
Threat Actor Characterization

Patchwork

ID: 81828b40f940bba2999adf65d1ece45084441
Classification: Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Malware
India UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 38%; Completeness: 33%; Freshness: 50%
Operation zone: UNKNOWN
Aliases: Dropping Elephant, Monsoon
MITRE ATT&CK®

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. Ref: https://attack.mitre.org/groups/G0040/


Technique / Technique name / Tactics / Evidence
T1021.001 Remote Desktop Protocol TA0008
  • Remote Services: Remote Desktop Protocol - Patchwork attempted to use RDP to move laterally.
T1027.001 Binary Padding TA0005
  • Obfuscated Files or Information: Binary Padding - Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.
T1027.002 Software Packing TA0005
  • Obfuscated Files or Information: Software Packing - A Patchwork payload was packed with UPX.
T1027.005 Indicator Removal from Tools TA0005
  • Obfuscated Files or Information: Indicator Removal from Tools - Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.
T1027.010 Command Obfuscation TA0005
  • Obfuscated Files or Information: Command Obfuscation - Patchwork has obfuscated a script with Crypto Obfuscator.
T1036.005 Match Legitimate Resource Name or Location TA0005
  • Masquerading: Match Legitimate Resource Name or Location - Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second-stage payload to the startup programs as "Net Monitor." They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.
T1053.005 Scheduled Task TA0002 TA0003 TA0004
  • Scheduled Task/Job: Scheduled Task - A Patchwork file stealer can run a TaskScheduler DLL to add persistence.
T1055.012 Process Hollowing TA0004 TA0005
  • Process Injection: Process Hollowing - A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.
T1059.001 PowerShell TA0002
  • Command and Scripting Interpreter: PowerShell - Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.
T1059.003 Windows Command Shell TA0002
  • Command and Scripting Interpreter: Windows Command Shell - Patchwork ran a reverse shell with Meterpreter. Patchwork used JavaScript code and .SCT files on victim machines.
T1059.005 Visual Basic TA0002
  • Command and Scripting Interpreter: Visual Basic - Patchwork used Visual Basic Scripts (VBS) on victim machines.
T1070.004 File Deletion TA0005
  • Indicator Removal: File Deletion - Patchwork removed certain files and replaced them so they could not be retrieved.
T1074.001 Local Data Staging TA0009
  • Data Staged: Local Data Staging - Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.
T1102.001 Dead Drop Resolver TA0011
  • Web Service: Dead Drop Resolver - Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.
T1132.001 Standard Encoding TA0011
  • Data Encoding: Standard Encoding - Patchwork used Base64 to encode C2 traffic.
T1204.001 Malicious Link TA0002
  • User Execution: Malicious Link - Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.
T1204.002 Malicious File TA0002
  • User Execution: Malicious File - Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.
T1518.001 Security Software Discovery TA0007
  • Software Discovery: Security Software Discovery - Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).
T1547.001 Registry Run Keys / Startup Folder TA0003 TA0004
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.
T1548.002 Bypass User Account Control TA0004 TA0005
  • Abuse Elevation Control Mechanism: Bypass User Account Control - Patchwork bypassed User Account Control (UAC).
T1553.002 Code Signing TA0005
  • Subvert Trust Controls: Code Signing - Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.
T1555.003 Credentials from Web Browsers TA0006
  • Credentials from Password Stores: Credentials from Web Browsers - Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.
T1559.002 Dynamic Data Exchange TA0002
  • Inter-Process Communication: Dynamic Data Exchange - Patchwork leveraged the DDE protocol to deliver their malware.
T1566.001 Spearphishing Attachment TA0001
  • Phishing: Spearphishing Attachment - Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.
T1566.002 Spearphishing Link TA0001
  • Phishing: Spearphishing Link - Patchwork has used spearphishing with links to deliver files with exploits to initial victims.
T1574.001 DLL TA0003 TA0004 TA0005
  • Hijack Execution Flow: DLL - A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.
T1587.002 Code Signing Certificates TA0042
  • Develop Capabilities: Code Signing Certificates - Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - Patchwork has obtained and used open-source tools such as QuasarRAT.
T1598.003 Spearphishing Link TA0043
  • Phishing for Information: Spearphishing Link - Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.