A new hacker group has been tracked to attacks targeting human rights, activists, human rights defenders, academics, and lawyers in India. The attacks attempt to drop “incriminating digital evidence.” 

Sentinel Group has traced the attacks to a group called “Modified elephant, a difficult to track threat group which has been active since 2012. The group’s activities are aligned with the state’s interests.

“ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry,” the researchers said. “The threat actor uses spear-phishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers.

The group allows tracking activities of targets for a long period, which leads to planting evidence on the victim’s compromised systems. The evidence was planted for targeting and imprisoning the opponents.


The attack infects the targets via spear-phishing emails. The spear-phishing emails have topics concerning activism, climate change, and politics and contain malicious Microsoft Office document attachments or links. These documents are hosted externally and can install malware that can take control of the targeted systems.

“The phishing emails take many approaches to gain the appearance of legitimacy,” the researchers said. “This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents.”

Also distributed using phishing emails is an unidentified commodity trojan targeting Android that enables the attackers to intercept and manage SMS and call data, wipe or unlock the device, perform network requests, and remotely administer the infected devices. SentinelOne characterized it as an “ideal low-cost mobile surveillance toolkit.”

“This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally- specific targeting,” the researchers said.