Threat Group Cards: A Threat Actor Encyclopedia

APT group: Patchwork, Dropping Elephant

Names	Patchwork (Cymmetria) Dropping Elephant (Kaspersky) Chinastrats (Kaspersky) APT-C-09 (Qihoo 360) Monsoon (Forcepoint) Quilted Tiger (CrowdStrike) TG-4410 (SecureWorks) Zinc Emerson (SecureWorks) ATK 11 (Thales) Thirsty Gemini (Palo Alto) Capricorn Organisation (?) Maha Grass (?)
Country	India
Motivation	Information theft and espionage
First seen	2013
Description	(Cymmetria) Patchwork is a targeted attack that has infected an estimated 2,500 machines since it was first observed in December 2015. There are indications of activity as early as 2014, but Cymmetria has not observed any such activity first hand. Patchwork targets were chosen worldwide with a focus on personnel working on military and political assignments, and specifically those working on issues relating to Southeast Asia and the South China Sea. Many of the targets were governments and government-related organizations. The code used by this threat actor is copy-pasted from various online forums, in a way that reminds us of a patchwork quilt –hence the name we’ve given the operation. In active victim systems, Patchwork immediately searches for and uploads documents to their C&C, and only if the target is deemed valuable enough, proceeds to install a more advanced second stage malware. This group seems to be associated with Confucius.
Observed	Sectors: Aviation, Defense, Energy, Financial, Government, IT, Media, NGOs, Pharmaceutical, Think Tanks. Countries: Bangladesh, Cambodia, China, Israel, Japan, Myanmar, Nepal, Pakistan, South Korea, Sri Lanka, UK, USA and Middle East and Southeast Asia.
Tools used	AndroRAT, ArtraDownloader, AutoIt backdoor, BADNEWS, Bahamut, Bozok, Crypta, LokiBot, NDiskMonitor, PowerSploit, PubFantacy, QuasarRAT, Ragnatela, SocksBot, TINYTYPHON, Unknown Logger, WSCSPL.
Operations performed	2015	The attack was detected as part of a spear phishing against a government organization in Europe in late May 2016. The target was an employee working on Chinese policy research and the attack vector was a PowerPoint presentation file. The content of the presentation was on issues relating to Chinese activity in the South China Sea. <https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf>
	Jan 2018	The malicious documents seen in recent activity refer to a number of topics, including recent military promotions within the Pakistan Army, information related to the Pakistan Atomic Energy Commission, as well as Pakistan’s Ministry of the Interior. <https://unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/>
	Mar 2018	Targeting US Think Tanks In March and April 2018, Volexity identified multiple spear phishing campaigns attributed to Patchwork, an Indian APT group also known as Dropping Elephant. This increase in threat activity was consistent with other observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on Chinese organizations and Trend Micro noting targets in South Asia. <https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/>
	Nov 2021	Patchwork APT caught in its own web <https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/>
	Jul 2023	PatchWork’s new assault Weapons report — EyeShell Weapons Disclosure <https://medium.com/@knownsec404team/patchworks-new-assault-weapons-report-eyeshell-weapons-disclosure-181833f434be>
Information	<https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf> <https://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries> <https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf> <https://securelist.com/the-dropping-elephant-actor/75328/> <https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf> <https://cybleinc.com/2021/01/20/a-deep-dive-into-patchwork-apt-group/>
MITRE ATT&CK	<https://attack.mitre.org/groups/G0040/>
Playbook	<https://pan-unit42.github.io/playbook_viewer/?pb=thirstygemini>

Last change to this card: 10 March 2024

Download this actor card in PDF or JSON format

Previous: PassCV
Next: Pinchy Spider, Gold Southfield