Threat Actor Profile
High APT
Description

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)

Confidence Score
90%
Known Aliases
Patchwork, Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

December 2015 (first observed, per the description above)

Last Updated

2025-10-21 (per the modified timestamp in the STIX data below)

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (41)
T1005 - Data from Local System (Collection)
T1074.001 - Local Data Staging (Collection)
T1119 - Automated Collection (Collection)
T1560 - Archive Collected Data (Collection)
T1102.001 - Dead Drop Resolver (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1132.001 - Standard Encoding (Command and Control)
T1555.003 - Credentials from Web Browsers (Credential Access)
T1027.001 - Binary Padding (Defense Evasion)
T1027.002 - Software Packing (Defense Evasion)
T1027.005 - Indicator Removal from Tools (Defense Evasion)
T1027.010 - Command Obfuscation (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1055.012 - Process Hollowing (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1197 - BITS Jobs (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1033 - System Owner/User Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1518.001 - Security Software Discovery (Discovery)
T1680 - Local Storage Discovery (Discovery)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.005 - Visual Basic (Execution)
T1203 - Exploitation for Client Execution (Execution)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1559.002 - Dynamic Data Exchange (Execution)
T1189 - Drive-by Compromise (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.002 - Spearphishing Link (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1574.001 - DLL (Persistence)
T1548.002 - Bypass User Account Control (Privilege Escalation)
T1598.003 - Spearphishing Link (Reconnaissance)
T1587.002 - Code Signing Certificates (Resource Development)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['Patchwork',
             'Hangover Group',
             'Dropping Elephant',
             'Chinastrats',
             'MONSOON',
             'Operation Hangover'],
 'created': '2017-05-31T21:32:07.145Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber '
                'espionage group that was first observed in December 2015. '
                'While the group has not been definitively attributed, '
                'circumstantial evidence suggests the group may be a '
                'pro-Indian or Indian entity. '
                '[Patchwork](https://attack.mitre.org/groups/G0040) has been '
                'seen targeting industries related to diplomatic and '
                'government agencies. Much of the code used by this group was '
                'copied and pasted from online forums. '
                '[Patchwork](https://attack.mitre.org/groups/G0040) was also '
                'seen operating spearphishing campaigns targeting U.S. think '
                'tank groups in March and April of 2018.(Citation: Cymmetria '
                'Patchwork) (Citation: Symantec Patchwork)(Citation: '
                'TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork '
                'June 2018)',
 'external_references': [{'external_id': 'G0040',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0040'},
                         {'description': '(Citation: Cymmetria Patchwork) '
                                         '(Citation: Symantec Patchwork) '
                                         '(Citation: Securelist Dropping '
                                         'Elephant) (Citation: PaloAlto '
                                         'Patchwork Mar 2018) (Citation: '
                                         'Volexity Patchwork June 2018)',
                          'source_name': 'Patchwork'},
                         {'description': '(Citation: Securelist Dropping '
                                         'Elephant)',
                          'source_name': 'Chinastrats'},
                         {'description': '(Citation: Symantec Patchwork) '
                                         '(Citation: Securelist Dropping '
                                         'Elephant) (Citation: PaloAlto '
                                         'Patchwork Mar 2018) (Citation: '
                                         'Volexity Patchwork June 2018)',
                          'source_name': 'Dropping Elephant'},
                         {'description': '[Patchwork](https://attack.mitre.org/groups/G0040) '
                                         'and the Hangover Group have both '
                                         'been referenced as aliases for the '
                                         'threat group associated with '
                                         'Operation Monsoon.(Citation: '
                                         'PaloAlto Patchwork Mar '
                                         '2018)(Citation: Unit 42 BackConfig '
                                         'May 2020)(Citation: Forcepoint '
                                         'Monsoon)',
                          'source_name': 'Hangover Group'},
                         {'description': 'Cymmetria. (2016). Unveiling '
                                         'Patchwork - The Copy-Paste APT. '
                                         'Retrieved November 17, 2024.',
                          'source_name': 'Cymmetria Patchwork',
                          'url': 'https://web.archive.org/web/20180825085952/https:/s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf'},
                         {'description': 'Fagerland, S., et al. (2013, May). '
                                         'Operation Hangover: Unveiling an '
                                         'Indian Cyberattack Infrastructure. '
                                         'Retrieved November 17, 2024.',
                          'source_name': 'Operation Hangover May 2013',
                          'url': 'https://web.archive.org/web/20140424084220/http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf'},
                         {'description': 'Hamada, J.. (2016, July 25). '
                                         'Patchwork cyberespionage group '
                                         'expands targets from governments to '
                                         'wide range of industries. Retrieved '
                                         'August 17, 2016.',
                          'source_name': 'Symantec Patchwork',
                          'url': 'http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries'},
                         {'description': 'Hinchliffe, A. and Falcone, R. '
                                         '(2020, May 11). Updated BackConfig '
                                         'Malware Targeting Government and '
                                         'Military Organizations in South '
                                         'Asia. Retrieved June 17, 2020.',
                          'source_name': 'Unit 42 BackConfig May 2020',
                          'url': 'https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/'},
                         {'description': 'It is believed that the actors '
                                         'behind '
                                         '[Patchwork](https://attack.mitre.org/groups/G0040) '
                                         'are the same actors behind Operation '
                                         'Hangover. (Citation: Forcepoint '
                                         'Monsoon) (Citation: Operation '
                                         'Hangover May 2013)',
                          'source_name': 'Operation Hangover'},
                         {'description': "Kaspersky Lab's Global Research & "
                                         'Analysis Team. (2016, July 8). The '
                                         'Dropping Elephant – aggressive '
                                         'cyber-espionage in the Asian region. '
                                         'Retrieved August 3, 2016.',
                          'source_name': 'Securelist Dropping Elephant',
                          'url': 'https://securelist.com/the-dropping-elephant-actor/75328/'},
                         {'description': 'Levene, B. et al.. (2018, March 7). '
                                         'Patchwork Continues to Deliver '
                                         'BADNEWS to the Indian Subcontinent. '
                                         'Retrieved March 31, 2018.',
                          'source_name': 'PaloAlto Patchwork Mar 2018',
                          'url': 'https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/'},
                         {'description': 'Lunghi, D., et al. (2017, December). '
                                         'Untangling the Patchwork '
                                         'Cyberespionage Group. Retrieved July '
                                         '10, 2018.',
                          'source_name': 'TrendMicro Patchwork Dec 2017',
                          'url': 'https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf'},
                         {'description': 'Meltzer, M, et al. (2018, June 07). '
                                         'Patchwork APT Group Targets US Think '
                                         'Tanks. Retrieved July 16, 2018.',
                          'source_name': 'Volexity Patchwork June 2018',
                          'url': 'https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/'},
                         {'description': 'MONSOON is the name of an espionage '
                                         'campaign; we use it here to refer to '
                                         'the actor group behind the campaign. '
                                         '(Citation: Forcepoint Monsoon) '
                                         '(Citation: PaloAlto Patchwork Mar '
                                         '2018)',
                          'source_name': 'MONSOON'},
                         {'description': 'Settle, A., et al. (2016, August 8). '
                                         'MONSOON - Analysis Of An APT '
                                         'Campaign. Retrieved September 22, '
                                         '2016.',
                          'source_name': 'Forcepoint Monsoon',
                          'url': 'https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf'}],
 'id': 'intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0',
 'modified': '2025-10-21T23:13:16.458Z',
 'name': 'Patchwork',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.6'}
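An added example (not code from this page, from MITRE, or from the hosting platform) showing how to consume the intrusion-set object above programmatically: it checks the STIX 2.1 common properties and timestamp ordering, pulls the ATT&CK group ID out of external_references, and follows the ATT&CK convention visible in the record, where an alias's provenance is an external_reference whose description is a run of "(Citation: key)" tokens and each key should resolve to a bibliography entry that carries a URL. The embedded object is a trimmed copy of the page's STIX data; the trimming deliberately leaves one citation key unresolved so the dangling-citation check has something to report.

```python
"""Navigate the STIX 2.1 intrusion-set object shown above (Patchwork, G0040)."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Trimmed copy of the page's STIX object (constructed sample for this example):
# the description and most bibliography entries are dropped, and the trimming
# deliberately leaves "(Citation: PaloAlto Patchwork Mar 2018)" with no matching
# reference so dangling_citations() below has something to report.
PATCHWORK = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
    "created": "2017-05-31T21:32:07.145Z",
    "modified": "2025-10-21T23:13:16.458Z",
    "name": "Patchwork",
    "aliases": ["Patchwork", "Hangover Group", "Dropping Elephant",
                "Chinastrats", "MONSOON", "Operation Hangover"],
    "revoked": False,
    "x_mitre_deprecated": False,
    "x_mitre_domains": ["enterprise-attack"],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0040",
         "url": "https://attack.mitre.org/groups/G0040"},
        {"source_name": "Dropping Elephant",
         "description": "(Citation: Symantec Patchwork) (Citation: Securelist "
                        "Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018)"},
        {"source_name": "Securelist Dropping Elephant",
         "description": "Kaspersky Lab's GReAT. (2016, July 8). The Dropping Elephant.",
         "url": "https://securelist.com/the-dropping-elephant-actor/75328/"},
        {"source_name": "Symantec Patchwork",
         "description": "Hamada, J. (2016, July 25). Patchwork cyberespionage group.",
         "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"},
    ],
}

# Common properties STIX 2.1 requires on every domain object, plus name (required for intrusion-set).
REQUIRED = ("type", "spec_version", "id", "created", "modified", "name")
ID_RE = re.compile(r"^intrusion-set--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")


def parse_ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 in UTC with a trailing Z; reject anything else."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp not in UTC: {value}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate(obj: dict) -> list[str]:
    """Return the problems found; an empty list means the object passes these checks."""
    problems = [f"missing required property: {p}" for p in REQUIRED if p not in obj]
    if obj.get("type") != "intrusion-set":
        problems.append(f"unexpected type: {obj.get('type')!r}")
    if not ID_RE.match(obj.get("id", "")):
        problems.append("id is not intrusion-set--<uuid>")
    if obj.get("spec_version") != "2.1":
        problems.append(f"spec_version {obj.get('spec_version')!r} is not 2.1")
    try:
        if parse_ts(obj["modified"]) < parse_ts(obj["created"]):
            problems.append("modified precedes created")
    except (KeyError, ValueError) as exc:
        problems.append(f"bad timestamp: {exc}")
    return problems


def attack_id(obj: dict) -> str | None:
    """The ATT&CK group ID is the external_id of the reference whose source_name is mitre-attack."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def citation_index(obj: dict) -> dict[str, str]:
    """Bibliography: citation key -> URL, for the references that carry a URL."""
    return {r["source_name"]: r["url"]
            for r in obj.get("external_references", [])
            if "url" in r and r.get("source_name") != "mitre-attack"}


def alias_sources(obj: dict) -> dict[str, list[str]]:
    """For each alias that has a provenance entry, the citation keys it points at.

    ATT&CK records alias provenance as an external_reference whose source_name is the
    alias and whose description is a run of "(Citation: key)" tokens rather than a URL.
    """
    aliases = set(obj.get("aliases", []))
    return {r["source_name"]: CITATION_RE.findall(r.get("description", ""))
            for r in obj.get("external_references", [])
            if r.get("source_name") in aliases and "url" not in r}


def dangling_citations(obj: dict) -> set[str]:
    """Citation keys used in the description or alias entries that have no bibliography entry."""
    used = set(CITATION_RE.findall(obj.get("description", "")))
    for keys in alias_sources(obj).values():
        used.update(keys)
    return used - set(citation_index(obj))


if __name__ == "__main__":
    print(attack_id(PATCHWORK), validate(PATCHWORK) or "valid")
    print(alias_sources(PATCHWORK))
    print("dangling:", dangling_citations(PATCHWORK))
```

Run as a script it prints the group ID, the validation result, the per-alias citation keys and the unresolved keys. On the full record shown on this page every citation key resolves to an entry with a URL, so an empty dangling set is a cheap integrity check to run over any exported ATT&CK bundle before loading it into a platform.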