Connect with us

Hi, what are you looking for?



Patchwork Cyberspies Target U.S. Think Tanks

The cyber-espionage group known as “Patchwork” has been launching cyberattacks directly against United States-based think tanks, Volexity reveals.

The cyber-espionage group known as “Patchwork” has been launching cyberattacks directly against United States-based think tanks, Volexity reveals.

Believed to be operating out of the Indian subcontinent and supposedly active since 2014, the threat group was previously observed targeting mainly government-associated organizations connected to Southeast Asia and the South China Sea.

After expanding its target list a couple of years ago, the group adopted new exploit techniques in late 2017, and also updated malware families in its arsenal earlier this year.  

Also referred to as Dropping Elephant, Patchwork has shown an increase in activity recently, and also started using unique tracking links in their phishing emails, to identify which recipients opened their messages, Volexity has discovered.

The security firm observed three spear-phishing campaigns launched by the group, “leveraging domains and themes mimicking those of well-known think tank organizations in the United States.” The actors used articles and themes from the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute for China Studies (MERICS) as lures, along with malicious Rich Text Format (RTF) documents.

The attacks shared the use of email recipient tracking, a linked RTF document, and the final payload, but various elements in each campaign were different, Volexity reports.

In one attack, the actors also used a domain name similar to the Foreign Policy Research Institute (FPRI), in a message supposedly coming from CFR. The spear-phishing emails contained links to files featuring the .doc extension, but which were in fact RTF documents attempting to exploit CVE-2017-8750 and execute code via a malicious scriptlet file embedded in the document.

Advertisement. Scroll to continue reading.

The group apparently used publicly available exploit code from Github to deploy the freely available QuasarRAT.

Written in C#, the remote access tool (RAT) provides AES encryption of network communication, file management, the ability to download, upload, and execute files, keylogging, remote desktop access, remote webcam viewing, reverse proxy, and browser and FTP client password recovery, among other capabilities.

The malware achieves persistence by creating a scheduled task that points to the QuasarRAT binary (saved on disk as microsoft_network.exe). The scheduled task, named Microsoft_Security_Task, runs at 12:00 AM each day, then repeats every 5 minutes for 60 days.

When executed, the malware first attempts to determine the geographical location of the infected host, then starts beaconing over an encrypted connection to the command and control domain.

“The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. While there were a few peculiar components to some of the spear phish messages, the campaigns and themes were strategically relevant to the organizations being targeted.
The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message,” Volexity notes.

Related: Patchwork Cyberspies Update the Badnews Backdoor

Related: Patchwork Cyberspies Adopt New Exploit Techniques

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...