Unidentified 125 is a sophisticated memory-resident remote access trojan (RAT) associated with the Dropping Elephant threat actor group. This 32-bit C++ implant represents a significant evolution in malware design, employing extensive obfuscation techniques and anti-analysis mechanisms that allow it to operate entirely in memory without touching the disk. Originally loaded through the Donut framework, this RAT is engineered specifically to evade detection by security software while providing attackers complete remote control of infected Windows systems.
First documented by Rapid7 researchers in connection with targeted espionage campaigns, Unidentified 125 demonstrates capabilities far beyond typical commodity malware. Its control-flow flattening, dynamic API resolution, and statically-linked C runtime make reverse engineering exceptionally difficult, while built-in checks for debuggers, sandboxes, and virtual environments allow it to remain dormant when security researchers attempt analysis.
Threat Profile
| Threat Name | Unidentified 125 (RAT, Dropping Elephant) |
| Threat Type | Remote Access Trojan (RAT) / Memory-resident implant |
| Target Platform | Windows (32-bit PE executable, runs on 64-bit systems) |
| File Type | Windows PE executable (typically loaded via Donut shellcode) |
| First Documented | Linked to Dropping Elephant campaigns (analysis updated June 2026) |
| Attribution | Dropping Elephant APT group (suspected state-sponsored) |
| Communication Method | HTTPS with encrypted command-and-control channels |
| Primary Capabilities | Remote command execution, system fingerprinting, process enumeration, data exfiltration |
| Persistence Mechanism | Varies (often memory-only during active sessions, relies on loader for re-injection) |
| Evasion Techniques | Anti-debugging, anti-sandbox, anti-VM, control-flow flattening, dynamic API resolution |
| Detection Difficulty | Very High (designed specifically to evade automated analysis) |
| Risk Level | Critical (full system compromise with data theft capabilities) |
How It Spreads
Unidentified 125 is not distributed through mass-spam campaigns or drive-by downloads like common malware. Instead, it represents targeted attack infrastructure deployed against specific individuals or organizations of intelligence interest. The Dropping Elephant group—believed to be a state-sponsored actor—carefully selects victims and employs social engineering tactics tailored to each target's profile, interests, and vulnerabilities.
The RAT typically arrives through the Donut framework, a sophisticated shellcode generation tool that converts PE executables into position-independent code for in-memory execution. This loader may be delivered through several initial access vectors, each designed to appear legitimate until the payload executes silently in the background.
- Spear-phishing emails with weaponized Microsoft Office documents containing malicious macros or exploits that download and execute the Donut loader
- Compromised legitimate websites used as watering holes, targeting visitors from specific organizations or geographic regions
- Trojanized software installers disguised as legitimate applications, often related to regional interests or professional tools relevant to the target
- USB drives and removable media containing autorun malware or disguised executables, particularly effective in air-gapped or security-conscious environments
- Exploitation of unpatched vulnerabilities in public-facing services, allowing direct remote code execution without user interaction
- Supply chain compromise where legitimate software update mechanisms are hijacked to distribute malicious payloads to specific customer segments
What It Does On Your Machine
Once executed, Unidentified 125 operates entirely in memory without writing traditional files to disk—a technique called "fileless malware" that makes detection and forensic analysis significantly more challenging. The RAT immediately performs a series of anti-analysis checks, examining the host environment for signs of virtualization (VMware, VirtualBox, Hyper-V), sandbox analysis tools (Cuckoo, Joe Sandbox), debuggers (OllyDbg, x64dbg, WinDbg), and even geographic location. If it detects any red flags suggesting a security researcher's environment rather than a genuine victim, it may terminate silently or remain dormant, revealing nothing about its capabilities.
Assuming the environment passes these checks, the malware conducts comprehensive system fingerprinting. It collects detailed information about your computer's hardware configuration, operating system version and patch level, installed security software, user account names, domain membership, and complete process listings. This intelligence helps attackers understand what data might be available on the compromised system and what tools they have at their disposal for lateral movement within a network.
