MemLoader
MemLoader is a backdoor referenced in reporting on a cyber-espionage campaign attributed to the Mysterious Elephant APT. The available content states that it was a new backdoor used in an operation targeting South Asian diplomacy and that the campaign involved theft of WhatsApp data. Visible metadata further associates the activity with cyber-espionage, data theft, Pakistan, and the use of BabShell alongside MemLoader modules. Based on the provided content, high-confidence details are limited to its role as a newly identified backdoor in this campaign; no additional technical behavior, infection vector, platform specificity, or indicators of compromise are provided in the source material.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Mysterious Elephant APT Campaign Targets South Asian Diplomacy, Steals WhatsApp Data with New MemLoader Backdoor
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A newly referenced backdoor used in a cyber-espionage campaign targeting South Asian diplomacy and stealing WhatsApp data.
Customized loader module used by the Mysterious Elephant APT in recent campaigns (exact functionality not detailed in the content).