{
	"id": "5be21914-f1ad-451e-858a-75bd8553b29f",
	"created_at": "2026-04-06T03:37:07.19055Z",
	"updated_at": "2026-04-10T03:33:54.60761Z",
	"deleted_at": null,
	"sha1_hash": "8369be75e8762967db74a78c0d8702ee6a31819c",
	"title": "Untangling the Patchwork Cyberespionage Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92511,
	"plain_text": "Untangling the Patchwork Cyberespionage Group\r\nBy Daniel Lunghi, Jaromir Horejsi, Cedric Pernet\r\nPublished: 2017-12-11 · Archived: 2026-04-06 03:22:40 UTC\r\nUpdated as of October 9, 2018, 7:24PM PDT to remove Socksbot and update the appendix and technical brief; hat tip to Michael Yip of Accenture Security for earlier research on Socksbot.\r\n\r\nPatchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to its list of targets. Patchwork’s moniker comes from its notoriety for rehashing off-the-rack tools and malware for its own campaigns. The attack vectors they use may not be groundbreaking—what with other groups exploiting zero-days or adjusting their tactics—but the group's repertoire of infection vectors and payloads makes them a credible threat.\r\n\r\nWe trailed Patchwork’s activities over the course of its campaigns in 2017. The diversity of their methods is notable—from the social engineering hooks, attack chains, and backdoors they deployed. They’ve also joined the Dynamic Data Exchange (DDE) and Windows Script Component (SCT) abuse bandwagons and started exploiting recently reported vulnerabilities. These imply they’re at least keeping an eye on other threats and security flaws that they can repurpose for their own ends. Also of note are their attempts to be more cautious and efficient in their operations.\r\n\r\nWho are Patchwork’s targets?\r\nPatchwork targeted multiple sectors in China and South Asia. We also saw spear-phishing emails sent to organizations in the U.K., Turkey, and Israel. The targets weren’t just high-profile personalities, but also business-to-consumer (B2C) online retailers, telecommunications and media companies, aerospace researchers, as well as financial institutions (i.e., banks). They also targeted the United Nations Development Programme.\r\nThe group's motivations for targeting enterprises weren’t clear; we don’t construe them to be cybercriminal in nature, but espionage-related. Based on the malware used, they are more after mission-critical or confidential data than information they can monetize.\r\n\r\nWhat did they use to infect their targets’ systems?\r\nSpear-phishing emails are their staple doorways into their targets, using emails that contained website redirects, direct links, or malicious attachments. For instance, Patchwork spoofed a news site to divert visitors to socially engineered, malware-ridden documents. Spear-phishing emails with direct links to weaponized documents were hosted on Patchwork-owned servers whose domains are similar to legitimate sites. They misused email and newsletter distribution services to send these spammed messages.\r\nPatchwork employed drive-by download tactics by setting up a fake Youku Tudou website, a social video platform popular in China. The would-be victim is urged to download and execute a fake Adobe Flash Player update, which is actually a variant of the xRAT Trojan.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/\r\nPage 1 of 4\r\nThe group also phished for credentials to hijack their targets’ emails and other online accounts. One of their phishing kits, for instance, copied a webpage from a legitimate web development company. The phishing pages can only be visited via the links in emails sent to would-be victims; otherwise, the user is redirected to the benign, mimicked webpage.\r\n\r\nWhat kind of documents did Patchwork weaponize?\r\nMany of the documents we analyzed were from a directory Patchwork accidentally left open. The group used sociopolitical themes as social engineering hooks. The documents were laden with exploits for certain vulnerabilities:\r\n- Rich Text Format (RTF) files that trigger an exploit for CVE-2012-1856, patched via MS12-060 in August 2012. CVE-2012-1856 is a remote code execution (RCE) vulnerability in the Windows common control MSCOMCTL, an ActiveX Control module\r\n- PowerPoint Open XML Slide Show (PPSX) files exploiting Sandworm (CVE-2014-4114), an RCE vulnerability in Windows’ Object Linking and Embedding (OLE) feature patched in October 2014\r\n- PowerPoint (PPT) files exploiting CVE-2017-0199, an RCE vulnerability in Microsoft Office’s Windows OLE, patched in April 2017\r\n- PPSX files that exploit CVE-2017-8570, an RCE vulnerability in Microsoft Office patched in July 2017, which downloads a malicious Windows Script Component (SCT) file from a Patchwork-owned server then delivers the xRAT malware\r\n- RTF files exploiting CVE-2015-1641, a memory corruption vulnerability in Microsoft Office patched in April 2015. After execution, it drops a dynamic-link library (DLL) that contains the Badnews backdoor, which is loaded and executed using the DLL side-loading technique\r\nApart from exploit-laden documents, Patchwork also misused DDE to retrieve and execute xRAT on the infected machine. They also sent a document embedded with an executable, which downloads a decoy document and a backdoor, then executes the latter.