{
	"id": "1a38ec02-c925-4c2a-9ff3-37b7d15f0e01",
	"created_at": "2026-04-06T00:22:00.24696Z",
	"updated_at": "2026-04-10T03:33:54.619031Z",
	"deleted_at": null,
	"sha1_hash": "8973b9f6f780afa628c0a11c8253a4af726f2ca1",
	"title": "PatchWork’s new assault Weapons report — EyeShell Weapons Disclosure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2486627,
	"plain_text": "PatchWork’s new assault Weapons report — EyeShell Weapons Disclosure\r\nBy Knownsec 404 team\r\nPublished: 2023-07-26 · Archived: 2026-04-05 21:12:05 UTC\r\n7 min read\r\nJul 26, 2023\r\nAuthor: K&Nan@ Knownsec 404 Advanced Threat Intelligence Team\r\nChinese version: https://paper.seebug.org/2074/\r\n1. PatchWork organization description\r\nThe Patchwork APT group, also known as Dropping Elephant, Chinastrats, Monsoon, Sarit, Quilted Tiger, APT-C-09 and ZINC EMERSON, was first discovered in December 2015, using a custom-built set of attack tools to launch attacks against multiple diplomats and economists. These attacks are usually carried out through spear-phishing campaigns or watering-hole attacks.\r\nIt is speculated that the group is run by a threat actor affiliated with a South Asian country, and its main targets are Pakistan, Sri Lanka, Nepal, Bangladesh, Myanmar, Cambodia and other countries.\r\nIn the past two years, the Knownsec 404 Advanced Threat Intelligence Team has repeatedly discovered, in real time and in advance, attacks carried out by the group against key domestic universities, research institutes and other relevant research organizations and institutions, and has successfully warned of these activities many times.\r\n2. Basic information about weapons\r\nSample source: Continuous tracking\r\nSHA-256: 6e0db3722abb04be57696d12f4debf078f053d6e4839e621c864c325f20b8ca4\r\nName of weapon: EyeShell\r\nWeapon type: Backdoor program\r\nPlatform: Windows\r\n3. Weapon function module diagram\r\nhttps://medium.com/@knownsec404team/patchworks-new-assault-weapons-report-eyeshell-weapons-disclosure-181833f434be\r\nPage 1 of 13\r\n4. EyeShell Weapons overview\r\nRecently, in the course of continuing to track PatchWork, the Knownsec 404 Advanced Threat Intelligence Team discovered a streamlined backdoor developed in .NET, with a target framework of .NET Framework 4. During tracking we also found that the backdoor appeared together with BADNEWS (BADNEWS is the name of the self-developed Trojan dedicated to the PatchWork organization).\r\nSo we have reason to guess that the backdoor is used together with BADNEWS. The backdoor uses the namespace Eye; to facilitate subsequent tracking and differentiation, we call this backdoor EyeShell according to the namespace.\r\n4.1 EyeShell feature description\r\nEyeShell as a whole is a very streamlined backdoor; presumably its version is v1.0. EyeShell can be divided into three modules according to function, as follows:\r\nInitialization module\r\nThe initialization module is divided into two parts, and the dividing point is whether C2 is online.\r\nThe first part is used for program initialization, as follows:\r\nThe mutex created by EyeShell is “fdghsdfgjhh”, which is used to ensure that only one instance of the program runs and to avoid race conditions.\r\nThe C2 address and port are stored in arrays:\r\nchar[] C2Address = new char[13]\r\n {\r\n '1', '7', '2', '.', '8', '1', '.', '6', '1', '.',\r\n '2', '2', '4'\r\n };\r\nint[] C2Port = new int[4] { 2, 0, 2, 4 };\r\nSince the C2 information of EyeShell is saved in arrays, a type conversion is performed before the Connect(string hostname, int port) API call. The address only needs to be cast to a string, while the port is rebuilt by iterating over the digits, multiplying each by the corresponding power of ten and summing the results:\r\nC2Port.Select((int t, int i) => t * Convert.ToInt32(Math.Pow(10.0, pop.Length - i - 1))).Sum()\r\nAll EyeShell network interactions are encrypted with AES-128:\r\nAESKey = {'q', 'w', 'e', 'r', '1', '2', '3', '4', 'a', 's', 'd', 'f', '5', '6', '7', '8'}\r\nAESIV = {'7', '3', '9', '1', '8', '4', '2', '6', '5', '7', '8', '9', '5', '1', '2', '3'}\r\nThe encryption method used to send data to the server is the same as the one used to issue commands from the server, and the processing flow is: raw data (byte[]) -> Base64 -> AES-128 -> Base64 (final sent data).\r\nThe second part is used for interaction initialization.\r\nInteraction initialization has a precondition: it occurs if and only if C2 is online.\r\nThe main content of interaction initialization is to create a cmd.exe process and register an OutputDataReceived event, redirecting the standard output stream through the OutputHandler event delegate to the TCPStream Write interface, so that standard output is redirected to the server. After completing the event delegation, EyeShell creates the TCPStream Read/Write interfaces to support subsequent interactions.