Category | Details |
---|---|
Threat Actors | Patchwork APT (also known as Dropping Elephant, Quilted Tiger, Viceroy Tiger); believed to be Indian-based cyber espionage group active since 2009. |
Campaign Overview | Focused on cyber espionage against government, defense, and diplomatic organizations using spear phishing, watering hole attacks, and malware like BADNEWS RAT and VajraSpy. |
Target Regions (Victims) | South and Southeast Asia, Europe, North America, particularly Pakistan, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia, and the US. Targeted sectors include aviation, defense, energy, financial, government, IT, media, NGOs, pharmaceutical, and think tanks. |
Methodology | – Spear phishing with malicious attachments or links. – Watering hole attacks by compromising legitimate websites. – Exploiting vulnerabilities (e.g., CVE-2017-0261) for malware delivery. – Use of honey-trap romance scams for Android targeting. |
Product Targeted | Government systems, diplomatic entities, Android devices (via VajraSpy RAT), and sectors involved in Chinese foreign relations or geopolitical matters. |
Malware Reference | BADNEWS RAT, VajraSpy RAT. |
Tools Used | Custom malware, spear phishing payloads, watering hole techniques, remote access trojans (RATs), malicious Android apps. |
Vulnerabilities Exploited | – CVE-2017-0261 (remote code execution via malicious Microsoft Office documents). – Android weaknesses abused to deliver VajraSpy payloads. |
TTPs | – Targeting diplomats, academics, and think tanks. – Using phishing, social engineering, and watering hole attacks. – Deploying malware like VajraSpy via fake apps. – Data exfiltration through Firebase C&C servers. – Persistent access via privilege escalation. |
Attribution | Linked to SideWinder APT based on overlap in C&C infrastructure and historical targeting of geopolitical adversaries. |
Recommendations | – Apply patches for known vulnerabilities. – Use email filtering and multi-factor authentication. – Implement endpoint security and network segmentation. – Provide user awareness training. – Regularly test incident response plans. – Limit app permissions. |
Source | SOCRadar |
Read full article: https://socradar.io/dark-web-profile-patchwork-apt/
The above summary has been generated by an AI language model