Trusted Design

Untangling the Patchwork Cyberespionage Group

概要

Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets. Patchwork’s moniker is from its notoriety for rehashing off-the-rack tools and malware for its own campaigns. The attack vectors they use may not be groundbreaking—what with other groups exploiting zero-days or adjusting their tactics—but the group’s repertoire of infection vectors and payloads makes them a credible threat. We trailed Patchwork’s activities over the course of its campaigns in 2017. The diversity of their methods is notable—from the social engineering hooks, attack chains, and backdoors they deployed. They’ve also joined the Dynamic Data Exchange (DDE) and Windows Script Component (SCT) abuse bandwagons and started exploiting recently reported vulnerabilities. These imply they’re at least keeping an eye on other threats and security flaws that they can repurpose for their own ends. Also of note are its attem

Created: 2026-02-23

Indicators

• domain - rannd.org -
• FileHash-SHA256 - 48b68a5ab219d7917dbe818e00ddbae889cf8655faf02639e4a3fbe4e46ef9b2 -
• domain - randreports.org -
• FileHash-SHA256 - f24546590ad97b60b3c99a0bcacea4e405ba3884b57393ecf47b3463c8936a45 -
• domain - googlmail.cloud -
• FileHash-SHA256 - 90218e24be373a8a8a3452d5da59d551a3b1936e7c3210cc9cb83995be3d2030 -
• domain - ifenngnews.com -
• FileHash-SHA256 - 0c09c662699c507c553317a909665952562bd7e2434c4a719470f672bdada700 -
• FileHash-SHA256 - 889f1f6873a090162356109f0f3984c044094ea789028ec3e20ba2238d269160 -
• CVE - CVE-2017-8570 -
• domain - militaryreviews.net -
• domain - bdarmy.news -
• domain - yahoomail.support -
• FileHash-SHA256 - 10112aab7bc43c9c138aad9b75ed6a69d7305ea2f04b5cfaa14ecfcddfaa4c7a -
• FileHash-SHA256 - 5f45f9238f17e140b65af93ae072256468c377a39fe0b637fe0c3527627a612c -
• domain - gloalfirepower.org -
• FileHash-SHA256 - 47e0886ba064156d7914db02dec46fa8f497b20373c7f2d4bc8f3f13bd8fa455 -
• FileHash-SHA256 - ae5ecf3889c4bb1838cca1b644c16cb32e815fc1e2fd0db96aa6ca6fffbf30b6 -
• FileHash-SHA256 - d9cdaa649b7ca7b9f61121d269801dbbd68551488c8423ae3a3e95233d6ee99d -
• FileHash-SHA256 - 684523927a468ed5abea8f6c0d3dc01210ec38aa4e0a533abc75dc891d3b0400 -
• FileHash-SHA256 - 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b -
• domain - euuwebmail.com -
• domain - loweinstitute.org -
• domain - sinodefence.info -
• CVE - CVE-2012-1856 -
• FileHash-SHA256 - 72d71b91ceb7dda82db0ec8ca3aba476d01b1011057ae71425e34fa31af2ee6b -
• FileHash-SHA256 - 3dd9814aeae5530e514915c6f73125188a692d0df2e56788c4302cb63d406e03 -
• domain - servicelogin.support -
• domain - zhiihua.org -
• FileHash-SHA256 - dfe0e2cad843ee66f7bad85e62accb76ae54993eb057041e6f81315a3c99d522 -
• domain - zhouangjiabing.com -
• FileHash-SHA256 - f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a -
• domain - servicelogin.center -
• FileHash-SHA256 - e80a97b02bf9c43b8d288097caa38ab85a03ec1f8dbbc7cced1198274f60f6f6 -
• FileHash-SHA256 - 6535696186395b02608f16d86ce9b918e45012a217c11352b9d2904bf6a30c6c -
• domain - cnaas.org -
• FileHash-SHA256 - 801b101bc935ae3c4a8b9bf964ddc30fc5132da2271a23b9727f2b78187c62b4 -
• FileHash-SHA256 - f2c6effbbb203d5889f75b7d445f1a0f73c479e4a977fd7da3bd923f5b827762 -
• CVE - CVE-2017-0199 -
• FileHash-SHA256 - 145551d6ad9f6e6d825393342561407f9f663a43471bb1738f741addf4dd6d82 -
• domain - qzonecn.com -
• domain - invitingholes.com -
• domain - neteease.com -
• FileHash-SHA256 - 34399b371c44e52dbd17c6b4e46619f7c7131af20f66fd7a2c7f92c081d78276 -
• FileHash-SHA256 - 7317867ee5207f6b7195930d0ec3938130cbd2dc00adc8ba0cd3eca7114f4b26 -
• domain - scitechtrends.com -
• CVE - CVE-2015-1641 -
• FileHash-SHA256 - 283e3e8a651b87e055944e9b132f087f88181331bec1194f354eccf085d1bfe2 -
• FileHash-SHA256 - 7d6fa3046a4e558b2ef40ae0a96001a50eb3fcaed9b00e4d7bd235d1d83be01a -
• FileHash-SHA256 - 667992e8c195664ad87fed3e715f0a52efe79a7c83f67d031c3a1affc6411e5f -
• FileHash-SHA256 - cf7adf8ed9b779e62f603a2f23af72671eb331e79586c46b75bd95644a62039a -
• FileHash-SHA256 - 8a6a2027099e8a4d68f4c9931a8050b89aa587f8de47244af4ff399dfc0930a2 -
• FileHash-SHA256 - b43bd22295f8287e5f8126712f0db11afe8b2bdaf918ed361c0d0865125a585b -
• domain - dwnnews.net -
• FileHash-SHA256 - a0c9b6a77dd3e6738a9f5c1a6704adeef904831d29392cf2c24a5628afecf563 -
• domain - sinamilnews.com -
• domain - brokings.org -
• domain - tecchweb.com -
• FileHash-SHA256 - e5af968a8eca77ac64862db3f6c92d7d64db24a999d0ded30f272f2a220cdb70 -
• domain - stripshowsclub.com -
• FileHash-SHA256 - ab608d1adb169040b6fad2029ae56c07fa8d45ee9e03f4b9dfebce2b7d92b1d4 -
• domain - militarypeoplecn.com -
• domain - googlemail.support -
• domain - iisdp.org -
• FileHash-SHA256 - a6abfb56c25c06c5c12c08a8098f427fd0da11c5930a02ebb51ebc117ff63b1a -
• FileHash-SHA256 - de22772c655890a73c7fe13d6cff49b1a560d19df04271e4bc3adcd5402158c9 -
• FileHash-SHA256 - bf94a8f82f9b3ec1ad36be72a27813a661654bc5215559bf10b9eddfd49021b4 -
• FileHash-SHA256 - ab70ef16e625291df6dc33903ec23dbc7b505c25e2e894bfbfd0110550d7664e -
• FileHash-SHA256 - d0d63189a28406914d9d49e8164dc716326f849cd35195ad56bb7e7ea0196ad8 -
• FileHash-SHA256 - bc8e469ac8515a23a3073a41099fde8420b8a40bb71abaf965c9031bd0a084e3 -
• FileHash-SHA256 - 4fbfc64623700615410ec2caba6b931494990e1c0b210d76819edc95a8d1d8b4 -
• FileHash-SHA256 - 647b7a619b3ef6fa76b3e710a3f20b78a0a8ab6299b9245a893052d7b94b62fa -
• CVE - CVE-2014-4114 -
• FileHash-SHA256 - c1227e575553f06fca469d43d02eda006033e5d88acb9b516f5ba64c030772b1 -

類似Pulses

• A Look Into Fysbis: Sofacy’s Linux Backdoor (score: 0.64)
• BBSRAT Attacks Targeting Russian Organizations (score: 0.63)
• Threat Group-3390 Targets Organizations for Cyberespionage (score: 0.63)
• New Targeted Attack Group Buys BIFROSE Code, Works in Teams (score: 0.63)
• Tick cyberespionage group zeros in on Japan (score: 0.62)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る