Patchwork (G0040): A Persistent Indian Cyber Espionage Threat
- Suspected Origin
- India
- Motivation
- Espionage, Information Theft, Strategic Intelligence Gathering
- Aliases
- Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
- Target Sectors
- Government, Defense, Diplomatic, Academic, Aviation, Energy, Financial, IT, Media, NGOs, Pharmaceutical, Think Tanks
- Associated Malware
- BADNEWS RAT, VajraSpy, NDiskMonitor, xRAT, QuasarRAT, SocksBot, Protego, Brute Ratel, ArtraDownloader, AutoIt backdoor, PGoShell, TINYTYPHON, Taskhost Stealer, Wintel Stealer
Overview
Patchwork, also tracked as G0040, is a highly active cyber espionage group with strong indications of being a pro-Indian or Indian state-sponsored entity. While first formally observed in December 2015, some researchers suggest their activity may date back as early as 2009 or 2013. This group operates with the primary motivation of cyber espionage and information theft, focusing on gathering strategic intelligence rather than financial gain. Their targets are consistently high-value entities, including government, defense, and diplomatic organizations, as well as academic institutions and think tanks. Although initially concentrating on South and Southeast Asia, Patchwork has broadened its operational scope to include targets across Europe and North America.
The group’s operational approach is often characterized by leveraging publicly available code and tools, leading to its “Patchwork” moniker, implying a cobbled-together methodology rather than highly sophisticated, custom zero-day exploits. Despite this, Patchwork consistently demonstrates adaptive tactics, techniques, and procedures (TTPs), integrating new exploit methods and staying current with evolving cybersecurity landscapes.
Tactics & Techniques
Patchwork’s initial access heavily relies on carefully crafted spear-phishing campaigns. These often involve socially engineered emails containing malicious attachments or links, sometimes spoofing news sites or misusing legitimate newsletter distribution services to deliver weaponized documents. The group has also employed watering hole attacks, compromising legitimate websites frequented by their targets to serve fake software updates, such as a deceptive Adobe Flash Player update that delivered the xRAT Trojan. Recent campaigns have also utilized malicious LNK files disguised as conference invitations.
Upon gaining a foothold, Patchwork utilizes various execution techniques. They’ve exploited numerous Microsoft Office vulnerabilities (e.g., CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, CVE-2015-1641, CVE-2017-0261), often embedding malicious macros or abusing Dynamic Data Exchange (DDE) and Windows Script Components (SCT) to execute payloads. For persistence, Patchwork establishes scheduled tasks via PowerShell commands or adds payload files to the system’s startup folder, ensuring execution across reboots.
Defense evasion is a key focus for Patchwork. They employ obfuscation techniques, DLL side-loading (particularly with their BADNEWS backdoor), and bypass User Access Control (UAC). The group has been observed using publicly available PHP scripts to retrieve files without exposing their true paths and even temporarily removing or replacing malicious files on their command and control (C2) servers to mislead researchers. Patchwork also performs basic host-based discovery, collecting system information like computer name, OS version, architecture, username, and admin status, and scanning for installed antivirus solutions like “360 Total Security.” Their data collection typically involves file stealers designed to exfiltrate documents, including Microsoft Office files, PDFs, RTFs, and email messages. Collected data paths are encrypted with AES and then base64 encoded before being uploaded to C2 servers.
Notable Campaigns
Patchwork has a history of targeting specific regions and entities, reflecting their geopolitical intelligence objectives. In March and April 2018, they conducted spear-phishing campaigns explicitly targeting U.S. think tank groups. Around January 2021, the group was observed targeting China with a malicious document titled “Chinese_Pakistani_fighter_planes_play_war_games.docx,” leveraging a CVE-2017-0261 exploit.
More recently, since early 2025, Patchwork has initiated campaigns against Chinese universities, using lures related to power grids in China to deliver their Protego C# trojan. In July 2025, a geopolitically motivated spear-phishing campaign targeted Turkish defense contractors, including a precision-guided missile systems manufacturer, aligning with deepening defense cooperation between Pakistan and Türkiye amid India-Pakistan military tensions.
Perhaps one of their most widespread recent campaigns, identified in February 2024, involved abusing Google Play to distribute at least six Android applications, and another six via third-party stores. These apps, disguised as legitimate messaging and news services (e.g., Privee Talk, MeetMe), were loaded with the VajraSpy remote access Trojan (RAT). This campaign predominantly targeted Pakistani users, often employing honey-trap romance scams to entice victims into downloading the malware.
Associated Malware & Tools
Patchwork’s arsenal combines custom-developed malware with readily available open-source tools, reinforcing their “patchwork” operational style.
Custom Malware:
- BADNEWS RAT: A potent backdoor capable of extensive information stealing, file execution, and USB device monitoring.
- NDiskMonitor: A custom backdoor specifically designed to list files and logical drives on infected machines and download/execute files from specified URLs.
- VajraSpy: A sophisticated Android-targeted RAT that intercepts calls, SMS messages, files, contacts, and can extract WhatsApp and Signal messages, record phone calls, and capture images via the camera.
- Protego: A C# trojan identified in 2025, used to harvest a wide range of information from compromised Windows systems.
- File Stealers: Dedicated tools like Taskhost Stealer and Wintel Stealer, often developed in AutoIt, designed to target specific document types (Word, Excel, PowerPoint, PDF, RTF) and email messages.
Open-Source/Rehased Tools:
- xRAT: A remote access tool whose source code is publicly available on GitHub, allowing for easy customization and deployment.
- QuasarRAT: Another open-source remote access tool known to be adopted by the group.
- SocksBot: A tool used to establish SOCKS proxies, capture screenshots, and execute various scripts and executables.
- Brute Ratel C4: A red-teaming framework observed in use during a 2024 campaign targeting entities with ties to Bhutan. Other tools include AndroRAT, ArtraDownloader, Bozok, Crypta, LokiBot, PGoShell, PowerSploit, PubFantacy, Ragnatela, TINYTYPHON, and WSCSPL.
Current Status
Patchwork remains a highly active and evolving threat actor. Reports from February 2024 detail their extensive use of the VajraSpy Android RAT, distributed through Google Play and third-party app stores, primarily targeting Pakistani users. Further activity in early 2025 saw them targeting Chinese universities with power grid-related lures and deploying the Protego C# trojan. Most recently, in July and October 2025, the group was observed conducting spear-phishing campaigns against Turkish defense firms and employing PowerShell commands to establish persistence, demonstrating continuous adaptation and an expanded targeting footprint. These consistent and diverse operations underscore Patchwork’s ongoing commitment to cyber espionage and its capability to develop and deploy new attack vectors and malware strains.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call