← All Threat Actors
Threat Actor Profile

Patchwork

Chinastrats Dropping Elephant G0040 Hangover Group MONSOON Operation Hangover UNC2544
▲ High Threat
[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)
Origin

Known TTPs

Visual Basic
Archive Collected Data
File and Directory Discovery
Code Signing
DLL
Modify Registry
BITS Jobs
Indicator Removal from Tools
Credentials from Web Browsers
Scheduled Task
Standard Encoding
Process Hollowing
Remote Desktop Protocol
Registry Run Keys / Startup Folder
Local Data Staging
Match Legitimate Resource Name or Location
Spearphishing Attachment
Command Obfuscation
Tool
Drive-by Compromise
Malicious Link
Security Software Discovery
Exploitation for Client Execution
Software Packing
System Owner/User Discovery
Data from Local System
Malicious File
Code Signing Certificates
File Deletion
Automated Collection
Dead Drop Resolver
Local Storage Discovery
Windows Command Shell
Binary Padding
Bypass User Account Control
PowerShell
Spearphishing Link
Ingress Tool Transfer
Spearphishing Link
System Information Discovery
Dynamic Data Exchange

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD