patchwork-dropping-elephant

Patchwork / Dropping Elephant

also known as: APT-C-09 APT-Q-36 Quilted Tiger Chinastrats Monsoon Orange Athos Thirsty Gemini Zinc Emerson G0040

India's primary assessed offensive cyber unit, named "Patchwork" by researchers for its habit of copy-pasting code from online forums — a development style that leaves distinctive fingerprints. Focused on espionage against Pakistan, China, and an expanding list of defense and diplomatic targets worldwide, the group has been continuously operational since at least 2009 and continues to evolve its toolset as recently as July 2025.

attributed origin India (state-linked, assessed)

suspected sponsor Government of India

first observed 2009 (public disclosure 2015)

primary motivation Espionage / Intelligence Collection

primary targets Government, Defense, Diplomatic, Academic

known campaigns 10+ confirmed

mitre att&ck group G0040

target regions South Asia, Southeast Asia, Middle East, Europe, US

threat level High

Overview

Patchwork, also tracked as Dropping Elephant and Quilted Tiger, is a cyber espionage actor assessed with high confidence to originate from India. The group was first publicly identified in December 2015 — independently by Kaspersky Lab, who called it Dropping Elephant, and by Cymmetria, who coined the name Patchwork to describe the group's practice of assembling malware from code fragments copied wholesale from public online forums and developer communities. Despite this assembly-line approach to development, the group has maintained persistent operations for over a decade and continues to update its tradecraft in response to public disclosure.

Infrastructure analysis and campaign timing consistently correlate with Indian geopolitical interests. Operations concentrate on entities connected to China's foreign relations, Pakistan's military and government apparatus, and — more recently — defense contractors in countries deepening ties with Pakistan. The group's targeting reflects awareness of geopolitical developments: campaigns have followed shifts in regional alliances, military cooperation agreements, and border disputes with a pattern that suggests tasking from an intelligence organization rather than opportunistic criminal activity.

In early 2022, a critical operational security failure exposed the group's actual targets when an operator infected their own development machine with the Ragnatela variant of BADNEWS RAT, revealing victim lists that included Pakistan's Ministry of Defense, National Defence University of Islamabad, and several biological sciences research institutions. This incident confirmed the espionage focus and provided rare visibility into the group's collection priorities.

active campaign — july 2025

As of July 2025, Arctic Wolf confirmed Dropping Elephant is actively targeting Turkish defense contractors specializing in precision-guided missile systems, using a five-stage LNK-based infection chain leveraging VLC Media Player DLL side-loading and Microsoft Task Scheduler for persistence. Infrastructure preparation for this campaign began in June 2025. The operation is assessed as geopolitically motivated, timed to coincide with the India-Pakistan military tensions and deepening Turkey-Pakistan defense cooperation.

Target Profile

Patchwork's target selection has broadened significantly since its initial focus on China-linked diplomatic targets. The group now consistently pursues government, military, and defense industrial targets across a wide geographic range, with particular interest in organizations that intersect with Pakistan's defense relationships.

Government and diplomatic entities: The group's original and sustained focus. Targets have included ministries, embassies, and national security institutions in Pakistan, China, Bangladesh, and countries with active ties to Chinese foreign policy.
Defense and military: Pakistani military institutions — including the National Defence University of Islamabad and the Ministry of Defense — are confirmed targets. Turkish precision-guided missile manufacturers were actively targeted in July 2025. The group tracks military cooperation agreements and adjusts targeting accordingly.
Academic and research institutions: Life sciences, biological sciences, and molecular medicine institutions in Pakistan have been targeted for intellectual property theft alongside credential harvesting.
Think tanks and policy organizations: US-based think tanks including organizations mimicking CFR, CSIS, and MERICS were targeted in 2018 spear-phishing campaigns. The group uses policy content as social engineering bait.
Individuals via mobile platforms: VajraSpy campaigns distributed through romance-scam honey-trap operations targeted Pakistani individuals on Android devices, using apps disguised as messaging tools distributed via Google Play and third-party platforms.
Aviation, energy, pharmaceutical, and NGO sectors: Symantec documented broader targeting across these sectors, particularly in the United States and United Kingdom, with approximately half of observed attacks directed at US-based entities at peak activity periods.

Tactics, Techniques & Procedures

Patchwork relies heavily on social engineering as its primary entry vector, supplemented by a steadily evolving post-exploitation toolkit. The group demonstrates geopolitical awareness in its lure construction and has progressively improved operational security following each public disclosure of its infrastructure.

mitre id	technique	description
T1566.001	Spear-Phishing Attachment	Primary initial access vector. Phishing emails carry malicious RTF documents, weaponized Office files, or LNK shortcut files tailored to the target's interests and role.
T1566.002	Spear-Phishing Link	Newsletters distributed via legitimate mailing list providers link to attacker-controlled domains. Tracking pixels in emails identify which recipients opened the message before delivering payloads.
T1189	Drive-by Compromise / Watering Hole	The group compromises or impersonates websites known to be frequented by target populations, delivering malware through browser-based exploit code to visitors.
T1203	Exploitation for Client Execution	Documented exploitation of CVE-2012-0158, CVE-2014-6352, CVE-2017-0261, and CVE-2017-8570 (Composite Moniker) in Microsoft Office products to execute payloads from weaponized documents.
T1059.001	PowerShell	In the 2025 Turkish defense campaign, LNK files invoke PowerShell to fetch second-stage payloads from attacker-controlled C2 infrastructure. PowerShell is executed with progress indicators suppressed to remain stealthy.
T1574.002	DLL Side-Loading	The July 2025 campaign abuses VLC Media Player to side-load malicious DLL files, leveraging user trust in familiar legitimate software to bypass detection controls.
T1053.005	Scheduled Task / Job	Persistence achieved via Windows scheduled tasks. In documented campaigns, a task named Microsoft_Security_Task ran the RAT payload daily at midnight and repeated every five minutes for 60 days.
T1071.001	Application Layer Protocol: Web Protocols	BADNEWS RAT communicates over HTTP and uniquely uses RSS feeds, public forums, and blogs as command-and-control channels, blending C2 traffic with legitimate web activity.
T1113	Screen Capture	BADNEWS and its Ragnatela variant capture screenshots of compromised systems for exfiltration alongside keylogging, file listing, and credential harvesting.
T1036.005	Masquerading: Match Legitimate Name or Location	Payloads and scheduled tasks use names mimicking legitimate Windows components. C2 infrastructure impersonates legitimate websites. In 2025, a conference invitation PDF lure mimicked a real ICUVS 2025 conference site.
T1027	Obfuscated Files or Information	Multi-layer obfuscation observed in recent campaigns. The DarkSamural false-flag operation used GrimResource to execute obfuscated JScript, which fetched additional obfuscated JavaScript containing two obfuscation layers.
T1591	Gather Victim Organization Information	Campaigns include email tracking links that identify which recipients opened phishing messages, their operating system, and mail client — used to profile susceptible targets before payload delivery.

Known Campaigns

Confirmed or highly attributed operations linked to Patchwork / Dropping Elephant across a documented operational history spanning over a decade.

Operation Monsoon / Initial Disclosure 2015–2016

First publicly documented activity period. Kaspersky Lab named the actor Dropping Elephant after observing targeted spear-phishing using Chinese-themed content and weaponized Office documents exploiting CVE-2012-0158 and CVE-2014-6352. Targets were government and diplomatic entities connected to China's foreign policy. Cymmetria's concurrent report coined the Patchwork name based on the group's copy-paste development methodology. Symantec subsequently documented expansion into aviation, broadcasting, energy, pharmaceutical, and NGO sectors, with roughly half of observed attacks targeting US entities.

Indian Subcontinent BADNEWS Campaigns 2017–2018

Palo Alto Networks documented sustained campaigns delivering BADNEWS RAT across the Indian subcontinent via weaponized RTF documents. The group impersonated Pakistani government and military bodies, exploiting CVE-2017-0261 in Microsoft Office Equation Editor. BADNEWS communicated via RSS feeds, forums, and blogs as covert C2 channels. Trend Micro and 360 Threat Intelligence Center reported parallel targeting of Chinese organizations during this period.

US Think Tank Targeting 2018

Volexity identified three spear-phishing campaigns in March and April 2018 targeting US-based think tanks including entities impersonating CFR, CSIS, MERICS, and FPRI. Lures were RTF documents exploiting CVE-2017-8570 (Composite Moniker) to drop QuasarRAT, which established persistence via a scheduled task named Microsoft_Security_Task. The group also embedded email tracking pixels to identify which recipients opened phishing messages — a technique borrowed from commercial marketing platforms.

Ragnatela / Pakistani Ministry Targeting 2021–2022

Malwarebytes documented a campaign deploying Ragnatela, a new BADNEWS variant, through RTF documents impersonating Pakistan's Defence Officers Housing Authority in Karachi. The payload exploited Microsoft Equation Editor to enable arbitrary command execution, keylogging, screenshot capture, file upload and download, and secondary payload staging. A critical operational security failure during this campaign infected an operator's development machine with Ragnatela, revealing victim lists including Pakistan's Ministry of Defense, National Defence University of Islamabad, and biological sciences institutions — providing rare direct visibility into the group's collection requirements.

VajraSpy Android Espionage Campaign 2022–2023

ESET uncovered twelve Android applications bundled with VajraSpy, a remote access trojan targeting Pakistani individuals. Six apps were distributed via Google Play; six via third-party platforms. Apps were disguised as messaging tools and delivered through honey-trap romance scams. Firebase Hosting served as C2 infrastructure. Exfiltrated data included contacts, messages, call records, and files. The campaign demonstrated Patchwork's capability to conduct mobile espionage operations alongside traditional desktop-focused intrusions.

Chinese University Targeting / Protego Loader 2025

From early 2025, Patchwork was linked to campaigns against Chinese universities using power grid-themed lures. Attacks delivered a Rust-based loader that decrypted and launched a C# trojan called Protego, harvesting a broad range of information from Windows systems. QiAnXin identified infrastructure overlaps between Patchwork and DoNot Team (APT-Q-38), suggesting potential operational connections between the two clusters. Knownsec 404 Team also documented Bhutan-focused attacks delivering Brute Ratel C4 and an updated version of the PGoShell backdoor in the preceding year.

Turkish Defense Industry Targeting 2025

Arctic Wolf's July 2025 report confirmed an active campaign against Turkish defense contractors manufacturing precision-guided missile systems. Infrastructure preparation began June 2025. The attack chain used malicious LNK files disguised as conference invitations for ICUVS 2025 in Istanbul, invoking PowerShell to fetch payloads from expouav[.]org, a domain registered June 25, 2025. A PDF decoy mimicked the legitimate ICUVS conference site while the five-stage execution chain ran silently. VLC Media Player DLL side-loading and Microsoft Task Scheduler achieved persistence. The campaign transitioned from x64 DLL variants observed in November 2024 to x86 PE executables with enhanced C2 command structures, representing a significant capability evolution. Timing correlated with heightened India-Pakistan military tensions and Turkish-Pakistani defense cooperation agreements.

Tools & Malware

Patchwork maintains a combination of custom-developed implants and commodity open-source tools, rotating between them across campaigns to complicate attribution and bypass signature-based detection.

