The operation uses phishing emails, living-off-the-land binaries, and a custom embedded Python runtime to quietly establish long-term access to high-value networks.
The campaign begins with spear-phishing emails tailored to Pakistan’s defense and military ecosystem, including entities tied to the National Radio and Telecommunication Corporation (NRTC).
These emails deliver a ZIP archive that contains a malicious MSBuild project file and a decoy PDF document named “decmeMett.pdf,” designed to mimic legitimate defense-related content.
Instead of using a traditional executable, the attackers abuse Microsoft’s MSBuild.exe, a trusted Windows development tool, as a LOLBIN (living-off-the-land binary).
When the user opens the malicious shortcut or project file, MSBuild executes embedded scripts that act as the Stage-1 dropper.
This first-stage component performs dynamic API resolving and uses UTF-reversed strings for obfuscation, making static detection harder.
It downloads a set of files into the Windows Tasks directory, including a renamed Python interpreter (pythonw.exe) and Python runtime DLLs such as python310.dll.
It also drops the decoy PDF, opens it later to reduce suspicion, then deletes the original ZIP archive to cover its tracks.
Persistence is achieved by creating scheduled tasks via SCHTASKS with benign-looking names such as “KeyboardDrivers,” “MsEdgeDrivers,” and “MicrosoftEdgeUpdate2Network.”
These tasks are configured to launch the Python interpreter silently in the background, using pythonw.exe so that no console window appears to the victim.
In the next phase, the malware deploys an embedded Python runtime under the user profile, typically at:
C:\Users\<User>\AppData\Local\PythonVersion3
This folder contains pythonw.exe, multiple Python DLLs (python313.dll, python310.dll, python3.dll), Microsoft Visual C++ runtime DLLs, and a fake DLL file named python2_pycache_.dll.
Despite its extension, this “DLL” actually stores marshalled Python bytecode rather than a standard Windows library.
The scheduled tasks execute a command similar to:
pythonw.exe python2_pycache_.dll
The modified PyInstaller-style loader interprets the file and runs the hidden Python RAT. Because the payload is marshalled bytecode rather than plain .py files, reverse engineering becomes more difficult, and traditional script-based detection is less effective.
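As an added illustration of how a defender can hunt for the two traits described above (scheduled tasks that run a headless Python interpreter from a user-writable path with a ".dll" as its script, and a ".dll" that is really marshalled bytecode rather than a PE), the following script is example code written for this page, not tooling from the original report. The task records and file contents are constructed samples; the task names and the python2_pycache_.dll filename are taken from the article.

```python
import marshal
import re
from pathlib import PureWindowsPath

# Constructed scheduled-task records shaped like the article's description
# (task name, action command line); not real forensic data.
SAMPLE_TASKS = [
    ("KeyboardDrivers",
     r'"C:\Users\alice\AppData\Local\PythonVersion3\pythonw.exe" python2_pycache_.dll'),
    ("MsEdgeDrivers",
     r'C:\Windows\Tasks\pythonw.exe C:\Windows\Tasks\python2_pycache_.dll'),
    ("NightlyBackup",
     r'"C:\Program Files\Python310\python.exe" C:\scripts\backup.py'),
    ("EdgeUpdate",
     r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'),
]

PYTHON_HOSTS = {"python.exe", "pythonw.exe"}
USER_WRITABLE = ("\\appdata\\", "\\windows\\tasks\\", "\\temp\\")

def split_command(cmd):
    """Split a Windows command line into (executable, [args]), honouring a quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)', cmd)
    return (m.group(1) or m.group(2)), m.group(3).split()

def assess_task(cmd):
    """Return the reasons a task action matches the described persistence (empty = clean)."""
    exe, args = split_command(cmd)
    reasons = []
    if PureWindowsPath(exe).name.lower() in PYTHON_HOSTS:
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            reasons.append("python interpreter located in a user-writable directory")
        if any(a.lower().endswith(".dll") for a in args):
            reasons.append("interpreter given a .dll instead of a script")
    return reasons

def triage(tasks):
    """Map task name -> reasons for every task that raises at least one flag."""
    return {name: r for name, cmd in tasks if (r := assess_task(cmd))}

def is_real_pe(data: bytes) -> bool:
    """Genuine Windows DLLs start with the 'MZ' DOS header; marshalled bytecode does not."""
    return data[:2] == b"MZ"

# Constructed file contents: a real marshalled code object (the kind of data the
# fake DLL holds) and a stub DOS header standing in for a genuine DLL.
FAKE_DLL = marshal.dumps(compile("print('constructed payload')", "<mem>", "exec"))
REAL_DLL_STUB = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
    print("python2_pycache_.dll is a PE:", is_real_pe(FAKE_DLL))
```

In a live investigation the task list would come from an export of the Task Scheduler (for example the output of schtasks /query /v /fo CSV) and the header bytes from the file itself; never unmarshal a suspect file, the MZ check is enough to show it is not a DLL.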
Once active, the backdoor establishes command-and-control communication with attacker infrastructure, including domains such as nexnxky[.]info and upxvion[.]info.
From there, operators can perform espionage activities, exfiltrate sensitive documents, and move laterally inside defense and military R&D networks.
Threat researchers assess with high confidence that this activity belongs to Patchwork APT, also known as Dropping Elephant, an India-aligned group long associated with targeting Pakistan’s military, defense, and government sectors.
The use of MSBuild, geofenced targeting, and a custom marshalled-Python backdoor highlights the group’s ongoing investment in stealthy, tailored tooling for regional cyber-espionage.