The Patchwork APT group (also known as Dropping Elephant, Monsoon, and Hangover Group) has resurfaced with a new campaign that demonstrates their persistence and ingenuity in cyber-espionage operations across South and Southeast Asia.
According to researchers at K7 Security Labs, "Patchwork APT, also known as Dropping Elephant, Monsoon, and Hangover Group, has been active since at least 2015. This threat actor primarily focuses on gathering political and military intelligence, targeting organizations across South and Southeast Asia."
The attack begins with a malicious macro that downloads a Windows shortcut (LNK) file. This file executes a PowerShell script designed to deliver multiple malicious components.
The researchers note: "It downloads the executable and saves it to C:\Windows\Tasks\lama and masquerades the file as the VLC media player (vlc.exe) to look legitimate. Secondly, downloading a DLL file ... mimics VLC's legitimate library (libvlc.dll) so the executable can side-load it during execution."
A decoy PDF is also downloaded to distract the victim, while a Windows Scheduled Task named WindowsErrorReport ensures persistence. The final payload establishes a connection to the attacker's command-and-control (C2) server.
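The drop location, the VLC look-alike side-loading pair and the scheduled task name above are all host-level indicators a defender can hunt for. The following is an added detection example written for this article, not code from K7 Security Labs; it assumes a Sysmon-like JSON event shape and runs over constructed sample events rather than real telemetry.

```python
# Indicators taken from the K7 Security Labs write-up summarised above:
# the side-loading pair dropped under C:\Windows\Tasks\lama and the
# scheduled task used for persistence. Comparisons are case-insensitive.
DROP_DIR = r"c:\windows\tasks\lama"
SIDELOAD_PAIR = ("vlc.exe", "libvlc.dll")
TASK_NAME = "windowserrorreport"

# Constructed sample events in an assumed Sysmon-like JSON shape (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\Tasks\lama\vlc.exe"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\Tasks\lama\libvlc.dll"},
    {"event": "ImageLoad", "image": r"C:\Windows\Tasks\lama\vlc.exe",
     "loaded": r"C:\Windows\Tasks\lama\libvlc.dll"},
    {"event": "TaskCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "task": r"\WindowsErrorReport"},
    # Benign control: the real VLC installation loading its own library.
    {"event": "ImageLoad", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
]


def _in_drop_dir(path):
    return path.lower().startswith(DROP_DIR)


def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    kind = event.get("event")
    if kind == "FileCreate" and _in_drop_dir(event["target"]):
        name = event["target"].lower().rsplit("\\", 1)[-1]
        if name in SIDELOAD_PAIR:
            return "vlc_lookalike_dropped"
        return "write_to_tasks_lama"
    if kind == "ImageLoad":
        # Genuine VLC does not run from the Tasks directory; a vlc.exe there
        # loading libvlc.dll is the side-loading the report describes.
        if _in_drop_dir(event["image"]) and event["loaded"].lower().endswith("libvlc.dll"):
            return "libvlc_sideload_from_tasks"
    if kind == "TaskCreate" and event["task"].lower().lstrip("\\") == TASK_NAME:
        return "persistence_task_windowserrorreport"
    return None


def scan(events):
    """Map each suspicious event to its finding label, preserving event order."""
    return [(e["event"], label) for e in events if (label := classify(e))]
```

Any single hit is worth triage, but the combination of a write to the lama directory, a side-load from it and creation of the WindowsErrorReport task on one host matches the chain described in the report.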
Patchwork's malware establishes communication with its C2 through a staged approach. The fStage method initiates communication by encoding victim identifiers with multiple obfuscation layers:
"It encrypts and encodes the victim's client ID (Cid) by first applying an XOR function with a hardcoded key, then base64 encoding the result, followed by additional obfuscation using Protean."
This process ensures that stolen information, including system details, IP address, and user credentials, is securely transmitted back to the attackers while evading detection.
The malware systematically collects extensive details from infected systems. Using WMI queries, it gathers information on installed software and antivirus products, which is exfiltrated to the C2 server. As the report states: "The dsffds() method collects names of installed applications ... The ghjk() method retrieves names of installed AntiVirus products from the SecurityCenter2 namespace."
To maintain stealth, the malware disguises its C2 traffic as normal web form submissions. "The _getCommand method is designed to contact the attacker's command-and-control (C2) server ... headers mimic standard web form submissions, making the traffic appear legitimate."
Patchworkβs toolkit extends beyond reconnaissance. Its malware can:
- Download and execute files dynamically (dfile method).
- Upload stolen files in chunks to avoid detection (ufile method).
- Execute arbitrary code in memory, bypassing disk-based detection (v_alloc method).
- Capture screenshots of all connected monitors and send them back to the C2 (scrt method).
These features highlight Patchwork's operational maturity, enabling espionage, surveillance, and persistent access.
A recurring theme in the campaign is the use of layered obfuscation to hide activity. K7 Security Labs emphasizes that "the C2 connection ... demonstrates a sophisticated approach to maintaining stealthy and persistent communication between the infected system and the attacker's server. By leveraging encrypted data exchanges, multiple fallback mechanisms, and careful management of system resources, the malware ensures reliable command execution and data exfiltration while minimizing the chances of detection."
Patchwork APT has once again proven its ability to evolve, despite relying on reused tools and techniques. By masquerading as legitimate software, abusing scheduled tasks, and layering obfuscation with encryption and in-memory execution, the group continues to conduct successful intelligence-gathering operations.
K7 Security Labs' analysis confirms that Patchwork remains a serious threat actor in the geopolitical cyber-espionage landscape, with operations that blend social engineering, persistence, and stealthy technical sophistication.