Patchwork Hackers Target Chinese Research Organizations with EyeShell Backdoor

Threat actors belonging to the Patchwork hacking crew have launched a targeted campaign against Chinese universities and research organizations, utilizing the EyeShell backdoor for their operations.
Patchwork, suspected to be affiliated with India, has a history of narrow-focused attacks, singling out Pakistan and China through custom implants like BADNEWS.
This news item sheds light on their cyber-espionage activities and tactical connections with other Indian-associated threat groups.
Key Takeaways from Patchwork Hackers Target Chinese Research Organizations with EyeShell Backdoor:
- Patchwork hackers employ the EyeShell backdoor to target Chinese research organizations and universities.
- The hacking crew has tactical overlaps with other cyber-espionage groups connected to India.
- Patchwork’s past activities include using fictitious personas to lure victims into downloading malicious apps on social media platforms.
Targeted Cyber-Espionage Campaign with EyeShell
Patchwork hackers have recently been observed targeting Chinese research organizations and universities in a focused cyber-espionage campaign. KnownSec 404 Team reports that the threat actors employed the EyeShell backdoor as part of their activities.
Patchwork: Operations and Suspected Affiliation
The hacking crew, known as Patchwork or Operation Hangover, is believed to operate on behalf of India.
Active since December 2015, Patchwork’s attack chains are highly selective, concentrating on Pakistan and China with customized implants like BADNEWS, distributed through spear-phishing and watering hole attacks.
Notably, Patchwork shares tactical similarities with other Indian-linked cyber-espionage groups, including SideWinder and the DoNot Team.
Social Engineering on Social Media Platforms
In a previous incident in May, Patchwork exploited rogue messaging apps on the Google Play Store to collect data from victims in countries and regions including Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.
The group used elaborate fictitious personas to trick users into clicking on malicious links and downloading harmful apps, showing a sophisticated social engineering approach.
EyeShell Backdoor and Malicious Capabilities
The EyeShell backdoor, detected alongside BADNEWS, is a modular .NET-based tool used by Patchwork for their operations.
It facilitates communication with a remote command-and-control (C2) server and executes various commands, including enumerating files and directories, downloading and uploading files, executing specified files, deleting files, and capturing screenshots.
Conclusion
Patchwork’s targeted campaign against Chinese research organizations raises concerns about cyber-espionage activities and underscores the importance of robust cybersecurity measures for safeguarding sensitive data. With sophisticated tactics and connections to other threat groups, Patchwork remains a significant cyber threat in the region.
About KnownSec 404 Team:
KnownSec 404 Team is a cybersecurity organization known for its expertise in threat intelligence and analysis. Their in-depth research helps uncover and address cyber threats, contributing to enhancing overall digital security.