Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G0040: Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1] [2][3][4]

EnterpriseG0040GroupObject v1.7 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Patchwork is an ATT&CK-tracked cyber espionage group associated in reporting with government, diplomatic, and think tank targeting. The business significance is not the name itself, but the pattern: spearphishing-driven espionage using a mix of copied public code, open-source tools, custom backdoors, Windows scripting, RDP, persistence, stealth, and data collection behaviors. For leaders, this makes Patchwork a useful planning profile for validating whether email security, endpoint visibility, identity controls, and incident response can handle lower-cost but persistent espionage tradecraft.

Executive priority

Prioritize Patchwork as an intelligence-led control validation case where the organization has exposure to diplomatic, government, policy, research, or regional geopolitical interests. Ask whether SOC and IR teams can prove coverage for phishing-led intrusion, PowerShell and command-shell abuse, scheduled task persistence, RDP lateral movement, local data collection, and remote access malware. This object also supports budget discussions around identity hardening, endpoint detection depth, mobile/BYOD governance where Android risk matters, and audit evidence showing that common espionage behaviors are monitored and rehearsed.

Technical view

ATT&CK does not provide an official detection section for this group, so validation should be built from the supplied relationships. Enterprise defenders should test visibility around related Windows malware and tools such as BADNEWS, AutoIt backdoor, Unknown Logger, PowerSploit, QuasarRAT, NDiskMonitor, and BackConfig, plus techniques including Data from Local System, RDP, binary padding, software packing, indicator removal, command obfuscation, user discovery, masquerading, scheduled tasks, process hollowing, PowerShell, Windows Command Shell, and Visual Basic. Mobile security teams should separately assess relevance of the related Android malware VajraSpy, especially in environments allowing unmanaged messaging or news applications.

Likely telemetry

  • Email security and phishing investigation records, especially attachments and links associated with targeted delivery.
  • Endpoint process creation, command-line, script execution, PowerShell, Windows Command Shell, and Visual Basic activity.
  • Windows scheduled task creation, modification, and execution events.
  • RDP authentication and session telemetry, including source, destination, account, and unusual interactive logon patterns.
  • Endpoint file, registry, and persistence telemetry for masquerading, suspicious names/locations, packed or padded binaries, and indicator changes.

Detection direction

  • Do not rely only on hash or static signature matching; the related techniques include binary padding, software packing, command obfuscation, and indicator removal from tools.
  • Correlate phishing artifacts with post-delivery execution: script interpreters, AutoIt or PowerShell activity, scheduled task creation, and new remote access tooling.
  • Tune RDP detections around identity context: unusual account use, new source systems, abnormal interactive sessions, and lateral movement following endpoint compromise.
  • Baseline legitimate administrative PowerShell, cmd, Visual Basic, scheduled task, and RDP usage to reduce false positives while preserving high-risk sequences.
  • Hunt for tool families named in the relationships, but treat tool presence as context rather than attribution proof because several are public or open-source.

Mitigation priorities

  • Start with phishing resilience: user reporting workflows, attachment/link controls, sandboxing where available, and rapid triage of targeted email campaigns.
  • Harden identity and remote access: restrict and monitor RDP, enforce strong authentication, reduce unnecessary interactive logon rights, and review privileged account exposure.
  • Constrain script abuse with least privilege, PowerShell logging, execution controls, and administrative allowlisting policies appropriate to the environment.
  • Monitor and govern persistence mechanisms such as scheduled tasks, especially creation by non-administrative or unusual parent processes.
  • Maintain endpoint controls capable of behavioral detection, not only static malware signatures, because the related behaviors include packing, padding, obfuscation, and modified tooling.
Analyst notes and limits

Patchwork is also referenced through aliases including Hangover Group, Dropping Elephant, Chinastrats, MONSOON, and Operation Hangover. ATT&CK notes that attribution is not definitive, with circumstantial evidence suggesting a pro-Indian or Indian entity, and that MONSOON objects were revoked by this group entry. The strongest defensive value comes from the relationships to malware, tools, and techniques rather than from the group description alone.

The supplied group object has no official detection text, no group-level platforms, and no group-level tactics. Several related software entries are public, open-source, or copied-code tools, so their presence should not be treated as standalone attribution to Patchwork. Local telemetry, business exposure, mobile device scope, and historical incident evidence are required to decide priority and coverage.

Official MITRE ATT&CK definition

Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1] [2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

41 rows
Domain ID Name Relationship / procedure
Enterprise T1059.005 Visual Basic Sub-technique

Patchwork used Visual Basic Scripts (VBS) on victim machines.[3][4]
Enterprise T1560 Archive Collected Data

Patchwork encrypted the collected files' path with AES and then encoded them with base64.[3]
Enterprise T1083 File and Directory Discovery

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[1][3]
Enterprise T1553.002 Code Signing Sub-technique

Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.[5]
Enterprise T1574.001 DLL Sub-technique

A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[3]
Enterprise T1112 Modify Registry

A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.[3]
Enterprise T1197 BITS Jobs

Patchwork has used BITS jobs to download malicious payloads.[5]
Enterprise T1027.005 Indicator Removal from Tools Sub-technique

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[3]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.[1]
Enterprise T1053.005 Scheduled Task Sub-technique

A Patchwork file stealer can run a TaskScheduler DLL to add persistence.[3]
Enterprise T1132.001 Standard Encoding Sub-technique

Patchwork used Base64 to encode C2 traffic.[1]
Enterprise T1055.012 Process Hollowing Sub-technique

