G0040: Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1][2][3][4]
Analyst context for executives and security teams
Patchwork is an ATT&CK-tracked cyber espionage group associated in reporting with government, diplomatic, and think tank targeting. The business significance is not the name itself, but the pattern: spearphishing-driven espionage using a mix of copied public code, open-source tools, custom backdoors, Windows scripting, RDP, persistence, stealth, and data collection behaviors. For leaders, this makes Patchwork a useful planning profile for validating whether email security, endpoint visibility, identity controls, and incident response can handle lower-cost but persistent espionage tradecraft.
Executive priority
Prioritize Patchwork as an intelligence-led control validation case where the organization has exposure to diplomatic, government, policy, research, or regional geopolitical interests. Ask whether SOC and IR teams can prove coverage for phishing-led intrusion, PowerShell and command-shell abuse, scheduled task persistence, RDP lateral movement, local data collection, and remote access malware. This object also supports budget discussions around identity hardening, endpoint detection depth, mobile/BYOD governance where Android risk matters, and audit evidence showing that common espionage behaviors are monitored and rehearsed.
Technical view
ATT&CK does not provide an official detection section for this group, so validation should be built from the supplied relationships. Enterprise defenders should test visibility around related Windows malware and tools such as BADNEWS, AutoIt backdoor, Unknown Logger, PowerSploit, QuasarRAT, NDiskMonitor, and BackConfig, plus techniques including Data from Local System, RDP, binary padding, software packing, indicator removal, command obfuscation, user discovery, masquerading, scheduled tasks, process hollowing, PowerShell, Windows Command Shell, and Visual Basic. Mobile security teams should separately assess relevance of the related Android malware VajraSpy, especially in environments allowing unmanaged messaging or news applications.
Likely telemetry
- Email security and phishing investigation records, especially attachments and links associated with targeted delivery.
- Endpoint process creation, command-line, script execution, PowerShell, Windows Command Shell, and Visual Basic activity.
- Windows scheduled task creation, modification, and execution events.
- RDP authentication and session telemetry, including source, destination, account, and unusual interactive logon patterns.
- Endpoint file, registry, and persistence telemetry for masquerading, suspicious names/locations, packed or padded binaries, and indicator changes.
Detection direction
- Do not rely only on hash or static signature matching; the related techniques include binary padding, software packing, command obfuscation, and indicator removal from tools.
- Correlate phishing artifacts with post-delivery execution: script interpreters, AutoIt or PowerShell activity, scheduled task creation, and new remote access tooling.
- Tune RDP detections around identity context: unusual account use, new source systems, abnormal interactive sessions, and lateral movement following endpoint compromise.
- Baseline legitimate administrative PowerShell, cmd, Visual Basic, scheduled task, and RDP usage to reduce false positives while preserving high-risk sequences.
- Hunt for tool families named in the relationships, but treat tool presence as context rather than attribution proof because several are public or open-source.
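As an added example that is not part of the mirrored ATT&CK object or of Glexia's analysis, the following Python correlates the telemetry listed above into the high-risk sequence the detection direction describes: an Office application spawning a script interpreter, followed within a window on the same host by scheduled-task creation, with an administrative baseline suppressing the persistence stage so that routine admin task creation does not escalate the alert. The events, host names, accounts and the baseline set are constructed for the example; the record fields are modelled on a Sysmon-style process-creation event and are an assumption, not the site's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Office applications that commonly parent document-based delivery.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script and command interpreters named in the Patchwork relationships.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Constructed baseline (assumption): (host, account) pairs that legitimately
# create scheduled tasks from scripts, so stage 2 does not raise severity for them.
ADMIN_BASELINE = {("mgmt01", "corp\\svc_deploy")}


@dataclass
class ProcEvent:
    """Process-creation record; field names are an assumption modelled on Sysmon Event ID 1."""
    ts: datetime
    host: str
    user: str
    image: str
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_task_creation(ev: ProcEvent) -> bool:
    """schtasks /create or the PowerShell cmdlet equivalent."""
    image = basename(ev.image)
    cl = ev.cmdline.lower()
    return (image == "schtasks.exe" and "/create" in cl) or (
        image == "powershell.exe" and "register-scheduledtask" in cl
    )


def correlate(events: List[ProcEvent], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Stage 1: Office parent -> interpreter (medium). Stage 2: task creation on the
    same host within `window`, outside the admin baseline, raises it to high."""
    by_host: Dict[str, List[ProcEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for s1 in evs:
            if basename(s1.parent_image) not in OFFICE_PARENTS or basename(s1.image) not in INTERPRETERS:
                continue
            alert = {"host": host, "user": s1.user, "severity": "medium",
                     "evidence": [f"{s1.ts:%H:%M} {basename(s1.parent_image)} -> {basename(s1.image)}"]}
            for e in evs:
                if (s1.ts <= e.ts <= s1.ts + window and is_task_creation(e)
                        and (host, e.user.lower()) not in ADMIN_BASELINE):
                    alert["severity"] = "high"
                    alert["evidence"].append(f"{e.ts:%H:%M} task creation: {e.cmdline}")
            alerts.append(alert)
    return alerts


def sample_events() -> List[ProcEvent]:
    """Constructed events: one phishing-style chain, one baselined admin chain, one benign."""
    t = datetime(2024, 1, 15, 10, 0)
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    schtasks = r"C:\Windows\System32\schtasks.exe"
    office = r"C:\Program Files\Microsoft Office\root\Office16"
    return [
        ProcEvent(t, "ws17", "CORP\\jdoe", ps, office + r"\WINWORD.EXE", "powershell.exe -w hidden -nop -File stage.ps1"),
        ProcEvent(t + timedelta(minutes=4), "ws17", "CORP\\jdoe", schtasks, ps,
                  r'schtasks.exe /create /sc minute /mo 15 /tn "Net Monitor" /tr C:\Users\jdoe\AppData\Roaming\nm.exe'),
        # Admin host: stage 1 still fires, but the task creation is in the baseline.
        ProcEvent(t + timedelta(hours=1), "mgmt01", "CORP\\svc_deploy", ps, office + r"\EXCEL.EXE", "powershell.exe -File deploy.ps1"),
        ProcEvent(t + timedelta(hours=1, minutes=2), "mgmt01", "CORP\\svc_deploy", schtasks, ps,
                  r"schtasks.exe /create /sc daily /tn Deploy /tr C:\Tools\deploy.cmd"),
        # Benign: Explorer spawning cmd is not a document-delivery chain.
        ProcEvent(t + timedelta(hours=2), "ws30", "CORP\\asmith", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
    ]


def run_sample() -> List[dict]:
    return correlate(sample_events())


if __name__ == "__main__":
    for a in run_sample():
        print(a["host"], a["severity"], a["evidence"])
```

Running the sample yields a high-severity alert for ws17 (two pieces of evidence) and a medium one for mgmt01, whose task creation is baselined; ws30 produces nothing. The baseline is keyed on host and account rather than on the command line so that the same `schtasks /create` string is still flagged when it appears from a non-administrative account.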
Mitigation priorities
- Start with phishing resilience: user reporting workflows, attachment/link controls, sandboxing where available, and rapid triage of targeted email campaigns.
- Harden identity and remote access: restrict and monitor RDP, enforce strong authentication, reduce unnecessary interactive logon rights, and review privileged account exposure.
- Constrain script abuse with least privilege, PowerShell logging, execution controls, and administrative allowlisting policies appropriate to the environment.
- Monitor and govern persistence mechanisms such as scheduled tasks, especially creation by non-administrative or unusual parent processes.
- Maintain endpoint controls capable of behavioral detection, not only static malware signatures, because the related behaviors include packing, padding, obfuscation, and modified tooling.
Analyst notes and limits
Patchwork is also referenced through aliases including Hangover Group, Dropping Elephant, Chinastrats, MONSOON, and Operation Hangover. ATT&CK notes that attribution is not definitive, with circumstantial evidence suggesting a pro-Indian or Indian entity, and that MONSOON objects were revoked by this group entry. The strongest defensive value comes from the relationships to malware, tools, and techniques rather than from the group description alone.
The supplied group object has no official detection text, no group-level platforms, and no group-level tactics. Several related software entries are public, open-source, or copied-code tools, so their presence should not be treated as standalone attribution to Patchwork. Local telemetry, business exposure, mobile device scope, and historical incident evidence are required to decide priority and coverage.
Patchwork
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.005 | Visual Basic Sub-technique | Patchwork used Visual Basic Scripts (VBS) on victim machines. (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) |
| Enterprise | T1560 | Archive Collected Data | Patchwork encrypted the collected files' path with AES and then encoded them with base64. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1083 | File and Directory Discovery | A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions. (Citation: Cymmetria Patchwork) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies. (Citation: Unit 42 BackConfig May 2020) |
| Enterprise | T1574.001 | DLL Sub-technique | |
| Enterprise | T1112 | Modify Registry | A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1197 | BITS Jobs | Patchwork has used BITS jobs to download malicious payloads. (Citation: Unit 42 BackConfig May 2020) |
| Enterprise | T1027.005 | Indicator Removal from Tools Sub-technique | Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Patchwork dumped the login data database from |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | A Patchwork file stealer can run a TaskScheduler DLL to add persistence. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Patchwork used Base64 to encode C2 traffic. (Citation: Cymmetria Patchwork) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe. (Citation: Cymmetria Patchwork) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Patchwork attempted to use RDP to move laterally. (Citation: Cymmetria Patchwork) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key. (Citation: Cymmetria Patchwork) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor." (Citation: Cymmetria Patchwork) They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe. (Citation: Volexity Patchwork June 2018) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims. (Citation: Cymmetria Patchwork) (Citation: Securelist Dropping Elephant) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Patchwork has obfuscated a script with Crypto Obfuscator. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1189 | Drive-by Compromise | Patchwork has used watering holes to deliver files with exploits to initial victims. (Citation: Symantec Patchwork) (Citation: Volexity Patchwork June 2018) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Patchwork has used spearphishing with links to try to get users to click, download and open malicious files. (Citation: Symantec Patchwork) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) (Citation: Unit 42 BackConfig May 2020) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool). (Citation: Cymmetria Patchwork) |
| Enterprise | T1203 | Exploitation for Client Execution | Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641. (Citation: Cymmetria Patchwork) (Citation: Securelist Dropping Elephant) (Citation: Symantec Patchwork) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) (Citation: Unit 42 BackConfig May 2020) |
| Enterprise | T1027.002 | Software Packing Sub-technique | A Patchwork payload was packed with UPX. (Citation: Securelist Dropping Elephant) |
| Enterprise | T1033 | System Owner/User Discovery | Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server. (Citation: Cymmetria Patchwork) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1005 | Data from Local System | Patchwork collected and exfiltrated files from the infected system. (Citation: Cymmetria Patchwork) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware. (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) |
| Enterprise | T1587.002 | Code Signing Certificates Sub-technique | Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware. (Citation: Unit 42 BackConfig May 2020) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Patchwork removed certain files and replaced them so they could not be retrieved. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1119 | Automated Collection | |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites. (Citation: Securelist Dropping Elephant) |
| Enterprise | T1680 | Local Storage Discovery | Patchwork enumerated all available drives on the victim's machine. (Citation: Cymmetria Patchwork) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1027.001 | Binary Padding Sub-technique | Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Patchwork bypassed User Access Control (UAC). (Citation: Cymmetria Patchwork) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine. (Citation: Cymmetria Patchwork) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages. (Citation: Volexity Patchwork June 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | Patchwork payloads download additional files from the C2 server. (Citation: Securelist Dropping Elephant) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Patchwork has used spearphishing with links to deliver files with exploits to initial victims. (Citation: Symantec Patchwork) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Unit 42 BackConfig May 2020) |
| Enterprise | T1082 | System Information Discovery | Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. (Citation: Cymmetria Patchwork) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | Patchwork leveraged the DDE protocol to deliver their malware. (Citation: TrendMicro Patchwork Dec 2017) |
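The binary padding and indicator-removal rows (T1027.001, T1027.005) and the first point under "Detection direction" make one argument: appending a few bytes changes every cryptographic hash of a sample while leaving its content intact, so a known-hash list alone misses the altered copy. This added Python example, which is not from the page's sources, shows that on a constructed stand-in byte string: the padded copy misses the hash list but still matches a content-level marker and a hash taken over the declared body length only (a simplified stand-in for an overlay-aware hash that a PE parser would compute from the section table). The sample bytes, the family marker, and the body length are constructed assumptions.

```python
import hashlib
import random
import string

# Constructed stand-in for a malware sample body (not a real binary): a fake
# DOS header, a marker string, and some zero bytes.
SAMPLE = b"MZ\x90\x00" + b"NDISKMONITOR-STANDIN-BODY" + b"\x00" * 16
# Constructed family marker that a content-level signature would look for (assumption).
FAMILY_MARKER = b"NDISKMONITOR-STANDIN"
# In a real PE the declared body length would come from the section table;
# here it is simply the unpadded sample length (assumption for the example).
DECLARED_BODY_LEN = len(SAMPLE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pad_with_random_letters(data: bytes, count: int = 4, seed: int = 0) -> bytes:
    """Append `count` random ASCII letters, the alteration the TrendMicro report
    describes for NDiskMonitor samples. Seeded so the example is repeatable."""
    rng = random.Random(seed)
    tail = "".join(rng.choice(string.ascii_letters) for _ in range(count))
    return data + tail.encode("ascii")


def hash_match(data: bytes, known_hashes: set) -> bool:
    """Hash-only matching: exact SHA-256 lookup against a known-bad list."""
    return sha256_hex(data) in known_hashes


def content_match(data: bytes) -> bool:
    """Content-level matching: the family marker survives appended bytes."""
    return FAMILY_MARKER in data


def body_hash(data: bytes, declared_len: int = DECLARED_BODY_LEN) -> str:
    """Hash over the declared body only, ignoring any appended overlay."""
    return sha256_hex(data[:declared_len])


def compare(seed: int = 0) -> dict:
    """Run all three matching strategies against the original and a padded copy."""
    known = {sha256_hex(SAMPLE)}
    padded = pad_with_random_letters(SAMPLE, seed=seed)
    return {
        "padded_len_delta": len(padded) - len(SAMPLE),
        "hash_matches_original": hash_match(SAMPLE, known),
        "hash_matches_padded": hash_match(padded, known),
        "content_matches_padded": content_match(padded),
        "body_hash_unchanged": body_hash(padded) == body_hash(SAMPLE),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The result is the same for any seed: the full-file hash of the padded copy never appears in the known list, while the marker match and the body-only hash both still hit. The same reasoning applies to UPX packing (T1027.002) in the opposite direction: a packed sample hides the marker until it is unpacked, which is why the detection notes above ask for behavioral coverage rather than static matching alone.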
Groups, software, and campaigns
G0042: MONSOON
Official MITRE ATT&CK object mirrored from source data.
S0272: NDiskMonitor
NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [1]
S0262: QuasarRAT
S0475: BackConfig
BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[1]
S0131: TINYTYPHON
TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]
S0129: AutoIt backdoor
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
S0194: PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]
S0128: BADNEWS
S0130: Unknown Logger
Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.7 | | Current bundle | 29ba5254c884… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cymmetria Patchwork: Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
- [2] Symantec Patchwork: Hamada, J. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.
- [3] TrendMicro Patchwork Dec 2017: Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- [4] Volexity Patchwork June 2018: Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- [5] Chinastrats (alias): (Citation: Securelist Dropping Elephant)
- [6] Dropping Elephant (alias): (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)
- [7] Forcepoint Monsoon: Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- [8] Hangover Group (alias): [Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon. (Citation: PaloAlto Patchwork Mar 2018) (Citation: Unit 42 BackConfig May 2020) (Citation: Forcepoint Monsoon)
- [9] MONSOON (alias): MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)
- [10] Operation Hangover (alias): It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)
- [11] Operation Hangover May 2013: Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved November 17, 2024.
- [12] PaloAlto Patchwork Mar 2018: Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
- [13] Patchwork (alias): (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)
- [14] Securelist Dropping Elephant: Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
- [15] Unit 42 BackConfig May 2020: Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- [16] mitre-attack: G0040
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.