Patchwork APT

Type: Cyber-mercenary or APT

Patchwork APT Status: Active

Patchwork APT Other Names: Dropping Elephant / MONSOON / Chinastrats / Operation Hangover

Patchwork APT Active Since/Discovered: July 2016

Last Report: December 16, 2016

Targets: Military and political interests

Target Sectors:

  • Government, energy, and other related organizations present in Southeast Asia and the South China Sea
  • Target documents focus on: army training, personnel and payroll records, defense attaches and consulates, foreign high commissions, military exercises, military air/naval platforms, military logistic records, naval coast protection, anti-torpedo and naval electronic countermeasure (ECM) systems, submarine communication systems, nuclear security and counter-proliferation, United Nations, personal details (including medical records, driving license, passport and visas), accounting records, and travel and itinerary details
  • A division identified in Operation Hangover may separately target Chinese nationals


    • an AutoIt backdoor
    • Achieves resilient command and control (C&C) by leveraging RSS feeds, GitHub, forums, blogs and Dynamic DNS hosts
    • Capable of arbitrary command execution, screenshots, self-updating, downloading and executing files, and directory listings
    • Mainly in the first stage of an attack, uses DLL side-loading with a signed Java binary to evade detection
    • Logs keystrokes, crawls local hard drives for document files, installs a registry key to achieve persistence, and tries to connect to its C&C server (via hard-coded channels such as RSS feeds, forums, blogs, etc.) to receive commands
  • Unknown Logger Public
    • Credential-stealing worm
    • Publicly available since 2012
    • Records keystrokes and steals usernames and passwords from browsers
    • Can spread via RAR files, USB devices, and network shares
    • Lacks C2 communication capabilities
    • Small backdoor designed to locate and steal documents on locally mapped drives and to receive secondary malware
    • Code derived from the MyDoom worm and repurposed to exfiltrate documents
  • Copy-paste source code from GitHub and hacking forums
  • PowerSploit, Meterpreter, AutoIt, and UACME

Preferred Attack Vector: Spear-phishing, Watering Hole Attacks, Social Engineering (Google+, Facebook, and Twitter)


  • CVE-2014-4114, CVE-2014-6352, or CVE-2012-0158
  • Current and topical email lures


  • May originate in India or China
  • Well known for stealing others' code or using open source malware
  • Compromised 2,500 victims in 2015
  • Its lack of dedicated resources and its reliance on open source code suggest that it may be a criminal organization
    • Proves that a group does not need to be sophisticated or original in order to be successful
    • Successful with only OSINT code and no 0-day vulnerabilities