A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.[1]
Enterprise T1021.001 Remote Desktop Protocol Sub-technique

Patchwork attempted to use RDP to move laterally.[1]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.[1][3]
Enterprise T1074.001 Local Data Staging Sub-technique

Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.[3]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as “Net Monitor."[1] They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.[4]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.[1][6][3][4]
Enterprise T1027.010 Command Obfuscation Sub-technique

Patchwork has obfuscated a script with Crypto Obfuscator.[3]
Enterprise T1588.002 Tool Sub-technique

Patchwork has obtained and used open-source tools such as QuasarRAT.[4]
Enterprise T1189 Drive-by Compromise

Patchwork has used watering holes to deliver files with exploits to initial victims.[2][4]
Enterprise T1204.001 Malicious Link Sub-technique

Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.[2][3][4][5]
Enterprise T1518.001 Security Software Discovery Sub-technique

Patchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool).[1]
Enterprise T1203 Exploitation for Client Execution

Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.[1][6][2][7][3][4][5]
Enterprise T1027.002 Software Packing Sub-technique

A Patchwork payload was packed with UPX.[6]
Enterprise T1033 System Owner/User Discovery

Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[1][3]
Enterprise T1005 Data from Local System

Patchwork collected and exfiltrated files from the infected system.[1]
Enterprise T1204.002 Malicious File Sub-technique

Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.[3][4]
Enterprise T1587.002 Code Signing Certificates Sub-technique

Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.[5]
Enterprise T1070.004 File Deletion Sub-technique

Patchwork removed certain files and replaced them so they could not be retrieved.[3]
Enterprise T1119 Automated Collection

Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.[3]
Enterprise T1102.001 Dead Drop Resolver Sub-technique

Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[6]
Enterprise T1680 Local Storage Discovery

Patchwork enumerated all available drives on the victim's machine.[1][3]
Enterprise T1059.003 Windows Command Shell Sub-technique

Patchwork ran a reverse shell with Meterpreter.[1] Patchwork used JavaScript code and .SCT files on victim machines.[3][4]
Enterprise T1027.001 Binary Padding Sub-technique

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[3]
Enterprise T1548.002 Bypass User Account Control Sub-technique

Patchwork bypassed User Access Control (UAC).[1]
Enterprise T1059.001 PowerShell Sub-technique

Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[1][3]
Enterprise T1598.003 Spearphishing Link Sub-technique

Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.[4]
Enterprise T1105 Ingress Tool Transfer

Patchwork payloads download additional files from the C2 server.[6][3]
Enterprise T1566.002 Spearphishing Link Sub-technique

Patchwork has used spearphishing with links to deliver files with exploits to initial victims.[2][3][5]
Enterprise T1082 System Information Discovery

Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server.[1][3]
Enterprise T1559.002 Dynamic Data Exchange Sub-technique

Patchwork leveraged the DDE protocol to deliver their malware.[3]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0042: MONSOON

Official MITRE ATT&CK object mirrored from source data.

Revoked/deprecated
Malware Enterprise

S0131: TINYTYPHON

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]

Malware Enterprise

S0129: AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

Windows
Tool Enterprise

S0194: PowerSploit

PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]

Windows
Malware Enterprise

S0128: BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [1] [2]

Windows
Relationship explorer

All related ATT&CK context

uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1560: Archive Collected Data Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1553.002: Code Signing Enterprise uses · Technique T1574.001: DLL Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1197: BITS Jobs Enterprise uses · Technique T1027.005: Indicator Removal from Tools Enterprise uses · Malware S0272: NDiskMonitor Enterprise uses · Technique T1555.003: Credentials from Web Browsers Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1132.001: Standard Encoding Enterprise uses · Technique T1055.012: Process Hollowing Enterprise uses · Technique T1021.001: Remote Desktop Protocol Enterprise revoked by · Group G0042: MONSOON Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1074.001: Local Data Staging Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1566.001: Spearphishing Attachment Enterprise uses · Technique T1027.010: Command Obfuscation Enterprise uses · Tool S0262: QuasarRAT Enterprise uses · Technique T1588.002: Tool Enterprise uses · Technique T1189: Drive-by Compromise Enterprise uses · Technique T1204.001: Malicious Link Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.7
Created
Modified
Raw hash
29ba5254c8849c20...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.7 Current bundle 29ba5254c884…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Cymmetria Patchwork

    Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.

    Open source URL
  2. [2]
    Symantec Patchwork

    Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.

    Open source URL
  3. [3]
    TrendMicro Patchwork Dec 2017

    Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

    Open source URL
  4. [4]
    Volexity Patchwork June 2018

    Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.

    Open source URL
  5. [5]
    Unit 42 BackConfig May 2020

    Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.

    Open source URL
  6. [6]
    Securelist Dropping Elephant

    Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.

    Open source URL
  7. [7]
    PaloAlto Patchwork Mar 2018

    Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.

    Open source URL
  8. [8]
    Forcepoint Monsoon

    Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

    Open source URL
  9. [9]
    Chinastrats

    (Citation: Securelist Dropping Elephant)

  10. [10]
    Dropping Elephant

    (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)

  11. [11]
    Hangover Group

    [Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)

  12. [12]
    MONSOON

    MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)

  13. [13]
    Operation Hangover

    It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)

  14. [14]
    Operation Hangover May 2013

    Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved November 17, 2024.

    Open source URL
  15. [15]
    Patchwork

    (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)

  16. [16]
    mitre-attack G0040
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use