Patchwork
Aliases: Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.
ATT&CK techniques
T1059.005 Visual Basic
T1560 Archive Collected Data
T1083 File and Directory Discovery
T1553.002 Code Signing
T1574.002 DLL Side-Loading
T1112 Modify Registry
T1197 BITS Jobs
T1027.005 Indicator Removal from Tools
T1555.003 Credentials from Web Browsers
T1053.005 Scheduled Task
T1132.001 Standard Encoding
T1055.012 Process Hollowing
T1021.001 Remote Desktop Protocol
T1547.001 Registry Run Keys / Startup Folder
T1074.001 Local Data Staging
T1036.005 Match Legitimate Name or Location
T1566.001 Spearphishing Attachment
T1027.010 Command Obfuscation
T1588.002 Tool
T1189 Drive-by Compromise
T1204.001 Malicious Link
T1518.001 Security Software Discovery
T1203 Exploitation for Client Execution
T1027.002 Software Packing
T1033 System Owner/User Discovery
T1005 Data from Local System
T1204.002 Malicious File
T1587.002 Code Signing Certificates
T1070.004 File Deletion
T1119 Automated Collection
T1102.001 Dead Drop Resolver
T1059.003 Windows Command Shell
T1027.001 Binary Padding
T1548.002 Bypass User Account Control
T1059.001 PowerShell
T1598.003 Spearphishing Link
T1105 Ingress Tool Transfer
T1566.002 Spearphishing Link
T1082 System Information Discovery
T1559.002 Dynamic Data Exchange