The RAT establishes encrypted HTTPS connections to its command-and-control infrastructure, making its traffic blend in with normal web browsing. Because it uses legitimate encryption protocols and often mimics the connection patterns of popular web services, network security devices may not flag these communications as suspicious. The malware awaits instructions from its operators, who can then remotely execute commands, download additional tools, capture screenshots, log keystrokes, enumerate files, steal credentials, and exfiltrate sensitive documents—all while leaving minimal forensic evidence on the disk.
Because Unidentified 125 resides entirely in RAM, a simple system reboot will remove the active infection—but only temporarily. If the initial loader remains present (through a scheduled task, registry autorun entry, or infected document that gets reopened), the RAT will be reinjected into memory on the next system start or when the trigger condition occurs. This makes thorough removal more complex than dealing with traditional file-based malware.
Manual Removal — Step by Step
Disconnect from the Network Immediately
Physically unplug your ethernet cable or disable your Wi-Fi adapter through the hardware switch (not just Windows settings). This severs the connection between the RAT and its command-and-control server, preventing further data theft or the download of additional malicious tools. Keep the system offline throughout the entire removal process.
Boot Into Safe Mode with Networking
Restart your computer and repeatedly press F8 (or Shift+F8 on newer systems) before Windows loads. Select "Safe Mode with Networking" from the boot options menu. This loads Windows with minimal drivers and startup programs, which often prevents the initial loader from re-executing the RAT. You'll need networking enabled to download updated security tools in subsequent steps.
Update and Run Multiple Anti-Malware Scanners
Download and install Malwarebytes, HitmanPro, and ESET Online Scanner while still in Safe Mode. Update each tool's definitions to the latest version before scanning. Run full system scans with all three—one scanner may catch components another misses, especially with sophisticated threats like this. Because the RAT operates in memory and the initial loader may use polymorphic techniques, multiple scanning engines increase your chances of detection. Quarantine everything flagged as suspicious.
Check Scheduled Tasks and Startup Locations
Open Task Scheduler (taskschd.msc) and review all scheduled tasks, looking for entries with suspicious names, unusual trigger times, or commands that launch PowerShell, mshta.exe, or rundll32.exe with encoded parameters. Check common autorun locations: run msconfig and examine the Startup tab, then use Autoruns from Sysinternals (download it in Safe Mode) to see everything configured to launch at boot. Delete any unfamiliar or obviously malicious entries.
Search for Donut Loader Artifacts
Because Unidentified 125 typically arrives via Donut shellcode, search your system for potential loader files. Check your Downloads folder, Temp directories (C:\Windows\Temp, C:\Users\[YourName]\AppData\Local\Temp), and recent Office document directories for suspicious files. Look for executables or DLLs with random names, files with double extensions (like document.pdf.exe), or Office documents from unknown senders. Delete anything suspicious after backing up to an external drive for potential forensic review.
Review Recent Office Documents and Macros
If you opened any Microsoft Word, Excel, or PowerPoint files around the time of infection, review them carefully. Open each document in Safe Mode (hold Shift while double-clicking) to prevent macros from executing automatically. Check for embedded macros by pressing Alt+F11 in Office applications—legitimate documents rarely contain macros unless you work in specialized environments. Delete any documents containing unexpected macro code.
Check Browser Extensions and Certificates
Open each web browser you use and review installed extensions. Remove any you don't recognize or didn't intentionally install. Then check your certificate store: press Windows+R, type certmgr.msc, and examine the Trusted Root Certification Authorities. Advanced attackers sometimes install rogue certificates to intercept encrypted traffic. Delete any certificates from issuers you don't recognize, particularly those with suspicious names or issued to localhost.
Reset All Passwords from a Clean Device
Because this RAT has keylogging capabilities and may have captured your credentials, assume all passwords entered while infected are compromised. Using a different, known-clean device (smartphone, tablet, or another computer), change passwords for all important accounts: email, banking, social media, work systems, and password managers. Enable two-factor authentication wherever possible to add an additional security layer.
