Explained: What we know of hacking group ModifiedElephant

American cybersecurity firm SentinelOne has released a report on ModifiedElephant—a hacking group that allegedly planted incriminating evidence on the personal devices of Indian journalists, human rights activists, human rights defenders, academics and lawyers.

According to the report, ModifiedElephant maliciously targeted specific groups and individuals, including the activists arrested in the Bhima Koregaon case of 2018. It called the incident ‘one of the most serious cases of evidence tampering’ that the firm had ever encountered.

As per the digital forensic investigation results publicly released by Arsenal Consulting, SentinelOne was able to uncover ‘a decade of persistent malicious activity’ that they attribute to a threat actor that has never been identified before: ModifiedElephant.

How does ModifiedElephant deploy malware to its targets? According to the report, ModifiedElephant operators have been infecting their targets using spearphishing emails with malicious file attachments over the last decade, with their techniques getting more sophisticated over time.


Spearphishing refers to the practice of sending emails to targets that look like they are coming from a trusted source to either reveal important information or install different kinds of malware on their computer systems.

ModifiedElephant typically weaponises malicious Microsoft Office files to deliver malware to their targets. According to SentinelOne, the specific method and payload included in the malicious files have changed over the years:

  • In mid-2013, the actor(s) used emails containing executable files with fake double extensions (filename.pdf.exe)
  • After 2015, the actor(s) moved on to using less obvious files with publicly available exploits, including those with .doc, .pps, .docx and .rar extensions. These attempts involved using legitimate documents in these formats to capture user attention while the malware executes 
  • In the 2019 spearphishing attacks, operators began emailing links to files hosted externally. 

According to SentinelOne, lure documents often used the CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641 exploits which affected Microsoft Office Suite programmes,…