Skip to main content
Mallory
Back to threat actors
5 malware families

Fishing Elephant

Also known asFishing Elephant

Fishing Elephant is an India-linked cyber-espionage threat actor tracked in reporting alongside the cluster Arctic Wolf calls Sloppy Lemming and also connected by researchers to Outrider Tiger. Reporting cited in the source material links Fishing Elephant to campaigns targeting organizations in South and Southeast Asia, with a focus on nuclear, defense, logistics, and telecommunications providers; broader Sloppy Lemming reporting also describes targeting of nuclear-regulatory organizations, defense firms, and critical infrastructure in Pakistan and Bangladesh. One cited campaign attributed to Fishing Elephant used phishing to deliver AresRAT. The source material further states that India-linked espionage activity in this ecosystem relies heavily on phishing and credential theft, and that related activity has used PDF lures, macro-enabled Excel documents, Rust-based tooling, and cloud/edge-hosted command-and-control infrastructure such as Cloudflare Workers. Kaspersky also lists Fishing Elephant among India-nexus groups and distinguishes other clusters such as Dropping Elephant and Mysterious Elephant as separate actors.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • government
  • diplomacy
MITRE ATT&CK

Tradecraft

32 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics48 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1583
Acquire Infrastructure
T1583.001×2
Domains
T1587
Develop Capabilities
T1587.001
Malware
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001×3
Spearphishing Attachment
T1566.002×2
Spearphishing Link
TA0002
Execution
3 techniques
T1059
Command and Scripting Interpreter
T1059.005×2
Visual Basic
T1204
User Execution
T1204.002
Malicious File
T1574
Hijack Execution Flow
T1574.001
DLL
TA0003
Persistence
1 technique
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
1 technique
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0005
Stealth
5 techniques
T1027
Obfuscated Files or Information
T1027.002
Software Packing
T1036
Masquerading
T1036.005
Match Legitimate Resource Name or Location
T1140×2
Deobfuscate/Decode Files or Information
T1218
System Binary Proxy Execution
T1218.007
Msiexec
T1574
Hijack Execution Flow
T1574.001
DLL
TA0006
Credential Access
2 techniques
T1056
Input Capture
T1056.001×2
Keylogging
T1555
Credentials from Password Stores
TA0007
Discovery
4 techniques
T1046
Network Service Discovery
T1057
Process Discovery
T1082
System Information Discovery
T1083
File and Directory Discovery
TA0009
Collection
3 techniques
T1056
Input Capture
T1056.001×2
Keylogging
T1113×2
Screen Capture
T1560
Archive Collected Data
TA0011
Command and Control
5 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1090
Proxy
T1090.001
Internal Proxy
T1090.003
Multi-hop Proxy
T1102
Web Service
T1102.002
Bidirectional Communication
T1571
Non-Standard Port
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
AresRAT“deliver its tool of choice, AresRAT.”1Mar 18, 2026
BurrowShell"...executed a custom x64 shellcode implant that Arctic Wolf has named BurrowShell. BurrowShell is a full-featured backdoor providing the threat actor with file system manipulation, screenshot capture capabilities, remote shell execution, and SOCKS proxy capabilities for network tunneling."1Mar 2, 2026
Cobalt Strike"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc..."1Mar 2, 2026
Havoc"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc..." and "...components associated with the Havoc post-exploitation C2 framework... Havoc shellcode payload..."1Mar 2, 2026
NekroWire RAT"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT."1Mar 2, 2026
ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping32

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.