BADNEWS RAT: The group's signature custom backdoor, named for its use of RSS feeds, public forums, and blogs as C2 channels. Provides full remote access including arbitrary command execution, keylogging, screenshot capture, file management, and secondary payload deployment. The Ragnatela variant (2022) added enhanced data staging capabilities.
VajraSpy: Android RAT distributed through trojanized messaging apps. Exfiltrates contacts, messages, call logs, and files. Used Firebase Hosting for C2. Deployed via honey-trap romance scam social engineering targeting Pakistani individuals on mobile platforms.
QuasarRAT: Open-source C# remote access tool used across multiple campaigns, including the 2018 US think tank operations. Deployed from RTF exploits and persisted via scheduled tasks with names mimicking legitimate Windows security processes.
Protego: A C# trojan delivered via a Rust-based loader in 2025 campaigns against Chinese universities. Performs broad information harvesting from compromised Windows systems. Loader uses power-grid themed social engineering lures.
PGoShell: Updated backdoor variant documented in Bhutan-focused operations. Deployed alongside commercial offensive tools.
Brute Ratel C4: Commercial adversary simulation framework observed in Bhutan-targeted campaigns, representing adoption of sophisticated off-the-shelf post-exploitation tooling alongside the group's custom implants.
AsyncRAT / Remcos RAT / Mythic: Additional commodity and commercial tools documented in the DarkSamural false-flag campaign, attributed to Patchwork following infrastructure correlation analysis. Used alongside NorthStarC2 for C2 variety and evasion.
Custom LNK loaders (2025): Multi-stage loaders delivered via Windows shortcut files, using PowerShell and LOLBAS techniques including VLC DLL side-loading and Microsoft Task Scheduler abuse. Represent an architectural shift from earlier DLL-based staging.

Indicators of Compromise

Publicly available IOCs from the July 2025 Turkish defense campaign. Verify currency before operational use.

warning

IOCs become stale after public disclosure as actors rotate infrastructure. These are provided for historical reference and threat hunting context. Cross-reference with live threat intel feeds before blocking production traffic.

indicators of compromise — 2025 turkish defense campaign

domain expouav[.]org

registered 2025-06-25 (registered ~2 months before active operations)

lure type Malicious LNK file — conference invitation theme (ICUVS 2025, Istanbul)

execution PowerShell → staged payload fetch → VLC DLL side-load → Task Scheduler persistence

domain (historical) tautiaos[.]com (2018 QuasarRAT C2 — 43.249.37.199)

Mitigation & Defense

Organizations in Patchwork's target profile — government, defense industrial base, diplomatic entities, and academic institutions — should prioritize the following controls based on the group's documented TTPs.

Email gateway hardening: Patchwork's primary entry vector is spear-phishing. Email security gateways should sandbox LNK files, RTF documents, and Office attachments before delivery. Block or quarantine emails containing LNK attachments outright in environments where they have no legitimate use case.
Disable or restrict PowerShell: Constrained language mode and application control policies (AppLocker, WDAC) reduce the group's ability to execute the PowerShell-based second-stage fetch that initiates their 2025 infection chain. Log all PowerShell execution via Script Block Logging.
DLL side-loading controls: Restrict write permissions in directories alongside trusted executables such as VLC Media Player. Monitor for unsigned DLLs loaded by known-good processes. Application whitelisting prevents side-loaded payloads from executing.
Scheduled task monitoring: Alert on scheduled task creation events (Event ID 4698) and review tasks with names mimicking Windows system processes. Patchwork consistently uses Task Scheduler for persistence.
Patch management — Office vulnerabilities: The group has exploited CVE-2012-0158, CVE-2014-6352, CVE-2017-0261, and CVE-2017-8570 across its history. Maintaining current Office patch levels removes a documented initial access pathway.
Mobile device management: For organizations whose staff have been targeted via Android espionage campaigns, enforce MDM policies restricting sideloading of applications from outside official app stores and deploy mobile threat defense solutions.
Network traffic analysis: BADNEWS RAT's use of RSS feeds and public forums as C2 channels is unusual and potentially detectable via content inspection. Monitor for unusual outbound HTTP patterns to public blogging and forum platforms from workstations that have no business reason for such traffic.
User awareness training: Patchwork's lures are geopolitically themed and targeted — conference invitations, government correspondence, policy documents relevant to the recipient's role. Train staff to verify unexpected document or invitation links through out-of-band channels before opening attachments.

analyst note

Attribution for Patchwork is assessed with high confidence based on consistent infrastructure patterns, development methodology, and campaign timing correlated with Indian geopolitical priorities. The group's copy-paste code development, while operationally unsophisticated, does not limit operational effectiveness — campaigns have successfully compromised high-value targets across more than a decade. QiAnXin's 2025 finding of infrastructure overlaps with DoNot Team (APT-Q-38) warrants continued monitoring for possible convergence or coordination between these two assessed Indian-origin clusters.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile