The sub-techniques beta is now live! Read the release blog post for more info.


Patchwork is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. [1] [2] [3] [4]

ID: G0040
Associated Groups: Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Version: 1.1
Created: 31 May 2017
Last Modified: 11 July 2019

Associated Group Descriptions

Name Description
Dropping Elephant [2] [5] [6] [4]
Chinastrats [5]
MONSOON MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. [7] [6]
Operation Hangover It is believed that the actors behind G0040 are the same actors behind Operation Hangover. [7] [8]

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.[3]

Enterprise T1009 Binary Padding

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[3]

Enterprise T1088 Bypass User Account Control

Patchwork bypassed User Access Control (UAC).[1]

Enterprise T1059 Command-Line Interface

Patchwork ran a reverse shell with Meterpreter.[1]

Enterprise T1003 Credential Dumping

Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.[1]

Enterprise T1132 Data Encoding

Patchwork used Base64 to encode C2 traffic.[1]

Enterprise T1022 Data Encrypted

Patchwork encrypted the collected files' path with AES and then encoded them with base64.[3]

Enterprise T1005 Data from Local System

Patchwork collected and exfiltrated files from the infected system.[1]

Enterprise T1074 Data Staged

Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.[3]

Enterprise T1073 DLL Side-Loading

A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[3]

Enterprise T1189 Drive-by Compromise

Patchwork has used watering holes to deliver files with exploits to initial victims.[2][4]

Enterprise T1173 Dynamic Data Exchange

Patchwork leveraged the DDE protocol to deliver their malware.[3]

Enterprise T1203 Exploitation for Client Execution

Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, and CVE-2015-1641.[1][5][2][6][3][4]

Enterprise T1083 File and Directory Discovery

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[1][3]

Enterprise T1107 File Deletion

Patchwork removed certain files and replaced them so they could not be retrieved.[3]

Enterprise T1066 Indicator Removal from Tools

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[3]

Enterprise T1036 Masquerading

Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[1]

Enterprise T1112 Modify Registry

A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.[3]

Enterprise T1027 Obfuscated Files or Information

Patchwork has obfuscated a script with Crypto Obfuscator.[3]

Enterprise T1086 PowerShell

Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[1][3]

Enterprise T1093 Process Hollowing

A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.[1][3]

Enterprise T1076 Remote Desktop Protocol

Patchwork attempted to use RDP to move laterally.[1]

Enterprise T1105 Remote File Copy

Patchwork payloads download additional files from the C2 server.[5][3]

Enterprise T1053 Scheduled Task

A Patchwork file stealer can run a TaskScheduler DLL to add persistence.[3]

Enterprise T1064 Scripting

Patchwork used Visual Basic Scripts (VBS), JavaScript code, batch files, and .SCT files on victim machines.[3][4]

Enterprise T1063 Security Software Discovery

Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[1]

Enterprise T1045 Software Packing

A Patchwork payload was packed with UPX.[5]

Enterprise T1193 Spearphishing Attachment

Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.[1][5][3][4]

Enterprise T1192 Spearphishing Link

Patchwork has used spearphishing with links to deliver files with exploits to initial victims. The group has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.[2][3][4]

Enterprise T1082 System Information Discovery

Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.[1][3]

Enterprise T1033 System Owner/User Discovery

Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[1][3]

Enterprise T1204 User Execution

Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.[3][4]

Enterprise T1102 Web Service

Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[5]


ID Name References Techniques
S0129 AutoIt backdoor [7] Bypass User Account Control, Data Encoding, File and Directory Discovery, PowerShell
S0128 BADNEWS [7] [3] Automated Collection, Code Signing, Command-Line Interface, Custom Cryptographic Protocol, Data Encoding, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Data Obfuscation, Data Staged, DLL Side-Loading, Execution through API, File and Directory Discovery, Input Capture, Masquerading, Peripheral Device Discovery, Process Hollowing, Registry Run Keys / Startup Folder, Remote File Copy, Scheduled Task, Screen Capture, Standard Application Layer Protocol, Web Service
S0272 NDiskMonitor [3] File and Directory Discovery, Remote File Copy, Standard Cryptographic Protocol, System Information Discovery, System Owner/User Discovery
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery, Audio Capture, Credential Dumping, Credentials in Registry, Data from Local System, DLL Search Order Hijacking, Domain Trust Discovery, Indicator Removal from Tools, Input Capture, Kerberoasting, Modify Existing Service, Obfuscated Files or Information, Path Interception, PowerShell, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Security Support Provider, Windows Management Instrumentation
S0262 QuasarRAT [3] [4] Code Signing, Command-Line Interface, Connection Proxy, Credential Dumping, Credentials from Web Browsers, Credentials in Files, Input Capture, Masquerading, Modify Registry, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Standard Cryptographic Protocol, System Information Discovery, Video Capture
S0131 TINYTYPHON [7] Automated Exfiltration, File and Directory Discovery, Obfuscated Files or Information, Registry Run Keys / Startup Folder
S0130 Unknown Logger [7] Credential Dumping, Disabling Security Tools, Input Capture, Remote File Copy, Replication Through Removable Media, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery