Patchwork
G00402 reportsAnalyst assessment — key judgments
- Signature techniques: T1053.005 (Scheduled Task), T1113 (Screen Capture), T1132.001 (Standard Encoding).
- Primary targeting: US, CN, SG, IN.
- Newly emerged: 2 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 36 new technique(s), 23 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 28% of 36 observed techniques (26 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Movement — last 30 days
Overview
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)
ATT&CK technique matrix
- T1053.005 · Scheduled Taskconf 601
- T1113 · Screen Captureconf 601
- T1132.001 · Standard Encodingconf 601
- T1036.005 · Match Legitimate Resource Name or Locationconf 601
- T1204.002 · Malicious Fileconf 601
- T1573.001 · Symmetric Cryptographyconf 601
- T1497.001 · System Checksconf 601
- T1566.001 · Spearphishing Attachmentconf 601
- T1082 · System Information Discoveryconf 601
- T1071 · Application Layer Protocolconf 601
- T1053 · Scheduled Task/Jobconf 601
- T1005 · Data from Local Systemconf 601
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|