ETDA, Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Patchwork, Dropping Elephant

Names: Patchwork (Cymmetria)
Dropping Elephant (Kaspersky)
Chinastrats (Kaspersky)
APT-C-09 (Qihoo 360)
Monsoon (Forcepoint)
Quilted Tiger (CrowdStrike)
TG-4410 (SecureWorks)
Zinc Emerson (SecureWorks)
ATK 11 (Thales)
Thirsty Gemini (Palo Alto)
Capricorn Organisation (?)
Maha Grass (?)
Country: India
Motivation: Information theft and espionage
First seen: 2013
Description: (Cymmetria) Patchwork is a targeted attack that has infected an estimated 2,500 machines since it was first observed in December 2015. There are indications of activity as early as 2014, but Cymmetria has not observed any such activity first hand.

Patchwork targets were chosen worldwide with a focus on personnel working on military and political assignments, and specifically those working on issues relating to Southeast Asia and the South China Sea. Many of the targets were governments and government-related organizations.

The code used by this threat actor is copy-pasted from various online forums, in a way that reminds us of a patchwork quilt – hence the name we’ve given the operation.

In active victim systems, Patchwork immediately searches for and uploads documents to their C&C, and only if the target is deemed valuable enough, proceeds to install a more advanced second stage malware.

This group seems to be associated with Confucius.
Observed: Sectors: Aviation, Defense, Energy, Financial, Government, IT, Media, NGOs, Pharmaceutical, Think Tanks.
Countries: Bangladesh, Bhutan, Cambodia, China, Israel, Japan, Myanmar, Nepal, Pakistan, South Korea, Sri Lanka, UK, USA, and the Middle East and Southeast Asia.
Tools used: AndroRAT, ArtraDownloader, AutoIt backdoor, BADNEWS, Bahamut, Bozok, Brute Ratel, Crypta, LokiBot, NDiskMonitor, PGoShell, PowerSploit, PubFantacy, QuasarRAT, Ragnatela, SocksBot, TINYTYPHON, Unknown Logger, WSCSPL.
Operations performed:
2015: The attack was detected as part of a spear phishing against a government organization in Europe in late May 2016. The target was an employee working on Chinese policy research and the attack vector was a PowerPoint presentation file. The content of the presentation was on issues relating to Chinese activity in the South China Sea.
<https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf>
Jan 2018: The malicious documents seen in recent activity refer to a number of topics, including recent military promotions within the Pakistan Army, information related to the Pakistan Atomic Energy Commission, as well as Pakistan’s Ministry of the Interior.
<https://unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/>
Mar 2018: Targeting US Think Tanks
In March and April 2018, Volexity identified multiple spear phishing campaigns attributed to Patchwork, an Indian APT group also known as Dropping Elephant. This increase in threat activity was consistent with other observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on Chinese organizations and Trend Micro noting targets in South Asia.
<https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/>
Nov 2021: Patchwork APT caught in its own web
<https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/>
Jul 2023: PatchWork’s new assault Weapons report — EyeShell Weapons Disclosure
<https://medium.com/@knownsec404team/patchworks-new-assault-weapons-report-eyeshell-weapons-disclosure-181833f434be>
Jul 2024: The Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel C4 and an enhanced version of PGoShell
<https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87>
Information:
<https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf>
<https://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries>
<https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf>
<https://securelist.com/the-dropping-elephant-actor/75328/>
<https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf>
<https://cybleinc.com/2021/01/20/a-deep-dive-into-patchwork-apt-group/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0040/>
Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=thirstygemini>

Last change to this card: 27 August 2024
