The Patchwork APT group (also known as Bai Xiang or “White Elephant”), a cyberespionage actor believed to have South Asian origins, has launched a new campaign utilizing a sophisticated Trojan named StreamSpy. Active since at least 2009, this group typically targets government, military, and industrial sectors across Asia.
The Qi’anxin Threat Intelligence Center recently detected this new malware, which distinguishes itself by using a “combination of WebSocket and HTTP protocols” to evade traditional network detection. By leveraging WebSockets for command and control (C2), Patchwork effectively hides its malicious traffic inside what looks like normal web activity.
StreamSpy is designed to be stealthy and persistent. It arrives disguised as a ZIP file (e.g., OPS-VII-SIR.zip) containing an executable that mimics a PDF icon, “enticing victims to run the malicious program indiscriminately.”
Once inside a system, the malware splits its communication channels:
- Instructions & Results: The Trojan uses the WebSocket protocol to retrieve commands and transmit results, connecting to an interface containing the string “stream.”
- File Transfer: It leverages standard HTTP protocols for heavier operations like uploading or downloading files.
The malware is also highly configurable. Upon execution, it “decrypts configuration data from its resource section,” which includes network C2 details, identity tags, and persistence settings.
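A hunting check over proxy logs, added here as an illustration and not part of Qi’anxin’s report, that looks for the split-channel pattern described above: a WebSocket upgrade to a path containing “stream” followed within a short window by plain HTTP transfers between the same pair of hosts. The log format, IP addresses, paths and window size are all constructed assumptions for the example.

```python
"""Flag StreamSpy-style split C2 (WebSocket tasking + HTTP file transfer)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy lines (not real indicators).
# Format: <timestamp> <src> <dst> <method> <path> <upgrade-header-or-dash>
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.10 GET /api/stream upgrade=websocket
2024-01-01T10:00:30 10.0.0.5 203.0.113.10 POST /upload -
2024-01-01T10:01:00 10.0.0.7 198.51.100.2 GET /chat/stream upgrade=websocket
2024-01-01T10:05:00 10.0.0.9 203.0.113.10 GET /index.html -
2024-01-01T12:00:00 10.0.0.7 198.51.100.2 GET /download -
"""

def parse_line(line):
    """Parse one constructed log line into a dict; 'ws' marks a WebSocket upgrade."""
    ts, src, dst, method, path, hdr = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "method": method, "path": path,
            "ws": hdr.lower() == "upgrade=websocket"}

def is_stream_ws(ev):
    """WebSocket upgrade to an endpoint whose path contains 'stream'."""
    return ev["ws"] and "stream" in ev["path"].lower()

def find_split_c2(log_text, window=timedelta(minutes=10)):
    """Return (src, dst, ws_path) for host pairs showing both channels
    within `window` of each other. The window is an assumed tuning value."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)
    hits = []
    for (src, dst), evs in by_pair.items():
        ws_events = [e for e in evs if is_stream_ws(e)]
        http_events = [e for e in evs if not e["ws"]]  # plain HTTP = file channel
        for w in ws_events:
            if any(abs(h["ts"] - w["ts"]) <= window for h in http_events):
                hits.append((src, dst, w["path"]))
                break  # one alert per host pair is enough
    return hits

if __name__ == "__main__":
    for src, dst, path in find_split_c2(SAMPLE_LOG):
        print(f"ALERT split-channel C2 candidate: {src} -> {dst} via {path}")
```

A lone WebSocket “stream” endpoint is common in legitimate apps (the third host above is not flagged because its HTTP transfer is two hours later), so the correlation with nearby HTTP transfers is what keeps the false-positive rate tolerable.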
StreamSpy is not just a passive listener; it is a fully functional toolkit for espionage. It collects extensive device data, including “hostname, username, operating system version, and antivirus software details.”
It also supports a wide array of commands, including:
- terminal_input: Commands are passed to a shell process (CMD or PowerShell) for execution.
- File Operations: Specific codes like “F1A5C3” and “D1E2F3” allow it to download, open, or delete files.
- Information Gathering: It can enumerate all drives and directory contents on the infected machine.
To ensure it stays on the victim’s machine, StreamSpy employs multiple persistence methods, such as creating scheduled tasks, setting “RunOnce” registry keys, or dropping LNK files in the Startup directory.
Analysis reveals that StreamSpy is not an entirely isolated tool. Researchers found “similarities between this trojan and the Spyder downloader used by Patchwork”. Furthermore, there is evidence of cross-group collaboration. The digital signature of StreamSpy correlates with samples from the Donot group, another regional threat actor.
This overlap suggests a deeper level of coordination, where “the Mahagra [Patchwork] and Donot attack groups have some connections in terms of resource sharing.”