India🇮🇳 IN11 malware familiesExploits CVEs in the wild

Patchwork

Also known asapt_c_09ChinastratsDropping ElephantHangover GroupMONSOONOperation HangoverPatchworkQUILTED TIGERzinc_emerson

Patchwork is an espionage threat actor also referred to as APT-C-09, Chinastrats, Dropping Elephant, Hangover Group, Monsoon, Operation Hangover, Quilted Tiger, and Zinc Emerson. The provided content links Patchwork to Indian interests: one source states that Phronesis Partners, co-founded by retired Indian military cyber specialists, has been linked to Monsoon and Patchwork campaigns, and other reporting cited in the content describes Operation Hangover as involving surveillance against targets of interest to Indian national security and industrial espionage. The actor is described as using spearphishing and malicious documents for initial access and execution, including embedding malicious macros in Word documents and luring victims to click icons to execute malware. Rapid7 attributed a renewed Dropping Elephant campaign to this actor, using a China-themed decoy and a malicious LNK file that launched PowerShell to stage malware, abused Fondue.exe for DLL side-loading of APPWIZ.cpl, decrypted additional payloads, and loaded a memory-resident RAT. Reported capabilities in that campaign included anti-analysis checks, AMSI/WLDP/ETW patching, HTTPS command and control, Base64-encoded and Salsa20-protected traffic, scheduled-task persistence via GoogleErrorReport, command execution, screenshot capture, file upload/download, and shell execution. Across the provided content, Patchwork is also described as conducting file and drive enumeration, searching fixed drives and C:\ for files with targeted extensions, copying targeted files to an index directory for upload, collecting and exfiltrating files, collecting the victim username and whether the process had administrative privileges, and dumping Chrome Login Data from the default Google Chrome profile path. Persistence methods mentioned include adding second-stage malware to the Startup folder and using a Registry Run key. The actor has also used JavaScript, .SCT files, and Meterpreter reverse shells. ESET attributed with high confidence a VajraSpy Android espionage campaign to Patchwork. In that activity, 12 trojanized Android apps, including apps distributed through Google Play, were used for targeted espionage primarily against users in Pakistan. Reported VajraSpy capabilities included theft of contacts, SMS messages, call logs, files, location data, installed app lists, and notifications; more advanced variants could intercept WhatsApp, WhatsApp Business, and Signal communications, record calls and ambient audio, log keystrokes, and take photos.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇨🇳 China

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

53 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics73 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1588

