Background
Patchwork, also tracked as Dropping Elephant, Chinastrats, and Monsoon, is an Indian state-aligned threat actor operating primarily in support of Indian strategic intelligence objectives in South and Central Asia. The group has been active since at least 2015 and is named for its practice of "patching together" malware and techniques borrowed from other threat actors, open-source repositories, and published security research, a cost-effective approach that also complicates attribution because the resulting toolset carries no single distinctive fingerprint.
The group targets entities of strategic interest to India, including Pakistani government and military organizations, Chinese diplomatic and policy bodies, think tanks researching Indian foreign policy, and governments and NGOs operating in South Asian and Central Asian theaters. Patchwork's focus on diplomatic and policy intelligence distinguishes it somewhat from SideWinder's military-centric targeting, though both groups operate in support of India's broader intelligence requirements.
In January 2022, Malwarebytes documented a significant operational security failure: Patchwork operators infected one of their own development systems with their Ragnatela RAT (a BADNEWS variant), giving researchers a window into the group's working environment, victim list, and tradecraft. The victims visible in that telemetry included Pakistan's Ministry of Defence, faculty at the National Defence University in Islamabad, and bioscience and molecular medicine researchers at Pakistani universities, indicating a biological-research collection mandate alongside traditional defence and political intelligence.
Notable Campaigns
Monsoon Campaign (2015-2016): One of Patchwork's earliest documented campaigns, reported by Forcepoint, targeted Chinese nationals and South Asian government and research personnel using weaponized Office documents that exploited already-patched vulnerabilities (the same CVEs listed under Tactics, Techniques & Procedures below) rather than macros. The campaign was notable for the large number of targets and for the simultaneous use of several backdoor families (BADNEWS, an AutoIt backdoor, and TINYTYPHON), suggesting a well-resourced operation.
China and Pakistan Diplomatic Targeting (2016-2019): Patchwork conducted sustained spearphishing campaigns against Chinese diplomatic entities, South Asian policy researchers, and organizations with connections to the China-Pakistan Economic Corridor (CPEC). Lures referenced CPEC developments, Belt and Road Initiative activities, and India-China border issues.
U.S. Think Tank Targeting (2018): Volexity documented Patchwork spearphishing U.S.-based think tanks focused on South Asian policy, particularly those researching India-Pakistan relations, Kashmiri politics, and nuclear non-proliferation in South Asia, with RTF lure documents that delivered the open-source QuasarRAT.
Ragnatela Self-Compromise (2022): Malwarebytes documented the inadvertent infection of Patchwork's own systems with the Ragnatela RAT. The resulting telemetry showed active targeting of Pakistani defence institutions, including the Ministry of Defence and the National Defence University, as well as bioscience and molecular medicine faculties, suggesting intelligence tasking related to Pakistan's biological research capabilities.
Tactics, Techniques & Procedures
Document-Based Initial Access: Patchwork predominantly uses spearphishing emails with malicious document attachments (T1566.001). The group is notable for repurposing and modifying publicly available exploit code, embedding commodity exploits (CVE-2012-0158, CVE-2014-1761, CVE-2017-0199) in RTF and Office documents wrapped in targeted lure content. The "patchwork" construction extends to the exploitation code: known public exploits are combined with custom payloads.
AutoIt Compiled Malware: Patchwork writes loaders in the AutoIt scripting language and ships them compiled, that is, as the AutoIt interpreter stub with the script embedded as a resource. This hides the script from casual static analysis and complicates signature development. The scripts decrypt and load the next-stage payload from embedded resources.
Spear-Targeting of Regional Researchers: Unlike many APT groups that target whole sectors broadly, Patchwork researches individual targets before crafting lures, referencing the target's specific research area, recent publications, and professional affiliations in the phishing email to increase credibility.
Lateral Movement and Reconnaissance: Post-compromise reconnaissance focuses on identifying additional high-value targets within victim organizations, their contact networks, and accessible network shares holding policy documents, diplomatic correspondence, and research reports. The group relies on built-in Windows utilities such as systeminfo (T1082), ipconfig (T1016), tasklist (T1057), and net.exe (T1087, T1135) for host and network reconnaissance.
Tools & Malware
- BADNEWS: Patchwork's signature RAT. It uses RSS feeds, blogs, GitHub pages, and forum posts as dead-drop resolvers (T1102.001), fetching the encoded address of its real C2 server from content hosted on legitimate services so that the initial lookups blend with normal traffic. Provides file listing and upload, screenshot capture, keylogging, command execution, and download-and-execute of further payloads.
- Ragnatela RAT: A BADNEWS variant used as a second-stage backdoor, providing screenshot capture, keylogging, enumeration of running applications and files, file upload, and execution of additional payloads over HTTP C2. This is the implant Patchwork infected its own systems with in 2022.
- PubFantasy: A RAT using a publish-subscribe messaging pattern for C2, with commands exchanged through legitimate bulletin-board and forum services to obscure the traffic.
- TINYTYPHON: A small document-harvesting backdoor from the Monsoon campaign that searches fixed drives for files with document extensions and uploads them to its C2; it reuses code from the leaked MyDoom worm source.
- AutoIt Dropper: A custom compiled AutoIt loader that decrypts and executes embedded payloads, complicating automated analysis.
- QuasarRAT: An open-source .NET remote access tool used alongside custom tooling, providing basic remote access capability with deniability.
- AndroRAT: An open-source Android remote access trojan deployed against mobile devices belonging to Pakistani officials and Indian diaspora communities.
- Socksbot: A SOCKS proxy tool used to route traffic through compromised hosts, supporting lateral movement and covert infrastructure.
Indicators & Detection
Email Lure Detection: Patchwork spearphishing emails targeting South Asian policy researchers are frequently tailored to the recipient's specific professional focus, so content-based filtering alone is weak. Enforce SPF, DKIM, and DMARC, and flag display-name impersonation of known colleagues and institutional addresses. Detonate all Office and RTF attachments in a sandbox, and statically triage them for the legacy Office exploit patterns the group reuses, since those vulnerabilities remain unpatched in some research environments.
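The static triage mentioned above and the commodity RTF exploits listed under Tactics, Techniques & Procedures can be checked before detonation. The following is an added example (not Patchwork's code and not any vendor's detection) that decodes the hex payload of every embedded object in an RTF file and looks for two textual markers: the OLE2Link moniker class combined with the \objupdate control word (the CVE-2017-0199 pattern) and the MSComctlLib ListView class name (the ActiveX control abused by CVE-2012-0158). The sample documents are constructed, the OLE1 header layout is assumed, and real lures are often obfuscated (split control words, junk between hex digits), so a clean result means "nothing obvious", not "safe".

```python
import re

# Added example: static RTF triage for embedded-object exploit patterns.
RTF_MAGIC = b"{\\rtf"
# Hex payload of an embedded object: the run of hex digits/whitespace after \objdata.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

# Strings expected inside the decoded OLE1 object stream (heuristic markers).
OLE2LINK = b"OLE2Link"                    # moniker class used by CVE-2017-0199 documents
MSCOMCTL = b"MSComctlLib.ListViewCtrl.2"  # ActiveX class abused by CVE-2012-0158 documents


def decode_objdata(blob):
    """Return the decoded bytes of every \\objdata hex run found in an RTF blob."""
    decoded = []
    for m in OBJDATA_RE.finditer(blob):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdigits) % 2:            # odd trailing nibble: drop it rather than fail
            hexdigits = hexdigits[:-1]
        if hexdigits:
            decoded.append(bytes.fromhex(hexdigits.decode("ascii")))
    return decoded


def triage_rtf(blob):
    """Return a dict of findings plus a verdict string for one RTF blob."""
    objects = decode_objdata(blob)
    f = {
        "is_rtf": blob.lstrip().startswith(RTF_MAGIC),
        "has_object": b"\\object" in blob,
        "objupdate": b"\\objupdate" in blob,   # forces the object to refresh when opened
        "ole2link": any(OLE2LINK in o for o in objects),
        "mscomctl": any(MSCOMCTL in o for o in objects),
        "embedded_objects": len(objects),
    }
    if f["ole2link"] and f["objupdate"]:
        f["verdict"] = "suspicious: CVE-2017-0199 OLE2Link auto-update pattern"
    elif f["mscomctl"]:
        f["verdict"] = "suspicious: MSComctlLib ListView object (CVE-2012-0158 pattern)"
    elif f["has_object"]:
        f["verdict"] = "review: embedded OLE object present"
    else:
        f["verdict"] = "clean: no embedded objects"
    return f


# --- constructed samples (not real lures) -------------------------------------
def _ole1_object(class_name):
    """Minimal OLE1 object stream: version 0x501, format id 2 (embedded), class name."""
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name + b"\x00" * 8)

SAMPLE_0199 = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1"
               b"{\\*\\objclass Word.Document.8}{\\*\\objdata "
               + _ole1_object(OLE2LINK).hex().encode() + b"}}}")
SAMPLE_0158 = (b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata "
               + _ole1_object(MSCOMCTL).hex().encode() + b"}}}")
SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly update on CPEC corridor projects.}"

if __name__ == "__main__":
    for name, sample in (("0199", SAMPLE_0199), ("0158", SAMPLE_0158), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rtf(sample)["verdict"])
```

Run it over the attachment before it reaches the sandbox queue; a "suspicious" verdict is a reason to prioritise detonation and pull the sender's other mail, while a "review" verdict on a document that should contain no embedded objects at all (a plain policy brief, say) is itself a useful signal.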
AutoIt Detection: Monitor for AutoIt3.exe process execution, particularly when spawned by Office applications or browser processes, and alert on the interpreter or .a3x scripts running from temporary directories or other user-writable locations. Because the compiled stub is routinely renamed, do not rely on the file name: compiled AutoIt executables can be identified by the AutoIt markers they carry in the script resource and interpreter stub, and process lineage plus the burst of discovery commands that typically follows initial execution provides a second, name-independent signal.
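The AutoIt loader behaviour described under Tactics, Techniques & Procedures and the detection guidance just above can be expressed as three small checks. The following is an added example (not Patchwork's code and not a vendor rule): a byte-level check for the strings the AutoIt v3 compiler leaves in every compiled binary, a process-creation rule for the interpreter launched from Office or a browser or from a user-writable path, and a "discovery burst" rule that fires when several of the reconnaissance utilities named in the TTPs run under one parent within a short window. Field names follow Sysmon Event ID 1 (UtcTime, Image, CommandLine, ParentImage, ParentProcessId); the events themselves are constructed, and the thresholds are assumptions to tune per environment.

```python
import collections
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Added example: AutoIt file markers, lineage rule, and discovery-burst rule.
# Strings present in binaries built by the AutoIt v3 compiler: the embedded
# script signature and the interpreter stub's error text.
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")

OFFICE_OR_BROWSER = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DISCOVERY = {"systeminfo.exe": "T1082", "ipconfig.exe": "T1016", "tasklist.exe": "T1057",
             "net.exe": "T1087", "net1.exe": "T1087", "whoami.exe": "T1033"}


def is_compiled_autoit(blob):
    """True if a file's bytes carry the AutoIt compiler markers, whatever the file is named."""
    return any(marker in blob for marker in AUTOIT_MARKERS)


def _name(path):
    return PureWindowsPath(path).name.lower()


def check_process_event(ev):
    """Return the list of reasons one process-creation event is suspicious (empty if none)."""
    image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    if image == "autoit3.exe" and parent in OFFICE_OR_BROWSER:
        reasons.append("AutoIt interpreter spawned by %s" % parent)
    if image == "autoit3.exe" and any(p in ev["Image"].lower() for p in USER_WRITABLE):
        reasons.append("AutoIt interpreter running from a user-writable path")
    if ".a3x" in cmd and any(p in cmd for p in USER_WRITABLE):
        reasons.append("AutoIt script loaded from a user-writable path")
    return reasons


def find_discovery_bursts(events, window_seconds=60, min_distinct=3):
    """Group discovery commands by parent PID and alert when at least min_distinct
    different commands run inside one window. Returns [(parent_pid, commands, techniques)]."""
    by_parent = collections.defaultdict(list)
    for ev in events:
        image = _name(ev["Image"])
        if image in DISCOVERY:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_parent[ev["ParentProcessId"]].append((ts, image))
    alerts = []
    for pid, runs in by_parent.items():
        runs.sort()
        for start, _ in runs:
            seen = {img for t, img in runs if start <= t <= start + timedelta(seconds=window_seconds)}
            if len(seen) >= min_distinct:
                alerts.append((pid, sorted(seen), sorted({DISCOVERY[i] for i in seen})))
                break
    return alerts


# --- constructed events (hostnames, paths and PIDs are made up) ---------------
def _ev(t, image, parent, ppid, cmd=""):
    return {"UtcTime": t, "Image": image, "ParentImage": parent,
            "ParentProcessId": ppid, "CommandLine": cmd}

STUB = r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe"
SAMPLE_EVENTS = [
    _ev("2024-03-04 09:01:10", STUB, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        1380, '"%s" C:\\Users\\alice\\AppData\\Local\\Temp\\brief.a3x' % STUB),
    _ev("2024-03-04 09:01:15", r"C:\Windows\System32\systeminfo.exe", STUB, 4242, "systeminfo"),
    _ev("2024-03-04 09:01:16", r"C:\Windows\System32\ipconfig.exe", STUB, 4242, "ipconfig /all"),
    _ev("2024-03-04 09:01:18", r"C:\Windows\System32\net.exe", STUB, 4242, "net view"),
    _ev("2024-03-04 09:30:00", r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\System32\cmd.exe",
        9001, "ipconfig"),   # an admin's one-off command: no burst
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in check_process_event(ev):
            print(ev["UtcTime"], reason)
    for pid, cmds, techs in find_discovery_bursts(SAMPLE_EVENTS):
        print("discovery burst under PID %d: %s (%s)" % (pid, ", ".join(cmds), ", ".join(techs)))
```

The first event fires all three lineage reasons at once, which is the shape of a lure document dropping and running a compiled AutoIt loader; the three discovery commands that follow within seconds under the loader's PID trip the burst rule, while the lone ipconfig from an administrator's shell does not. Pair the lineage rule with is_compiled_autoit on the dropped file, since a renamed stub defeats the Image name check but not the markers.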
Cloud-Based C2 Detection: Patchwork's use of RSS feeds, blogs, and other legitimate hosting as dead-drop resolvers makes the first hop of C2 look like ordinary web traffic, so simple domain blocklists are of little use. Inspect at the application layer for encoded-looking parameters in otherwise normal requests to feed and blog URLs, and look for check-ins that recur at machine-regular intervals; a feed reader polls, but not from a non-browser process at a fixed period carrying a host identifier. Monitor for unusual access to blogging platforms, pastebin-style sites, and RSS services from systems that have no business reason to read them.
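The two network signals described above (encoded parameters on feed-style URLs and timer-regular polling) can be checked offline against proxy logs. The following is an added example, not Patchwork's code and not a vendor detection, of both heuristics run over a few constructed proxy log lines; the hosts use the reserved ".invalid" and ".example" names, the tab-separated log format (ISO time, client IP, method, URL, status) is an assumption, and the beacon identifier is simply a base64 string built inline to stand in for whatever an implant would encode.

```python
import base64
import math
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Added example: two proxy-log heuristics for dead-drop-resolver style C2.
FEED_PATH_HINTS = ("/feed", "/rss", ".xml", "/atom", "/post", "/thread")
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=-_")


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_encoded(token, min_len=16, min_entropy=3.5):
    """Base64-shaped, decodable and high-entropy: the shape of an encoded beacon parameter."""
    if len(token) < min_len or set(token) - B64_ALPHABET:
        return False
    try:
        base64.b64decode(token.replace("-", "+").replace("_", "/"), validate=True)
    except (ValueError, TypeError):
        return False
    return shannon_entropy(token) >= min_entropy


def parse_log(text):
    """Parse the constructed tab-separated format into dicts with a parsed URL."""
    entries = []
    for line in text.strip().splitlines():
        ts, src, method, url, status = line.split("\t")
        u = urlsplit(url)
        entries.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
                        "method": method, "host": u.hostname, "path": u.path,
                        "query": parse_qsl(u.query), "status": int(status)})
    return entries


def encoded_params_to_feeds(entries):
    """Requests to feed/blog-like paths whose query carries an encoded-looking value."""
    hits = []
    for e in entries:
        if any(h in e["path"].lower() for h in FEED_PATH_HINTS):
            for key, value in e["query"]:
                if looks_encoded(value):
                    hits.append((e["src"], e["host"], key))
    return hits


def regular_beacons(entries, min_requests=4, max_jitter=0.2):
    """(src, host, period) for pairs polled at near-constant intervals, i.e. timer-driven check-ins."""
    series = {}
    for e in entries:
        series.setdefault((e["src"], e["host"]), []).append(e["ts"])
    flagged = []
    for (src, host), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            flagged.append((src, host, round(mean)))
    return flagged


# --- constructed log (hosts and addresses are made up) -------------------------
BEACON_ID = base64.b64encode(b"DESKTOP-A1|alice|10.0.0.5").decode()   # stand-in host identifier
SAMPLE_LOG = "\n".join([
    "2024-03-04T09:00:00Z\t10.0.0.5\tGET\thttp://policy-notes.invalid/feed.xml?uid=%s\t200" % BEACON_ID,
    "2024-03-04T09:02:11Z\t10.0.0.7\tGET\thttp://policy-notes.invalid/feed.xml\t200",
    "2024-03-04T09:05:00Z\t10.0.0.5\tGET\thttp://policy-notes.invalid/feed.xml?uid=%s\t200" % BEACON_ID,
    "2024-03-04T09:10:00Z\t10.0.0.5\tGET\thttp://policy-notes.invalid/feed.xml?uid=%s\t200" % BEACON_ID,
    "2024-03-04T09:12:40Z\t10.0.0.7\tGET\thttp://news.example/search?q=cpec+corridor\t200",
    "2024-03-04T09:15:00Z\t10.0.0.5\tGET\thttp://policy-notes.invalid/feed.xml?uid=%s\t200" % BEACON_ID,
])

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("encoded feed parameters:", encoded_params_to_feeds(entries))
    print("regular beacons:", regular_beacons(entries))
```

Each heuristic alone is noisy: legitimate feed readers do poll on a timer, and plenty of analytics parameters are base64. The two together, from a workstation whose requesting process is not a browser, are what justify pulling the host. The entropy gate matters because a 16-character English word is valid base64 but scores well under the threshold.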
Research Institution Protections: Think tanks, university research departments, and policy institutions focused on South Asian affairs should deploy phishing-resistant MFA, block Office macros from the internet and disable or restrict legacy OLE and equation-editor functionality where it is not needed, keep Office patched against the old document exploits the group still reuses, and provide threat awareness training that specifically addresses Patchwork's habit of tailoring lures to a researcher's own subject matter and publications.