{
	"id": "a50d96f3-48a5-4f98-9e41-80ceda307c49",
	"created_at": "2026-04-06T00:11:57.381002Z",
	"updated_at": "2026-04-10T13:12:55.152733Z",
	"deleted_at": null,
	"sha1_hash": "264a5068e56b9c89284a1465823526f2c113d0ba",
	"title": "Patchwork, Dropping Elephant - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81678,
	"plain_text": "Patchwork, Dropping Elephant - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 21:48:03 UTC\r\n APT group: Patchwork, Dropping Elephant\r\nNames\r\nPatchwork (Cymmetria)\r\nDropping Elephant (Kaspersky)\r\nChinastrats (Kaspersky)\r\nAPT-C-09 (Qihoo 360)\r\nMonsoon (Forcepoint)\r\nQuilted Tiger (CrowdStrike)\r\nTG-4410 (SecureWorks)\r\nZinc Emerson (SecureWorks)\r\nATK 11 (Thales)\r\nThirsty Gemini (Palo Alto)\r\nCapricorn Organisation (?)\r\nMaha Grass (?)\r\nG0040 (MITRE)\r\nCountry India\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription (Cymmetria) Patchwork is a targeted attack that has infected an estimated 2,500\r\nmachines since it was first observed in December 2015. There are indications of\r\nactivity as early as 2014, but Cymmetria has not observed any such activity first\r\nhand.\r\nPatchwork targets were chosen worldwide with a focus on personnel working on\r\nmilitary and political assignments, and specifically those working on issues relating\r\nto Southeast Asia and the South China Sea. Many of the targets were governments\r\nand government-related organizations.\r\nThe code used by this threat actor is copy-pasted from various online forums, in a\r\nway that reminds us of a patchwork quilt –hence the name we’ve given the\r\noperation.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=5ead2470-4d43-44e9-9306-de226d2477e1\r\nPage 1 of 3\n\nIn active victim systems, Patchwork immediately searches for and uploads\ndocuments to their C\u0026C, and only if the target is deemed valuable enough, proceeds\nto install a more advanced second stage malware.\nThis group seems to be associated with Confucius.\nObserved\nSectors: Aviation, Defense, Energy, Financial, Government, IT, Media, NGOs,\nPharmaceutical, Think Tanks.\nCountries: Bangladesh, Bhutan, Cambodia, China, Israel, Japan, Myanmar, Nepal,\nPakistan, South Korea, Sri Lanka, Turkey, UK, USA and Middle East and Southeast\nAsia.\nTools used\nAndroRAT, ArtraDownloader, AutoIt backdoor, BADNEWS, Bahamut, Bozok,\nBrute Ratel, Crypta, LokiBot, NDiskMonitor, PGoShell, PowerSploit, PubFantacy,\nQuasarRAT, Ragnatela, SocksBot, TINYTYPHON, Unknown Logger, WSCSPL.\nOperations performed\n2015\nThe attack was detected as part of a spear phishing against a\ngovernment organization in Europe in late May 2016. The target was\nan employee working on Chinese policy research and the attack vector\nwas a PowerPoint presentation file. The content of the presentation\nwas on issues relating to Chinese activity in the South China Sea.\nJan 2018\nThe malicious documents seen in recent activity refer to a number of\ntopics, including recent military promotions within the Pakistan Army,\ninformation related to the Pakistan Atomic Energy Commission, as\nwell as Pakistan’s Ministry of the Interior.\nMar 2018\nTargeting US Think Tanks\nIn March and April 2018, Volexity identified multiple spear phishing\ncampaigns attributed to Patchwork, an Indian APT group also known\nas Dropping Elephant. This increase in threat activity was consistent\nwith other observations documented over the last few months in blogs\nby 360 Threat Intelligence Center analyzing attacks on Chinese\norganizations and Trend Micro noting targets in South Asia.\nNov 2021\nPatchwork APT caught in its own web\n\nJul 2023\nPatchWork’s new assault Weapons report — EyeShell Weapons\nDisclosure\nJul 2024\nThe Patchwork group has updated its arsenal, launching attacks for the\nfirst time using Brute Ratel C4 and an enhanced version of PGoShell\nJun 2025\nDropping Elephant APT Group Targets Turkish Defense Industry With\nNew Campaign and Capabilities: LOLBAS, VLC Player, and\nEncrypted Shellcode\nInformation\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5ead2470-4d43-44e9-9306-de226d2477e1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5ead2470-4d43-44e9-9306-de226d2477e1"
	],
	"report_names": [
		"showcard.cgi?u=5ead2470-4d43-44e9-9306-de226d2477e1"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ca292585-950c-400f-b632-c19fa3491fe1",
			"created_at": "2022-10-25T15:50:23.599765Z",
			"updated_at": "2026-04-10T02:00:05.417659Z",
			"deleted_at": null,
			"main_name": "MONSOON",
			"aliases": null,
			"source_name": "MITRE:MONSOON",
			"tools": [
				"TINYTYPHON",
				"BADNEWS",
				"Unknown Logger",
				"AutoIt backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434317,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/264a5068e56b9c89284a1465823526f2c113d0ba.pdf",
		"text": "https://archive.orkl.eu/264a5068e56b9c89284a1465823526f2c113d0ba.txt",
		"img": "https://archive.orkl.eu/264a5068e56b9c89284a1465823526f2c113d0ba.jpg"
	}
}