India-Linked Threat Actor Targets Military, Political Entities Worldwide

Patchwork is a new threat actor that has been targeting numerous entities around the world using code that has been copied from various online forums, Cymmetria researchers reveal.

The group, believed to have been active since 2014, infected an estimated 2,500 victims between December 2015, when Cymmetria researchers first observed it, and the time of the report. The threat actor targeted victims worldwide, including the United States, Europe, the Middle East, and APAC, and researchers say it focused mainly on personnel working on military and political assignments.

Furthermore, a detailed report from Cymmetria reveals that this advanced persistent threat usually targets individuals working on issues relating to Southeast Asia and the South China Sea and that many of the group’s targets were governments and government-related organizations.

The researchers observed that the initial attack finds and steals documents from the infected machine; if the target is then deemed valuable enough, a second-stage attack is launched and more advanced malware is dropped onto the compromised system. In that second stage the attackers also downloaded and executed a remote access tool based on the open source PowerSploit framework.

The researchers detected the threat during a spear phishing attack against a government organization in Europe in late May 2016, which used a PowerPoint presentation file as the attack vector. The target was an employee working on Chinese policy research and the weaponized document contained a presentation on issues related to Chinese activity on the South China Sea.

The attack attempted to exploit the CVE-2014-4114 vulnerability, which affects unpatched versions of Microsoft Office PowerPoint 2003 and 2007. The researchers found that the malicious code attempted to bypass UAC using code taken from an online forum, and that the second-stage attack was again carried out using a module built from code taken from various online forums and resources.

Using a deception campaign, the researchers lured the attackers into targeting a decoy system running in a virtual machine. Thus, they managed to gather data associated with the threat, to have a look at the stages of the attack, see all of the network traffic, and analyze the lateral movement of the threat actor. By gaining access to one of the actor’s command and control (C&C) servers, researchers found an abundance of PPS files and more malicious code packages.

According to Cymmetria’s report, the APT is a pro-Indian or an Indian entity, mainly because many of the primary targets of this campaign are regional neighbors of India. This is also suggested by the fact that other targets appear to be of interest only when they relate to issues affecting India. The conclusive evidence, however, was the analysis of the group’s time-of-day activity (document editing, C&C activity and domain registrations), the researchers say.
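The time-of-day analysis cited above can be reproduced in a few lines. The following is an added example, not code from Cymmetria’s report: it takes UTC timestamps of observed activity (the event list is constructed for illustration), shifts them into each candidate UTC offset, and scores each offset by the share of events that fall within an assumed local working day of 09:00 to 18:00.

```python
"""Score candidate UTC offsets by how well attacker activity fits local working hours.
Added example for the attribution technique described in the article; all data is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (activity type, UTC timestamp); not taken from the report.
EVENTS = [
    ("doc_edit", "2016-05-23T03:40:00Z"), ("c2", "2016-05-23T04:15:00Z"),
    ("c2", "2016-05-24T05:30:00Z"), ("domain_reg", "2016-05-24T06:05:00Z"),
    ("doc_edit", "2016-05-25T07:50:00Z"), ("c2", "2016-05-25T09:00:00Z"),
    ("c2", "2016-05-26T10:20:00Z"), ("doc_edit", "2016-05-26T11:10:00Z"),
    ("domain_reg", "2016-05-27T11:45:00Z"), ("c2", "2016-05-27T12:25:00Z"),
]

# Candidate offsets (hours from UTC) an analyst might test; 5.5 corresponds to Indian Standard Time.
CANDIDATES = [-5, 0, 3, 5, 5.5, 8]

WORK_START, WORK_END = 9, 18  # assumed local working day, end exclusive


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hour_histogram(events, offset_hours):
    """Count events per local hour-of-day after shifting into the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hist = Counter()
    for _, ts in events:
        hist[parse_utc(ts).astimezone(tz).hour] += 1
    return hist


def work_hours_share(events, offset_hours):
    """Fraction of events that land inside local working hours for this offset."""
    hist = local_hour_histogram(events, offset_hours)
    in_work = sum(c for h, c in hist.items() if WORK_START <= h < WORK_END)
    return in_work / sum(hist.values())


def best_offsets(events, candidates):
    """Return the candidate offsets with the highest working-hours share (ties kept)."""
    scored = [(work_hours_share(events, off), off) for off in candidates]
    top = max(score for score, _ in scored)
    return sorted(off for score, off in scored if score == top)


if __name__ == "__main__":
    for off in CANDIDATES:
        print(f"UTC{off:+}: {work_hours_share(EVENTS, off):.2f} of events in working hours")
    print("best fit:", best_offsets(EVENTS, CANDIDATES))
```

On the constructed data every event falls inside the working day only for UTC+5:30; a real analysis would add weekday/weekend patterns and far more events before drawing the conclusion the report draws.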

“The high degree of operational capacity stands in stark contradiction to the low technical ability displayed, which raises the question of whether the copy-paste nature of the threat was potentially intentional, perhaps an evolution of threat actors attempting to avoid the high cost of losing their expensive tool box and malware when they are eventually publicly disclosed. This, however, seems unlikely, as the use of such second-hand code is consistent with their second stage toolset meant for persistence, which should typically be built to resist detection,” researchers note.

Cymmetria’s CEO Gadi Evron says that another threat actor might have staged a false flag operation to make it look like an India-related group was behind these attacks, but there is no evidence to support this. Because India is a relatively quiet locale for cyber espionage activity, this pro-Indian threat actor, if it is indeed one, is noteworthy in itself given the scope and scale of this operation, the researchers conclude.

Related: Dropping Elephant – A New and Growing Cyber Espionage Group

Related: Decade-old NetTraveler Malware Used in Multi-National Attacks
