Dropping Elephant Uses GoogleErrorReport Scheduled Task to Keep New RAT Active


Dropping Elephant is using a malicious Windows shortcut, DLL side-loading, and a scheduled task named GoogleErrorReport to keep a new memory-resident remote access trojan active on infected Windows systems.

The campaign was detailed by Rapid7, which found a China-themed loader chain built around a lure file named GRES3001.lnk. The shortcut is disguised as a PDF linked to an industrial energy contract.

When opened, the shortcut runs an obfuscated PowerShell downloader in the background while showing the victim a decoy GRES-3 seawater pump contract document. The malware then stages its files, loads the final payload in memory, and creates a persistence mechanism that runs every minute.

The attack starts with a fake PDF shortcut

The first-stage file is not a PDF at all. It is a Windows shortcut (.lnk) dressed up to look like one: it carries an Edge-style icon and its target launches PowerShell through conhost.exe as a proxy process, so the resulting process chain blends into normal Windows console activity.

The PowerShell command downloads multiple files from the staging domain chinagreenenergy[.]org. The downloaded files include a decoy PDF, a legitimate Microsoft binary named Fondue.exe, a malicious APPWIZ.cpl loader, runtime DLLs, and an encrypted payload file named editor.dat.

Microsoft’s fondue command documentation describes fondue.exe as the Windows tool used to enable optional Windows features. In this campaign the attackers copy the legitimate, signed binary to a staging directory and use it purely as a side-loading host; it is never invoked for its intended administrative purpose.

Attack stage    | What happens                                               | Defensive signal
----------------|------------------------------------------------------------|--------------------------------------------------------------
Initial access  | GRES3001.lnk runs an obfuscated PowerShell downloader      | LNK file spawning PowerShell or conhost.exe
Staging         | Files are downloaded from chinagreenenergy[.]org           | Unexpected downloads into public or task-related folders
Side-loading    | Fondue.exe loads malicious APPWIZ.cpl                      | Fondue.exe executing outside normal Windows feature workflows
Payload loading | editor.dat is decrypted and loaded through Donut shellcode | Memory-only execution and RWX memory allocation
Persistence     | GoogleErrorReport runs Fondue.exe every minute             | Suspicious scheduled task from C:\Users\Public

GoogleErrorReport is the main persistence mechanism

After the files are staged, the malware creates a scheduled task named GoogleErrorReport. The name is meant to look routine, but Rapid7 says the task is configured to repeatedly run Fondue.exe from the staged location.

This allows the DLL side-loading chain to restart the malware if it is interrupted. The original shortcut is then deleted, removing the most obvious file that started the infection.

[Figure: GRES3001.lnk structure showing conhost.exe proxy, Edge icon spoof, and embedded PowerShell downloader (Source: Rapid7)]

The behavior maps closely to the MITRE ATT&CK Windows Scheduled Task technique, which describes how attackers abuse scheduled tasks to run malicious code at startup, on logon, or on a recurring schedule for persistence.

  • Look for a scheduled task named GoogleErrorReport.
  • Check whether the task runs Fondue.exe from C:\Users\Public or another unusual path.
  • Investigate shortcut files that launch PowerShell or conhost.exe.
  • Review downloads from chinagreenenergy[.]org and connections to gcl-power[.]org.
  • Search for APPWIZ.cpl, editor.dat, and suspicious runtime DLLs staged outside normal application directories.

The RAT runs in memory and communicates over HTTPS

The malware does not simply drop a normal executable and run it from disk. The loader decrypts editor.dat and passes the result to a Donut shellcode loader, which maps the RAT directly into memory.

This matters because memory-only execution can reduce the value of file-based detection. Security tools may still catch the behavior, but teams need telemetry that sees suspicious process behavior, memory allocation, script activity, and in-process tampering.

Once active, the RAT connects to gcl-power[.]org over HTTPS on port 443. It checks in every 10 seconds and supports commands for file listing, command execution, screenshot capture, uploads, and downloads.

RAT capability     | What it allows
-------------------|------------------------------------------------------------------
Command execution  | Lets the operator run commands on the infected system
File listing       | Helps the attacker browse directories and identify useful files
Screenshot capture | Lets the operator view activity on the victim machine
Upload support     | Allows additional tools or payloads to be added
Download support   | Allows stolen files or collected data to leave the system

DLL side-loading helps the campaign blend in

DLL side-loading is a common way to abuse trusted binaries. Attackers place a malicious library where a legitimate program will load it, allowing malicious code to run under the cover of a trusted executable.

The technique aligns with MITRE ATT&CK DLL Side-Loading, which explains how adversaries can hijack the way programs load libraries to execute their own payloads and evade defenses.

In this campaign, Fondue.exe gives the loader chain a legitimate-looking parent process. The suspicious part is not that Fondue.exe exists on Windows, but that it appears in an unusual execution chain with APPWIZ.cpl, staged files, and a recurring scheduled task.

  • Fondue.exe should normally relate to Windows optional feature activity.
  • Fondue.exe running from or interacting with C:\Users\Public should be reviewed.
  • APPWIZ.cpl outside expected Windows locations is suspicious.
  • DLL and CPL loading behavior should be correlated with parent process, path, and command line.
  • Security teams should not trust signed binaries when their execution context looks abnormal.

The RAT includes several anti-analysis features

Rapid7 found that the final RAT includes multiple evasion techniques. It uses control-flow flattening to make code harder to read, resolves API functions at runtime, and checks for debugging or sandbox-related processes.

The malware also patches Windows security-related features in its own process before running its payload: AMSI (the Antimalware Scan Interface), WLDP (Windows Lockdown Policy) and ETW (Event Tracing for Windows). Patching these in memory blinds security products that rely on those inspection and logging paths for visibility into the process, and it makes analysis harder.

[Figure: Control-flow flattening dispatcher skeleton in decompiler output (Source: Rapid7)]

Before connecting to its command server, the RAT checks connectivity by reaching common websites such as google.com, yahoo.com, and cloudflare.com. It also queries api.ipify.org for the public IP address and ip2c.org for country information.

Behavior                            | Purpose
------------------------------------|---------------------------------------------------------
Control-flow flattening             | Makes reverse engineering more difficult
Runtime API resolution              | Reduces obvious imports for static analysis
Debugger and sandbox checks         | Attempts to detect analysis environments
AMSI, WLDP, and ETW patching        | Attempts to weaken Windows inspection and logging paths
Salsa20 and Base64 traffic handling | Makes command traffic harder to inspect directly
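The fixed 10-second check-in interval and the connectivity and IP/country lookups that precede it give defenders a network-side hunt that does not depend on the domain names. The script below is an added example, not code from Rapid7 or from this page: it parses constructed proxy/flow records, flags (source, destination, port) series whose inter-arrival times are too regular to be human browsing, and reports hosts that queried both api.ipify.org and ip2c.org. The record format, the jitter, the thresholds and every sample host and address are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Services the RAT is reported to query for public IP and country.
FINGERPRINT_HOSTS = {"api.ipify.org", "ip2c.org"}


def parse_records(lines):
    """Each line: '<epoch seconds> <src ip> <dst host>:<dst port>' (constructed format)."""
    records = []
    for line in lines:
        ts, src, dst = line.split()
        host, port = dst.rsplit(":", 1)
        records.append((float(ts), src, host.lower(), int(port)))
    return records


def find_beacons(records, min_count=6, max_cv=0.15):
    """Flag (src, host, port) series whose inter-arrival times are regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    connections: a timer-driven check-in scores close to 0, browsing does not.
    Returns {(src, host, port): (median gap in seconds, connection count)}.
    """
    series = defaultdict(list)
    for ts, src, host, port in records:
        series[(src, host, port)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = (round(median(gaps), 1), len(times))
    return beacons


def find_fingerprinting(records):
    """Sources that contacted both the public-IP and the country-lookup service."""
    seen = defaultdict(set)
    for _, src, host, _ in records:
        if host in FINGERPRINT_HOSTS:
            seen[src].add(host)
    return {src: sorted(hosts) for src, hosts in seen.items() if hosts == FINGERPRINT_HOSTS}


def report(lines):
    records = parse_records(lines)
    return {"beacons": find_beacons(records), "fingerprinting": find_fingerprinting(records)}


def build_sample_lines():
    """Constructed records (not captured traffic): one host that runs the
    connectivity and fingerprint checks and then checks in every ~10 s, and
    one host browsing at irregular intervals."""
    t0 = 1_700_000_000.0
    lines = []
    for i, host in enumerate(["google.com", "yahoo.com", "cloudflare.com",
                              "api.ipify.org", "ip2c.org"]):
        lines.append(f"{t0 + 0.4 * i:.1f} 10.0.0.5 {host}:443")
    for i in range(12):  # 10 s timer with +/-0.3 s of jitter (assumed)
        jitter = 0.3 if i % 2 else 0.0
        lines.append(f"{t0 + 5 + 10 * i + jitter:.1f} 10.0.0.5 gcl-power.org:443")
    t = t0
    for gap in (3, 17, 41, 2, 95, 8, 30, 12):
        t += gap
        lines.append(f"{t:.1f} 10.0.0.9 news.example:443")
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    result = report(SAMPLE_LINES)
    for key, (gap, count) in result["beacons"].items():
        print(f"beacon {key}: {count} connections, median gap {gap}s")
    print("fingerprinting:", result["fingerprinting"])
```

The coefficient-of-variation threshold is the knob to tune: a RAT that adds random sleep to its timer raises it, so in production pair this with the fingerprinting signal and with the endpoint indicators rather than using it alone.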

Defenders should hunt behavior, not just IOCs

Static indicators can help with immediate blocking, but this campaign shows why defenders should focus on behavior. Domains, hashes, filenames, and URL paths can change quickly. The execution pattern is harder for attackers to replace completely.

The strongest detection opportunities include a shortcut spawning PowerShell, downloads into public folders, Fondue.exe involved in unusual side-loading behavior, and the GoogleErrorReport scheduled task running from a nonstandard location.

The Rapid7 analysis also advises defenders to move beyond IOCs and watch for loader-chain behavior, memory-resident payload execution, and in-process tampering with Windows defensive controls.

  • Block or alert on LNK files that spawn PowerShell.
  • Monitor PowerShell for obfuscated download commands.
  • Alert on scheduled task creation with the name GoogleErrorReport.
  • Review Fondue.exe executions that involve user-writable directories.
  • Detect APPWIZ.cpl loading from C:\Users\Public or temporary folders.
  • Search for editor.dat under C:\Windows\Tasks or other unusual paths.
  • Monitor HTTPS traffic to gcl-power[.]org and staging traffic to chinagreenenergy[.]org.
  • Review suspicious memory allocation, AMSI patching, ETW patching, and unexpected screenshot activity.
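The hunting items listed above, together with the earlier scheduled-task and side-loading checklists, reduce to a handful of rules over process, image-load, file-create, DNS and task-registration telemetry. The script below is an added example, not code from Rapid7 or from this page: it encodes those rules and runs them over constructed Sysmon-style records (EventID 1, 7, 11, 22) and a Security 4698 record, with two benign controls that must not fire. Field names follow Sysmon and the Security log; the command lines, the base64 fragment and the schtasks invocation are illustrative assumptions, not artifacts from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Lower-case path fragments treated as user-writable, and the system directories
# where the genuine Fondue.exe and appwiz.cpl live.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\tasks\\", "c:\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGED_NAMES = {"fondue.exe", "appwiz.cpl", "editor.dat"}
STAGING_DOMAINS = {"chinagreenenergy.org"}
C2_DOMAINS = {"gcl-power.org"}
# Common markers of hidden or encoded PowerShell launches.
OBFUSCATED_PS = re.compile(
    r"-e(nc|ncodedcommand|c)?\s|-ep\s+bypass|-executionpolicy\s+bypass"
    r"|-w(indowstyle)?\s+hidden|downloadstring|downloadfile|invoke-expression"
    r"|\biex\b|frombase64string", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path):
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def rule_lnk_spawns_powershell(ev):
    """Explorer is the parent of whatever a shortcut target runs, so an
    explorer.exe -> conhost/powershell child with obfuscation flags is the LNK shape."""
    if ev.get("EventID") != 1:
        return None
    child, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    if parent == "explorer.exe" and child in {"conhost.exe", "powershell.exe", "pwsh.exe"} \
            and OBFUSCATED_PS.search(ev.get("CommandLine", "")):
        return f"explorer.exe -> {child} with obfuscated PowerShell command line"
    return None


def rule_fondue_outside_system(ev):
    """The real Fondue.exe lives in System32; a copy running elsewhere is staged."""
    if ev.get("EventID") == 1 and basename(ev["Image"]) == "fondue.exe" \
            and not in_system_dir(ev["Image"]):
        return f"Fondue.exe executing from {ev['Image']}"
    return None


def rule_cpl_sideload(ev):
    """APPWIZ.cpl loaded from a non-system path, or Fondue.exe loading any
    module from a user-writable path: the side-loading step itself."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev["ImageLoaded"]
    if basename(loaded) == "appwiz.cpl" and not in_system_dir(loaded):
        return f"APPWIZ.cpl loaded from {loaded} by {ev['Image']}"
    if basename(ev["Image"]) == "fondue.exe" and in_user_writable(loaded):
        return f"Fondue.exe loaded {loaded} from a user-writable path"
    return None


def rule_scheduled_task(ev):
    """GoogleErrorReport registered: Security 4698, or a schtasks.exe command line."""
    if ev.get("EventID") == 4698:
        if ev.get("TaskName", "").strip("\\").lower() == "googleerrorreport":
            return "scheduled task GoogleErrorReport registered (4698)"
    elif ev.get("EventID") == 1 and basename(ev["Image"]) == "schtasks.exe":
        m = re.search(r'/tn\s+"?([^\s"]+)', ev.get("CommandLine", ""), re.I)
        if m and m.group(1).strip("\\").lower() == "googleerrorreport":
            return "schtasks.exe creating GoogleErrorReport"
    return None


def rule_staged_file(ev):
    """Loader-chain artifacts written to a user-writable directory."""
    if ev.get("EventID") == 11:
        target = ev["TargetFilename"]
        if basename(target) in STAGED_NAMES and in_user_writable(target):
            return f"{basename(target)} staged at {target}"
    return None


def rule_dns(ev):
    if ev.get("EventID") != 22:
        return None
    name = ev.get("QueryName", "").lower().rstrip(".")
    if name in STAGING_DOMAINS:
        return f"staging domain lookup: {name}"
    if name in C2_DOMAINS:
        return f"C2 domain lookup: {name}"
    return None


RULES = (rule_lnk_spawns_powershell, rule_fondue_outside_system, rule_cpl_sideload,
         rule_scheduled_task, rule_staged_file, rule_dns)


def hunt(events):
    """Return (event index, rule name, finding) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((i, rule.__name__, finding))
    return hits


PUB = "C:\\Users\\Public\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed events in campaign order; command lines are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "conhost.exe powershell -w hidden -ep bypass -enc SQBFAFgAIAAo..."},
    {"EventID": 22, "Image": PS, "QueryName": "chinagreenenergy.org"},
    {"EventID": 11, "Image": PS, "TargetFilename": PUB + "Fondue.exe"},
    {"EventID": 11, "Image": PS, "TargetFilename": PUB + "APPWIZ.cpl"},
    {"EventID": 11, "Image": PS, "TargetFilename": PUB + "editor.dat"},
    {"EventID": 1, "Image": PUB + "Fondue.exe", "ParentImage": PS, "CommandLine": "Fondue.exe"},
    {"EventID": 7, "Image": PUB + "Fondue.exe", "ImageLoaded": PUB + "APPWIZ.cpl"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": PS,
     "CommandLine": 'schtasks /create /sc minute /mo 1 /tn GoogleErrorReport /tr "C:\\Users\\Public\\Fondue.exe"'},
    {"EventID": 4698, "TaskName": "\\GoogleErrorReport"},
    {"EventID": 22, "Image": PUB + "Fondue.exe", "QueryName": "gcl-power.org"},
    # Benign controls: the genuine tool and a normal Control Panel load must not fire.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\fondue.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "fondue.exe /enable-feature:NetFx3"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe", "ImageLoaded": "C:\\Windows\\System32\\appwiz.cpl"},
]

if __name__ == "__main__":
    for idx, rule, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx:2d} {rule:28s} {finding}")
```

Note that only rule_scheduled_task and rule_dns key on campaign-specific names; the other four describe the execution pattern and keep firing if the task name, domains or file hashes change, which is the point of the behavior-first advice above.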

Scheduled tasks remain a reliable persistence method because they are built into Windows and often overlooked in busy environments. The MITRE scheduled task guidance makes clear that attackers use this feature to run malicious code repeatedly or under specific account contexts.

Likewise, the campaign’s use of a legitimate Windows binary shows why defenders need context-aware monitoring. The Microsoft fondue.exe documentation helps establish what normal usage should look like, while MITRE’s DLL side-loading entry explains why attackers often hide behind trusted programs.

FAQ

What is the GoogleErrorReport scheduled task?

GoogleErrorReport is the scheduled task name used in this Dropping Elephant campaign for persistence. Rapid7 says the task runs Fondue.exe every minute, which restarts the DLL side-loading chain and loads the RAT in memory.

How does the Dropping Elephant campaign start?

The campaign starts with a malicious Windows shortcut named GRES3001.lnk, disguised as a PDF. When opened, it launches an obfuscated PowerShell downloader while showing the victim a decoy energy contract document.

Why is Fondue.exe used in the attack?

Fondue.exe is a legitimate Windows binary. In this campaign, attackers abuse it as part of a DLL side-loading chain so malicious code can run in a more trusted-looking process context.

What can the Dropping Elephant RAT do?

The RAT can run commands, list files, capture screenshots, upload files, download additional tools, fingerprint the host, and communicate with its command-and-control server over encrypted HTTPS traffic.

How can defenders detect this campaign?

Defenders should look for LNK files launching PowerShell, suspicious files staged in C:\Users\Public, Fondue.exe loading APPWIZ.cpl from unusual paths, a scheduled task named GoogleErrorReport, and network traffic to chinagreenenergy[.]org or gcl-power[.]org.