Monitor for Signs of Persistence
After completing removal steps and rebooting normally, watch your system closely for the next few days. Monitor network activity using Resource Monitor (resmon.exe) and look for unexpected outbound connections. Check Task Manager for unusual processes consuming CPU or network resources. Run additional scans with updated security tools daily for the first week. If suspicious activity returns, the infection may be more deeply rooted than manual removal can address.
Consider Professional Forensic Cleaning
Given the sophisticated nature of this threat and its association with targeted espionage campaigns, strong consideration should be given to professional malware removal and forensic analysis. Sophisticated RATs often deploy multiple persistence mechanisms, and incomplete removal can leave backdoors that allow reinfection. If your computer contains sensitive business data, intellectual property, or you believe you were specifically targeted, professional analysis can determine the full scope of compromise and ensure complete eradication.
Prevention
- Maintain rigorous patch management. Keep Windows, Microsoft Office, web browsers, and all third-party applications updated with the latest security patches. Many RAT infections exploit known vulnerabilities that have available fixes. Enable automatic updates where possible, and schedule regular manual checks for critical software that doesn't auto-update.
- Implement strict email security practices. Be extremely skeptical of unsolicited emails, even when they appear to come from known contacts. Verify unexpected attachments or links through a secondary communication channel before opening. Never enable macros in Office documents unless you're absolutely certain of their legitimacy and necessity. Configure Outlook or other email clients to block automatic macro execution.
- Deploy endpoint detection and response (EDR) tools. Traditional antivirus struggles with memory-resident threats like Unidentified 125. EDR solutions monitor behavior patterns, memory allocations, and API calls, detecting malicious activity even when no file is written to disk. For business environments or high-value targets, EDR represents a significant security upgrade over signature-based antivirus alone.
- Use application whitelisting where feasible. Configure Windows AppLocker or similar tools to restrict execution to known-good applications from trusted publishers. While this requires more administrative overhead, it effectively blocks most malware by default, requiring explicit authorization before any new executable can run. This is particularly valuable in managed business environments.
- Educate yourself about social engineering tactics. Because targeted malware often relies on manipulation rather than technical exploits, understanding attacker psychology is crucial. Learn to recognize urgency-based manipulation, authority impersonation, and pretexting. When something feels off about an email, call, or request, trust that instinct and verify through independent channels.
- Segment your network properly. Don't operate sensitive work systems on the same network as IoT devices, guest machines, or personal computers. Use separate VLANs, properly configured firewalls, and zero-trust principles to limit lateral movement if one system becomes compromised. A RAT infection on an isolated guest network poses far less risk than one on your primary business network with access to file servers and databases.
- Implement comprehensive logging and monitoring. Configure Windows Event Logging to capture detailed security events, particularly around PowerShell execution, process creation, and network connections. Use centralized log collection and analysis tools to identify anomalous behavior patterns that might indicate compromise. Many RAT infections go undetected for months simply because no one is watching for the warning signs.
- Maintain offline backups of critical data. Ransomware and data theft often accompany RAT infections. Keep regular backups of important files on external drives or backup services, with at least one completely offline copy (not network-attached) that malware cannot access. This ensures you can recover from infection without paying ransoms or suffering permanent data loss.
Bring It In
Unidentified 125 represents a category of threat beyond what most homeowners or small businesses can effectively handle with free tools and online tutorials. This is targeted malware designed by skilled developers specifically to evade detection and analysis. Its association with the Dropping Elephant threat actor suggests potential espionage motives—meaning the attackers aren't just after credit card numbers, but potentially intellectual property, trade secrets, confidential communications, and strategic intelligence.
If you've discovered this threat on your system, or if you're experiencing suspicious behavior that malware scans haven't resolved, bring your computer to Computer Repair Roswell at 1235 Woodstock Road. We have the forensic tools and expertise to identify sophisticated infections, remove them completely, and help you understand how the compromise occurred so you can prevent recurrence. Call us at (770) 667-1617 to schedule an appointment, or stop by during business hours. We serve Roswell, Alpharetta, Sandy Springs, and the greater North Atlanta area. Your security and privacy matter—let professionals with years of malware analysis experience handle threats designed to defeat automated tools.