
Group Background

Patchwork, also known as Bai Xiang (White Elephant), Hangover, and Dropping Elephant, is tracked internally by Qi'anxin as APT-Q-36. The group is widely believed to be of South Asian origin. Its earliest known cyberattacks date back to November 2009, and it has remained active for over a decade. It primarily conducts cyberespionage against countries in Asia, targeting organizations in sectors such as government, military, power, industry, scientific research and education, diplomacy, and economy.


Incident Overview

The Qi'anxin Threat Intelligence Center recently detected a trojan associated with the Patchwork group. This trojan communicates with remote servers through a combination of the WebSocket and HTTP protocols. The server endpoint used to establish the WebSocket connection contains the string "stream". The trojan retrieves instructions and returns execution results over this WebSocket channel, while using HTTP for operations such as file transfers. We also found similarities between this trojan and the Spyder downloader used by Patchwork, and named it StreamSpy on the basis of these characteristics.


Detailed Analysis

Relevant sample information is as follows:

| MD5 | File Name | Description |
| --- | --- | --- |
| 1c335be51fc637b50d41533f3bef2251 | OPS-VII-SIR.zip | ZIP file containing the StreamSpy trojan |
| f78fd7e4d92743ef6026de98291e8dee | Annexure.exe | StreamSpy trojan, version 1.0.0.1 |
| e0ac399cff3069104623cc38395bd946 | List of officials nominated for rewards 2025-2026.zip | ZIP file containing the StreamSpy trojan |
| c3c277cca23f3753721435da80cad1ea | List of officials nominated for rewards 2025-2026.exe | StreamSpy trojan, version 1.0.0.2 |
| e4a7a85feff6364772cf1d12d8153a69 | - | StreamSpy trojan, version 1.0.0.2 |

The newly discovered StreamSpy Version 1.0.0.2 shows minimal changes compared to Version 1.0.0.1. The following analysis will take StreamSpy Version 1.0.0.1 as an example.

The ZIP file OPS-VII-SIR.zip was downloaded from "hxxps://firebasescloudemail.com/reports/OPS-VII-SIR.zip". It contains two PDF files and an EXE file disguised with a PDF icon; the EXE is the StreamSpy trojan itself, and the decoy PDFs entice victims into running the malicious program without noticing the difference.


Initialization

The trojan first decrypts configuration data from its resource section.

The decrypted configuration data is a JSON string, including three parts: network, identity, and persistence. The network section contains the C2 server www.mydropboxbackup[.]com:443.

The trojan's configuration data also includes URL paths used for interacting with the C2 server. These paths are concatenated with the prefix field (here, "analytics") from the decrypted network configuration to form the final paths. Notably, some URL paths are not used in communications with the C2 server, indicating the trojan may still be under development.

If configuration information fails to be retrieved from the resource section, the following default settings are applied.


Information Collection

The trojan collects various types of information, including hostname, username, operating system version, and antivirus software details. It also queries UUID, motherboard serial number, and processor ID via WMI to generate a unique identifier for the infected device.

The collected device information is combined with identity information from the configuration data and subsequently sent to the "/[prefix]/auth" interface of the C2 server.


Persistence

Persistence operations are executed if the enable_app_path field in the persistence configuration is true, or if the trojan's file path does not match the specified path.

The Trojan has three persistence methods, determined by the startup_method field in the persistence configuration data. When the value is 1, it creates a scheduled task.

When the value is 2, it sets the RunOnce registry key.

When the value is 3, it creates an LNK file in the Startup directory.


C&C Communication

The trojan communicates with the C2 server using a combination of WebSocket and HTTP protocols:

| Trojan Operation | Network Protocol | Relevant Interface |
| --- | --- | --- |
| Establish communication connection with the server | HTTP | /[prefix]/auth |
| Send heartbeat packets to the server | HTTP | /[prefix]/status |
| Retrieve trojan instructions and transmit results | WebSocket | /[prefix]/stream |
| File upload and download | HTTP | Multiple interfaces |

First, the trojan attempts to establish a connection with the C2 server by sending the collected information to the "/[prefix]/auth" interface. A successful connection is confirmed if the server returns a specified response.

After connection establishment, the trojan periodically sends heartbeat packets to the "/[prefix]/status" interface of the C2 server. The device_token in the data packet is the unique identifier generated during the information collection phase.

In parallel, it establishes a WebSocket connection to the "/[prefix]/stream" interface of the C2 server.

By sending a getCommand message it retrieves trojan commands, and it sends an ack_command message once command execution is complete.

The Trojan command distribution function is sub_413EB0, which can also decide whether to enable or disable the command retrieval switch based on the input parameters.
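The split between the HTTP registration/heartbeat interfaces and the WebSocket "stream" interface is itself a usable detection signal: both channels share the same per-sample prefix. The following added example (not from the original report) correlates the two per host over a constructed proxy log; the log format, host names other than the C2 domain named above, and the ZIP file name are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy-log format (not from the report): "<ts> <host> <method> <path> upgrade=<value>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) upgrade=(\S+)$")
# StreamSpy paths are "/<prefix>/<leaf>"; the prefix is per-sample config, so any prefix is accepted.
PATH_RE = re.compile(r"^/(?P<prefix>[\w-]+)/(?P<leaf>[\w-]+)(?:/[^/]+)?$")
# Version 1.0.0.1 fetched C0V3RT payloads from a fixed, unprefixed path.
LEGACY_C0V3RT_RE = re.compile(r"^/sniperagent/cache/[^/]+$")
BEACON_LEAVES = {"auth", "status"}   # HTTP: registration and heartbeat
STREAM_LEAF = "stream"               # WebSocket: getCommand / ack_command channel

def find_streamspy_hosts(log_text):
    """Return {host: {"prefixes": [...], "legacy_c0v3rt": bool}} for hosts that show a
    WebSocket /<prefix>/stream plus HTTP /<prefix>/auth|status under the same prefix."""
    ws_prefixes = defaultdict(set)
    beacon_prefixes = defaultdict(set)
    legacy_hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        _ts, host, _method, path, upgrade = m.groups()
        if LEGACY_C0V3RT_RE.match(path):
            legacy_hosts.add(host)
            continue
        p = PATH_RE.match(path)
        if not p:
            continue
        prefix, leaf = p.group("prefix"), p.group("leaf")
        if leaf == STREAM_LEAF and upgrade.lower() == "websocket":
            ws_prefixes[host].add(prefix)
        elif leaf in BEACON_LEAVES:
            beacon_prefixes[host].add(prefix)
    hits = {}
    for host in set(ws_prefixes) | legacy_hosts:
        common = ws_prefixes[host] & beacon_prefixes[host]
        if common or host in legacy_hosts:
            hits[host] = {"prefixes": sorted(common), "legacy_c0v3rt": host in legacy_hosts}
    return hits

# Constructed sample log: one StreamSpy session plus two benign hosts that use only one channel.
SAMPLE_LOG = """\
2025-11-03T08:12:01Z www.mydropboxbackup.com POST /analytics/auth upgrade=-
2025-11-03T08:12:02Z www.mydropboxbackup.com GET /analytics/stream upgrade=websocket
2025-11-03T08:12:32Z www.mydropboxbackup.com POST /analytics/status upgrade=-
2025-11-03T08:15:10Z www.mydropboxbackup.com GET /sniperagent/cache/pkg.zip upgrade=-
2025-11-03T09:00:00Z cdn.example.net GET /api/status upgrade=-
2025-11-03T09:00:05Z chat.example.org GET /v2/stream upgrade=websocket
"""
```

A host using only a WebSocket "/stream" path, or only an HTTP "/status" path, is not flagged; the hit requires both channels under one prefix, which is what distinguishes StreamSpy's layout from ordinary API traffic.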

The Trojan commands and their corresponding functions are detailed as follows:

(1) Information type: terminal_input

Commands are passed through a pipe into the created shell process to achieve remote command execution.

(2) "F1A5C3": Downloads a file from a specified URL to a specified path, then calls ShellExecuteExW to open the file.

(3) "B8C1D2": Sets the shell for command execution to cmd.

(4) "E4F5A6": Sets the shell for command execution to powershell.

(5) "FL_SH1": Closes all shells.

(6) "C9E3D4", "E7F8A9", "H1K4R8", "C0V3RT"

These four commands download encrypted zip files from the C2 server, extract them, and call ShellExecuteExW to open the files within. These commands have four parameters: "zip_name", "zip_password", "location", and "folder".

The download URLs for these commands differ as follows:

| Trojan Command | Download File URL Path |
| --- | --- |
| C9E3D4 | /[prefix]/update/[zip_name] |
| E7F8A9 | /[prefix]/package/[zip_name] |
| H1K4R8 | /[prefix]/assets/[zip_name] |
| C0V3RT | /sniperagent/cache/[zip_name] |

(7) "F2B3C4": Retrieves information about all disks connected to the device, including file system, removability, total capacity, free capacity, etc.

(8) "D5E6F7"

This command performs file upload and download operations, with three command parameters: "file_path", "session_id", and "resume_offset". Files are uploaded to the server using the C2 server's "/[prefix]/sync" interface, and files are downloaded from the server using the "/[prefix]/fetch" interface.

(9) "A8B9C0"

This command also has file upload functionality, with three command parameters: "file_path", "session_id", and "file_size", using the "/[prefix]/sync" interface.

(10) "D1E2F3": Deletes a file.

(11) "A4B5C6": Renames a file.

(12) "D7E8F9": Enumerates a specified directory.


New Version of StreamSpy

The configuration information for the version 1.0.0.2 StreamSpy trojan samples is as follows, with the C2 server being "www.virtualworldsapinner[.]com:443" and the prefixes being "metrics" and "insights".

Compared to version 1.0.0.1, the version 1.0.0.2 of StreamSpy Trojan has minimal changes overall. The difference lies in the addition of the "cache" interface in the URL path configuration.

The download path for the subsequent payload in the Trojan command "C0V3RT" has changed from "/sniperagent/cache/[zip_name]" to "/[prefix]/cache/[zip_name]".


Attribution and Correlation

Through the StreamSpy trojan, we correlated other malicious software, including variants of the Patchwork group's Spyder downloader and samples from the Donot group, which have been publicly disclosed by security researchers earlier [1, 2].


Spyder Variants

The StreamSpy trojan's download site firebasescloudemail[.]com is associated with several Spyder variants, with relevant sample information as follows:

| MD5 | File Name | Digital Signature Information |
| --- | --- | --- |
| 0fe90212062957a529cba3938613c4da | vpn.exe | "Fidus Software Consulting Inc." |
| df626ce2ad3d3dea415984a9d3839373 | JuD NEW MARKAZ DETAILS.exe | "Fidus Software Consulting Inc." |

These samples also retrieve configuration information from HTML-type data in the resource section, with a decryption method similar to StreamSpy. They skip the first byte and then perform AES decryption, using the same decryption key as the StreamSpy Trojan.

The decrypted configuration data includes a C2 address "adobefileshare.com/getData" and a path containing the string "spyder".

The collected device information includes a victim identifier generated from disk volume information, along with the hostname, username, operating system version, and antivirus information, concatenated with some fields from the decrypted configuration data.

The collected information is sent to "hxxp://adobefileshare.com/getData" via a POST request. The server's response will contain a numeric string.

(1) If the number is non-zero and is neither 5 nor 6:

First, a POST request is sent to "hxxp://adobefileshare.com/getfilename" with the victim identifier UID as the request body. This request obtains the filename and extraction password of the encrypted ZIP file to be downloaded, separated by "!" in the response content. Then a request is sent to "hxxp://adobefileshare.com/download" to download the file, which is extracted, and the extracted file is executed using ShellExecuteA. This file download method is consistent with previous Spyder downloaders [3].

(2) If the number is 5: Commands are executed via powershell or cmd.

(3) If the number is 6: Trojan command distribution is performed.

The involved Trojan commands are as follows:

| Command | Description |
| --- | --- |
| listDrives | Retrieves information about all drives |
| listDirectory | Enumerates directory information |
| deleteFile | Deletes a file |
| renameFile | Renames a file |
| executeFile | Executes a file using CreateProcessW |
| downloadFile | Downloads a file |
| uploadFile | Uploads a file |

Taken together, the functionality of these three branches is essentially the same as the capabilities of the StreamSpy trojan.

Recently, another Spyder variant of the same type was discovered. This sample retains only the subsequent payload download functionality, removing the branches for shell command execution and Trojan command distribution. The C2 server is "azureinternalupdates.com".

| MD5 | File Name | Digital Signature Information |
| --- | --- | --- |
| 838e4d85346001dd04e11359b04c7c24 | Terrorist Financing through Digital Currency, Cryptocurrency 2025.exe | "Fidus Software Consulting Inc." |


Donot Group Samples

The digital signature of the StreamSpy Trojan (MD5: f78fd7e4d92743ef6026de98291e8dee) can be correlated to another sample, 20c9ac59c444625a7ee364b410da8f11. This malware collects device information, including CPU model, operating system product name and build number, username, hostname, and a list of installed software.

The collected information is encrypted and concatenated after "mopd=" and sent to "hxxps://brityservice.info/ZxStpliGBsfdutMawer/sIOklbgrTYULKcsdGBZxsfetmw".

The malware decides whether to download subsequent payloads based on the C2 server's response. The download URL for the subsequent payload is "hxxps://brityservice.info/ZxStpliGBsfdutMawer/lkhgBrPUyXbgIlErAStyilzsh/N1/SA".

This sample is highly similar to the samples used in previous attack activities by the Donot group [4], and the sharing of digital signatures between the Donot and Patchwork groups has been observed before [5].


Summary

The emergence of the StreamSpy trojan and the Spyder variants from the Mahagra (Patchwork) group indicates that the group is continuously iterating its arsenal of attack tools. In the StreamSpy trojan, the attackers attempt to use a WebSocket channel for command issuance and result feedback in order to evade detection and inspection of HTTP traffic. Additionally, the correlated samples further confirm that the Mahagra and Donot attack groups have some connection in terms of resource sharing.


Protection Recommendations

Qi'anxin Threat Intelligence Center reminds users to guard against phishing attacks: refrain from opening untrusted links shared on social media, clicking email attachments from unknown sources, running files with exaggerated titles, or installing apps from non-official channels. Ensure regular backups of important files and timely installation of security patches.

If you need to run or install untrusted applications, first verify them using Qi'anxin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page), which currently supports in-depth analysis of multiple file formats across Windows and Android platforms.

Currently, Qi'anxin's full range of products based on threat intelligence data—including Qi'anxin Threat Intelligence Platform (TIP), Tianqing Endpoint Security Management System, Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness—all support accurate detection of such attacks.




Reference Links

[1] https://x.com/malwrhunterteam/status/1985321347279626438

[2] https://x.com/malwrhunterteam/status/1986334542123159792

[3] https://ti.qianxin.com/blog/articles/analysis-of-new-variants-and-components-of-patchwork-spyder-downloader-cn/

[4] https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activity-of-the-apt-q-38-using-pdf-document-decoys-cn/

[5] https://ti.qianxin.com/blog/articles/patchwork-attack-weapons-reuse-the-infrastructure-of-the-donot-cn/
