
Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science.

“Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own [remote access trojan], resulting in captured keystrokes and screenshots of their own computer and virtual machines,” the Malwarebytes Threat Intelligence Team said in a report published on Friday.

Prominent victims that were successfully infiltrated include Pakistan’s Ministry of Defense, National Defence University of Islamabad, Faculty of Bio-Sciences at UVAS Lahore, International Center for Chemical and Biological Sciences (ICCBS), H.E.J. Research Institute of Chemistry, and the Salim Habib University (SBU).

Believed to have been active since 2015, Patchwork APT is also tracked by the wider cybersecurity community under the monikers Dropping Elephant, Chinastrats (Kaspersky), Quilted Tiger (CrowdStrike), Monsoon (Forcepoint), Zinc Emerson, TG-4410 (SecureWorks), and APT-C-09 (Qihoo 360).

The espionage group is primarily known for using spear-phishing campaigns to strike diplomatic and government agencies in Pakistan and China, U.S. think tanks, and other targets located in the Indian subcontinent. It gets its name from the fact that most of the code used for its malware tooling was copied and pasted from various sources publicly available on the web.