\r\n\r\nWhat were their payloads?\r\nPatchwork deployed a miscellany of backdoors and information stealers, some of which they used exclusively:\r\n- xRAT—a remote access tool whose source code is available on GitHub, which means anyone can clone and compile the project\r\n- NDiskMonitor—a custom backdoor we believe to be Patchwork’s own; it can list the infected machine’s files and logical drives, as well as download and execute a file from a specified URL\r\n- Badnews—a backdoor with potent information-stealing and file-executing capabilities; it can also monitor USB devices and copy targeted files to the C\u0026C server\r\n- File Stealers—Taskhost Stealer and Wintel Stealer target Microsoft Word, Excel, and PowerPoint documents (.doc, .docx, .xls, .xlsx, .ppt, and .pptx), Portable Document Format (.pdf) and RTF files, as well as email messages (.eml, .msg); Patchwork also uses versions of file stealers written in AutoIt\r\n\r\nWhat were Patchwork’s operations like?\r\nWe found 30 to 40 IP addresses as well as domain names used by the group in 2017. Each server has a different purpose. Some are only meant to be C\u0026C servers that collect data sent by the file stealers, and no domain name points to those IP addresses. In some cases, the same server is used for C\u0026C communication while also acting as a website hosting content copied from legitimate websites and propagating malware or weaponized documents. Other servers are used only to host phishing websites.\r\nThey misuse publicly available PHP scripts to retrieve files from the server without disclosing their real paths. While this could be for tracking purposes, it’s more likely this was to deter researchers from finding open directories. On multiple occasions, we observed them temporarily removing a file so it could not be retrieved. Sometimes they replaced it with a legitimate file to dupe researchers. On some of their servers’ homepages, they display a fake 302 redirection page to trick researchers into thinking the files are gone.\r\n\r\nWhat can organizations do?\r\nPatchwork is in a vicious cycle, given the group’s habit of rehashing tools and malware. The more those are used, the likelier they’d be incorporated in the group’s arsenal. The takeaway for enterprises? The gamut of tools and techniques at Patchwork’s disposal highlights the significance of defense in depth: arraying proactive defense to thwart threats at each level—from the gateways, endpoints, and networks to servers. Enterprises should keep operating systems and applications updated—or employ virtual patching for legacy systems—to prevent security gaps and deter attackers from exploiting them. Firewalls, sandboxes, as well as intrusion detection and prevention systems help detect red flags in the network. Enforce the principle of least privilege: blacklist and secure the use of tools usually reserved for system administrators, such as PowerShell. Network segmentation and data categorization help thwart lateral movement and further data theft, while behavior monitoring and application control/whitelisting block anomalous routines executed by suspicious files. And more importantly, secure the email gateway. Patchwork may only be reusing vulnerability exploits and malware, but they’re tried-and-tested—it only takes a susceptible layer to affect the whole chain.\r\nOur in-depth analyses of Patchwork’s campaigns—infection vectors, the weaponized documents and malware they deploy, and infrastructure—are in this technical brief. The indicators of compromise are in this appendix.\r\n\r\nTrend Micro Solutions\r\nTrend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats delivered by Patchwork even without any engine or pattern update. Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities.\r\nPatchwork also uses email as an entry point, which makes securing the email gateway important. Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent malware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities that minimize the impact of Patchwork’s attacks.\r\nThese solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/"
	],
	"report_names": [
		"untangling-the-patchwork-cyberespionage-group"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446627,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8369be75e8762967db74a78c0d8702ee6a31819c.pdf",
		"text": "https://archive.orkl.eu/8369be75e8762967db74a78c0d8702ee6a31819c.txt",
		"img": "https://archive.orkl.eu/8369be75e8762967db74a78c0d8702ee6a31819c.jpg"
	}
}