Obtain Capabilities

T1588.002

Tool

TA0001

Initial Access

3 techniques

T1189

Drive-by Compromise

T1190

Exploit Public-Facing Application

T1566

Phishing

T1566.001×2

Spearphishing Attachment

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005×4

Scheduled Task

T1059×2

Command and Scripting Interpreter

T1059.001×4

PowerShell

T1059.003×3

Windows Command Shell

T1059.005

Visual Basic

T1059.007×3

JavaScript

T1204

User Execution

T1204.002×3

Malicious File

TA0003

Persistence

3 techniques

T1053

Scheduled Task/Job

T1053.005×4

Scheduled Task

T1112×2

Modify Registry

T1547

Boot or Logon Autostart Execution

T1547.001×4

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

2 techniques

T1053

Scheduled Task/Job

T1053.005×4

Scheduled Task

T1547

Boot or Logon Autostart Execution

T1547.001×4

Registry Run Keys / Startup Folder

TA0005

Stealth

6 techniques

T1027×3

Obfuscated Files or Information

T1027.007

Dynamic API Resolution

T1036

Masquerading

T1036.004

Masquerade Task or Service

T1036.005

Match Legitimate Resource Name or Location

T1070×2

Indicator Removal

T1070.004×4

File Deletion

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1620×2

Reflective Code Loading

T1622

Debugger Evasion

TA0112

Defense Impairment

2 techniques

T1112×2

Modify Registry

T1553

Subvert Trust Controls

T1553.002

Code Signing

TA0006

Credential Access

3 techniques

T1056

Input Capture

T1056.001

Keylogging

T1539

Steal Web Session Cookie

T1555

Credentials from Password Stores

T1555.003

Credentials from Web Browsers

TA0007

Discovery

9 techniques

T1016

System Network Configuration Discovery

T1033

System Owner/User Discovery

T1057×2

Process Discovery

T1069

Permission Groups Discovery

T1082×4

System Information Discovery

T1083×4

File and Directory Discovery

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1614

System Location Discovery

T1622

Debugger Evasion

TA0008

Lateral Movement

1 technique

T1021

Remote Services

T1021.001

Remote Desktop Protocol

TA0009

Collection

7 techniques

T1005×5

Data from Local System

T1056

Input Capture

T1056.001

Keylogging

T1074

Data Staged

T1113×3

Screen Capture

T1115

Clipboard Data

T1119×2

Automated Collection

T1560

Archive Collected Data

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1071.001×3

Web Protocols

T1105×3

Ingress Tool Transfer

T1132×3

Data Encoding

T1132.001

Standard Encoding

T1219

Remote Access Tools

T1573

Encrypted Channel

T1573.001

Symmetric Cryptography

TA0010

Exfiltration

2 techniques

T1041×3

Exfiltration Over C2 Channel

T1048

Exfiltration Over Alternative Protocol

ARSENAL

Associated malware families

11 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

AutoIt“Once the payload is executed, an UPX packed AutoIT executable is dropped... the file is an automatically generated AutoIT executable with an AutoIT3 script embedded inside.”1Mar 18, 2026

BeEF“...open source toolset dependency with meterpreter and BeEF...”1Mar 18, 2026

Cobalt StrikeDetects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.1May 6, 2026

DonutThe loader decrypts an AES-wrapped payload stored on disk. The decrypted payload contains a Donut shellcode loader that embeds the final RAT and uses Chaskey block cipher as part of its payload protection scheme. Donut then decrypts the final 32-bit native RAT, maps it, and executes it in memory.1Jun 23, 2026

Meterpreter“...open source toolset dependency with meterpreter and BeEF...”1Mar 18, 2026

6 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

9 CVEs this actor has used in observed campaigns. 9 of them exploited in the wild.

CVE-2012-0158MSCOMCTL.OCX ActiveX Controls Remote Code ExecutionIn the wildEvidence2

...has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158...

CVE-2012-1856MSCOMCTL.OCX TabStrip ActiveX Remote Code Execution VulnerabilityIn the wildEvidence2

Patchwork... previously exploited CVE-2017-8570, CVE-2012-1856...

CVE-2014-4114Sandworm Windows OLE Package Manager Remote Code ExecutionIn the wildEvidence2

...exploited Microsoft vulnerabilities, including CVE-2014-4114...

CVE-2015-1641Microsoft Office RTF Memory Corruption RCEIn the wildEvidence2

APT41 leveraged the follow exploits... CVE-2015-1641...

CVE-2017-0199Microsoft Office/WordPad Remote Code Execution VulnerabilityIn the wildEvidence2

...used exploits for... Word (CVE-2017-0199)...

4 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

1,034 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1,034 IOCsView more in app

Domains

616 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+608

ip.v4

241 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+233

hash.md5

145 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+137

uri

21 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+13

hash.sha256

11 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+3

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

cyber security newsNews

Jun 23, 2026

Hackers Use GoogleErrorReport Scheduled Task for Persistence in Dropping Elephant Campaign

Conducting a refined malware campaign using a China-themed lure, malicious LNK files, PowerShell downloaders, DLL side-loading, and an in-memory RAT with persistence via a scheduled task.

rapid7 blogNews

Jun 17, 2026

Malware à la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain

Conducting a malware campaign using a China-themed lure, PowerShell staging, scheduled task persistence, DLL side-loading via Fondue.exe, and an in-memory RAT delivered through Donut shellcode with hardened HTTPS C2 and anti-analysis features.

splunk researchNews

Jun 14, 2026

Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

acronisNews

Jun 10, 2026

Behind Khmer Shadow: Targeted espionage against Cambodian government entities

Referenced as a group previously observed using vmtools.dll as a sideloading target.

+196 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping53

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal11

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs9

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1,034

Domains, IPs, and hashes tied to this actor, refreshed continuously.