{
	"id": "d51274a7-9df7-4b37-8b10-6ac6fb9cba9f",
	"created_at": "2026-04-06T00:17:35.332153Z",
	"updated_at": "2026-04-10T03:33:54.544986Z",
	"deleted_at": null,
	"sha1_hash": "fb6cf9ea34db6270ac980049fbd3e977bcf0f486",
	"title": "New PatchWork Spearphishing Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1471605,
	"plain_text": "New PatchWork Spearphishing Attack\r\nPublished: 2019-10-22 · Archived: 2026-04-05 23:21:37 UTC\r\nRecently, a somewhat more elaborate phishing campaign has caught our attention at Lab52. It consists of a malicious Office document built from a real article from Samaa.tv, one of the most important media outlets in Pakistan, published on 07-10-2019. The article used in this campaign is related to the current rise of tension in the geopolitical Indian-Pakistani conflict over Kashmir. The headline of the article is: “India to become center of extremism under Modi: AJK PM” ([1]).\r\nIllustration 1: Headlines used in the campaign\r\nThe document, named “India’s_Extremisms_Under_Mobi.docx” and with hash “167062593cb9e42a404dc9c8a0347e74888712a1256731724417e6f1d411cbbb”, was written in English, an official language of both countries. The startling headline selected for the campaign tries to attract the attention and interest of Pakistani and Indian people through social fear, so the main target would be Pakistani victims, who are the more likely to download the malicious document. At the moment, both Delhi and Islamabad claim control of the whole Kashmir area. However, each public administration manages a specific part of the region ([2]) ([3]).\r\nhttps://lab52.io/blog/new-patchwork-campaign-against-pakistan/\r\nPage 1 of 5\r\nIllustration 2: External influence on Kashmir\r\nChina is also involved in this geopolitical scenario, as China is carrying out an important investment in Pakistan, especially in the “China-Pakistan Economic Corridor”. A public officer from Beijing declared that if there is any unacceptable geostrategic movement from India, China would defend the legal right of Pakistan in the Kashmir area ([3]).\r\nIllustration 3: China Pakistan Economic Corridor\r\nThe economic and trade geopolitical interests of China in Pakistan are highly relevant. China’s investments in Pakistan are currently relevant to the continued development of the China \u0026 Pakistan economic corridor, which will join the OBOR route as far as the Gwadar and Karachi ports ([4]). The Indian claim to control of the whole Kashmir area would bring India significantly closer to the China-Pakistan Economic Corridor; this geopolitical situation causes discomfort to both partners, as their logistical project would be in danger of disruption. As shown, China, Pakistan and India are all showing more interest in the Kashmir area.\r\nThe document appeared in public sources around 15-10-2019 and the internal metadata of the document dates from 12-10-2019, so it seems to be a recent campaign. When the document is opened, the MS Office Word process is constantly suspended and behaves in an unstable way. Analyzing the document in depth, it can be observed that it contains a file called image1.eps that corresponds to a Flash element of the document that exploits the Adobe Flash vulnerability known as “CVE-2017-0261”.\r\nIllustration 4: Files dropped by the document\r\nThe exploit executed by the document contains shellcode that drops 3 executable files into the folder “C:\\ProgramData\\Microsoft\\DeviceSync”: two of them related to VMware, and one named “MSBuild.exe”. After creating these files, the shellcode runs the binary named “VMWareCplLauncher.exe”.\r\nAs described in this Unit42 report [6], the executable “VMWareCplLauncher.exe” is a signed binary from VMware, and the DLL, which is automatically loaded by the executable, is also a legitimate part of VMware that has been modified to create, in this case, two scheduled tasks:\r\nIllustration 5: Tasks created by VMWareCplLauncher.exe\r\nIllustration 6: Second binary path\r\nThe first task points to the already seen executable “MSBuild.exe”, and the second to a binary that is not generated at any point of the infection and that could point to a next stage of infection, which may be downloaded after a “recon” of the infected machine carried out by this first stage. After a minute, the task scheduled with the name “Windows Update…” launches the MSBuild.exe binary, which consists of a first-stage trojan with a multitude of capabilities, described below.\r\nThis sample contacts the domain “yetwq.twilightparadox.com” over the HTTP protocol, to which it constantly sends information collected from the victim computer, together with the parameter “crc=e3a6”, which is “hardcoded” in its logic.\r\nIllustration 7: Malware traffic with its C2\r\nThe response of the server is checked in its logic in search of one of the following numbers, “4, 5, 8, 13, 23, 33”, which correspond to different commands related to the download and execution of other binaries, keyboard monitoring, sending screenshots to the command and control server, or theft of files with the following list of extensions: “doc:docx:pdf:ppt:pptx:jpg:jpeg:png:rtf:txt:7z:rar:zip:docm:msg:wps:xps:pptm”.\r\nIllustration 8: Command switch/case in the sample\r\nBoth its capabilities and its code are practically the same as those described by Unit42 in reference to the BadNews threat. In the same way, the TTPs of the entire infection chain coincide with those described in several reports in relation to campaigns that have been attributed to the Patchwork group, also known as “Dropping Elephant” or “APT-C-09”.\r\nFurthermore, due to the characteristics of the campaign and the current geopolitical scenario in the area, it seems that its main targets could be located in Pakistan and would be linked to the China-Pakistan Economic Corridor (CPEC) route.\r\nIOCs:\r\n167062593cb9e42a404dc9c8a0347e74888712a1256731724417e6f1d411cbbb\r\n6b656dc98773255cbc3592122db6487326e39b8e01966cca174dde87e72f82ec\r\n5f5a1af57872610aa692ee3d0fba4a0171c2ec1a8cc3cf45f21f52caa2ab9041\r\n31c913899d50d78f2d7d9657e7534bd36819ec9571566216f1c963bf605417f7\r\nyetwq.twilightparadox.com\r\n185.161.208.252\r\nReferences:\r\n[1] https://www.samaa.tv/news/2019/10/india-to-become-center-of-extremism-under-modi-ajk-pm/\r\n[2] https://www.bbc.com/news/world-asia-india-49737886\r\n[3] https://www.dw.com/en/pakistan-thanks-china-for-support-on-kashmir-issue/a-50745277\r\n[4] https://www.dw.com/en/belt-and-road-forum-is-the-china-pakistan-economic-corridor-failing/a-48473486\r\n[5] https://attack.mitre.org/groups/G0040/\r\n[6] https://unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/\r\nSource: https://lab52.io/blog/new-patchwork-campaign-against-pakistan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/new-patchwork-campaign-against-pakistan/"
	],
	"report_names": [
		"new-patchwork-campaign-against-pakistan"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb6cf9ea34db6270ac980049fbd3e977bcf0f486.pdf",
		"text": "https://archive.orkl.eu/fb6cf9ea34db6270ac980049fbd3e977bcf0f486.txt",
		"img": "https://archive.orkl.eu/fb6cf9ea34db6270ac980049fbd3e977bcf0f486.jpg"
	}
}