In early March 2019, ASERT researchers uncovered a credential harvesting campaign targeting mostly South Asian governments. The actors behind this campaign, which we call LUCKY ELEPHANT, use doppelganger webpages to mimic legitimate entities such as foreign governments, telecommunications providers, and militaries. Interestingly, at least one IP address used in the campaign was previously associated with a suspected Indian APT group, and one domain was previously attributed to Chinese APT activity. The purpose of this infrastructure overlap is unclear, but it is possible the actors used it as a diversionary tactic.