{
	"id": "57cc3869-6f56-4f37-b797-d542a3e48e4e",
	"created_at": "2026-04-06T00:12:22.695919Z",
	"updated_at": "2026-04-10T03:33:54.624129Z",
	"deleted_at": null,
	"sha1_hash": "3f7a7c93e4304ccd2cb1bd1a72496ad545f3e5a0",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 433226,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-02 11:25:01 UTC\r\nThe Patchwork attack group has been targeting more than just government-associated organizations. Our research into the group found that it’s been attacking a broad range of industries—including aviation, broadcasting, and finance—to drop back door Trojans.\r\nSymantec Security Response has been actively monitoring Patchwork, also known as Dropping Elephant, which uses Chinese-themed content as bait to compromise its targets’ networks. Two security companies, Cymmetria and Kaspersky, each recently released reports on the campaign, most of which are in line with our observations.\r\nTargets\r\nAs other researchers observed, Patchwork originally targeted governments and government-related organizations. However, the group has since expanded its focus to include a broader range of industries.\r\nWhile most of the interest still lies in the public sector, more recent attacks were found targeting the following industries:\r\nAviation\r\nBroadcasting\r\nEnergy\r\nFinancial\r\nNon-governmental organizations (NGO)\r\nPharmaceutical\r\nPublic sector\r\nPublishing\r\nSoftware\r\nAccording to Symantec telemetry, targeted organizations are located in dispersed regions. Although approximately half of the attacks focus on the US, other targeted regions include China, Japan, Southeast Asia, and the United Kingdom.\r\nAttack vector\r\nOur first observation of an attempted attack related to this campaign dates back to November 2015, although Symantec telemetry data indicates that the campaign may have already existed in early 2015 or perhaps even earlier.\r\nThe threat actor mainly relies on a legitimate mailing list provider to send newsletters to a select number of targets. The newsletter includes a link to the attacker’s website, which has content focusing on topics related to China to draw the target’s interest. 
These websites are hosted on the same domains as the mailing list provider. Each website is customized for the intended target, and contains specialized topics related to the targeted industries.\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-\r\nf2cc9ce3266e\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 7\n\nFigure 1. A customized website with content related to a Chinese public hospital\r\nFigure 2. A customized website with content related to the Chinese military\r\nThe malicious sites link to files hosted on different domains, which appear to be solely used for malicious purposes. The domains are registered under names that pose as legitimate sources for Chinese intelligence. Several domains predominantly used in the attacks are hosted on two servers with the IP addresses 212.83.146.3 and 37.58.60.195.\r\nThese websites host two different types of malicious files: a PowerPoint file (.pps) and a rich text file with a Word .doc extension.\r\nThe PowerPoint files appear to exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), which was used in the Sandworm attacks against American and European targets in October 2014. The rich text files typically attempt to exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641), which was patched in April 2015. 
We have also confirmed an older flaw being exploited, the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).\r\nFrom what we can confirm, the documents contain copies of publicly available content taken from legitimate websites. Topics include military/defense, hospitals, naval disputes, and even malware removal.\r\nMalicious PowerPoint files\r\nThe .pps files likely exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114). However, the exploit for this particular campaign is a slight variation of similar exploits observed in the past. The exploit takes advantage of how the patch is designed to only warn users, rather than completely prevent malware infections without user interaction.\r\nNothing happens when the file is opened on PowerPoint 2016. However, when the file is opened on older versions of PowerPoint, it displays a security warning asking whether the user wants to open driver.inf; the exact behavior depends on the environment, such as the version of the operating system and the patches applied.\r\nFigure 3. Opening the .pps file on PowerPoint versions earlier than 2016 displays this prompt\r\nIf the user chooses to open the file, the computer will be compromised. If the user chooses not to open it, the computer will not be infected. However, Backdoor.Enfourks will be dropped, though not executed, into the temporary directory when the .pps file is opened. This poses a risk of compromise to the intended target.\r\nWe have confirmed this issue on all versions of PowerPoint tested in the lab. Users should manually remove any potential dropped files, which would typically be named “sysvolinfo.exe”.\r\nMalicious Word .doc file\r\nBesides the .pps file, the threat actor uses rich text files to deliver the malware. 
While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok.\r\nMain payloads\r\nBoth the .doc and .pps files mainly drop two malware families. Typically, the PowerPoint Slide file drops Backdoor.Enfourks, an AutoIT executable which is usually bloated with meaningless data and targets mainly 32-bit systems. The .doc file drops Backdoor.Steladok.\r\nWhile both back door Trojans wait for commands from the threat actor, they can search for files and upload them to the specified server once activated. For unknown reasons, both threats use Baidu, the Chinese software vendor, in their routines. The Trojans confirm an internet connection by pinging Baidu’s server and create a registry entry with the vendor’s name to run every time Windows starts. As two file types are used to deliver two different payloads, there are likely multiple individuals or groups contributing to the malware development efforts.\r\nMitigation\r\nUsers should adhere to the following advice to prevent Patchwork’s attacks from succeeding:\r\nDelete any suspicious-looking emails you receive, especially if they contain links or attachments. Spear-phishing emails are frequently used by cyberespionage attackers as a means of luring victims into opening malicious files.\r\nKeep your operating system and other software updated. 
Software updates will frequently include patches for newly discovered security vulnerabilities that attackers are known to exploit.\r\nKeep your security software up to date to protect yourself against any new variants of this malware.\r\nProtection\r\nSymantec and Norton products detect Patchwork’s malware as follows:\r\nAntivirus:\r\nBloodhound.RTF.3\r\nTrojan.PPDropper\r\nBackdoor.Enfourks\r\nBackdoor.Steladok\r\nBackdoor.Steladok!g1\r\nTrojan.Gen.2\r\nInfostealer\r\nIntrusion prevention system:\r\nSystem Infected: Backdoor.Steladok Activity\r\nSystem Infected: Backdoor.Enfourks Activity\r\nIndicators of compromise\r\nThe following details suspicious domains, IP addresses, and files, which may indicate that Patchwork has compromised a computer:\r\nSuspected domains and IP addresses:\r\nTable 1. Malicious PowerPoint slides associated with this campaign\r\nTable 2. Malicious rich text files associated with this campaign\r\nTable 3. Payloads associated with this campaign\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-\r\n77bd-41e0-8269-f2cc9ce3266e\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f7a7c93e4304ccd2cb1bd1a72496ad545f3e5a0.pdf",
		"text": "https://archive.orkl.eu/3f7a7c93e4304ccd2cb1bd1a72496ad545f3e5a0.txt",
		"img": "https://archive.orkl.eu/3f7a7c93e4304ccd2cb1bd1a72496ad545f3e5a0.jpg"
	}
}