\r\nThe Write interface is associated with the redirection in the OutputHandler event delegate.\r\nOn-line module\r\nAfter initialization is complete, EyeShell attempts C2 online detection and does not proceed until C2 is online; otherwise it keeps checking whether C2 is online.\r\nOnce C2 is online, the online information collected by EyeShell is UUID, UserName and OSVersion, and the online format is as follows:\r\n<UUID> + \"*\" + <UserName> + \"*\" + <OSVersion> + \"*1.0\"\r\nAmong them, according to experience, the hard-coded string *1.0 at the end of the online information is guessed to be the EyeShell version number v1.0.\r\nAfter completing the above operations, EyeShell enters the interaction module.\r\nInteraction module\r\nThe interaction module is an infinite loop; interaction begins by reading the instructions issued by the server from the TCPStream Read interface.\r\nAccording to the command control list of EyeShell, we can determine that EyeShell supports thirteen instructions. The instructions and their functions are as follows:\r\n“drive”\r\nThis command enumerates the logical volume names of the current host and uploads them to the server, in the following format:\r\n<vol1.Name> + \"*\" + <vol2.Name> + \"*\" + … + <voln.Name>\r\n“fileData”\r\nThis command gets the size of the specified file. If it is a directory, it gets the size of the subdirectories of the current directory. If an exception occurs, 0 is returned.\r\n“FileRec”\r\nThis command gets the name of the current directory and its subdirectories. The upload format is:\r\nfo*l*d*er + \"*\" + <folder1> + \"*\" + <folder2> + …\r\n“FileList”\r\nThis command lists the current directory, its subdirectories and the file names in the directory, similar to the ls command; the upload format is separated by *.\r\n“downFile”\r\nThis command uploads the file specified on the victim host to the server, and the server returns “Done” if the transfer is successful.\r\n“upload”\r\nThis command downloads a file from the server and saves it to the path specified on the victim host, returning “asdf” if successful.\r\n“Exec”\r\nThis command executes the specified file on the victim host and returns “asdf” if execution is successful; otherwise the exception message is returned.\r\n“Delete”\r\nThis command deletes the specified file on the victim host, returning “asdf” after successful execution; otherwise an exception message is returned.\r\n“Rev”\r\nThis command executes the command issued by the server and enables the return body in the OutputHandler event delegate, at which point the server and the client establish an interactive shell.\r\n“RevEnd”\r\nThis command closes the interactive shell: it sets the return state in the OutputHandler event delegate to closed, and the server and the client close the interactive shell.\r\n“ScreenS”\r\nThis command obtains a screenshot of the victim’s current desktop.\r\n“UplExe”\r\nThis command has two actions:\r\nOperation 1: Receive a file from the server, save it under the specified file name in the %temp% path of the victim host, and execute it immediately.\r\nOperation 2: Get the ID of the current process and save it in a file named ip1.txt under %temp%.\r\n“Alive”\r\nNo action; puts the client into a wait state.\r\n4.2 EyeShell detailed description\r\nNetwork stream encryption process\r\nNetwork flow decryption process\r\nAES-128 KEY&IV\r\nThe mutex creates and initializes C2\r\nEvent delegate\r\nCreate a TcpStream read-write interface\r\nBuild and send go-live information\r\nInteraction portal\r\nGet a list of files\r\nObtain logical volume information\r\nFile upload\r\nGets the file size\r\nTake a screenshot\r\nFile saving execution and PID acquisition\r\nCreates the specified process\r\nDeletes the specified file\r\nStart the interactive shell\r\nGet directory information\r\nSource: https://medium.com/@knownsec404team/patchworks-new-assault-weapons-report-eyeshell-weapons-disclosure-181833f434be",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://medium.com/@knownsec404team/patchworks-new-assault-weapons-report-eyeshell-weapons-disclosure-181833f434be"
	],
	"report_names": [
		"patchworks-new-assault-weapons-report-eyeshell-weapons-disclosure-181833f434be"
	],
	"threat_actors": [
		{
			"id": "ca292585-950c-400f-b632-c19fa3491fe1",
			"created_at": "2022-10-25T15:50:23.599765Z",
			"updated_at": "2026-04-10T02:00:05.417659Z",
			"deleted_at": null,
			"main_name": "MONSOON",
			"aliases": null,
			"source_name": "MITRE:MONSOON",
			"tools": [
				"TINYTYPHON",
				"BADNEWS",
				"Unknown Logger",
				"AutoIt backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434920,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8973b9f6f780afa628c0a11c8253a4af726f2ca1.pdf",
		"text": "https://archive.orkl.eu/8973b9f6f780afa628c0a11c8253a4af726f2ca1.txt",
		"img": "https://archive.orkl.eu/8973b9f6f780afa628c0a11c8253a4af726f2ca1.jpg"
	}
}