
2025-12-02 By 红雨滴团队 (RedDrip Team) | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered a new Trojan, StreamSpy, associated with the MahaCao group. This Trojan communicates with remote servers using a combination of WebSocket and HTTP. The Trojan retrieves commands and sends back operation results via the WebSocket channel, while HTTP is used for operations such as file transfers. This Trojan also shares some similarities with MahaCao's Spyder. Furthermore, other related samples further confirm resource-sharing connections between the MahaCao and DuNaoChong attack groups.
APT SOUTH ASIA PATCHWORK DONOT

2025-12-02 By 红雨滴团队 (RedDrip Team) | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered a new Trojan, StreamSpy, linked to the MahaCao (Patchwork) group. The Trojan communicates with its remote server using a combination of WebSocket and HTTP: it retrieves commands and returns operation results over the WebSocket channel, and uses HTTP for operations such as file transfers. The Trojan also shares some similarities with MahaCao's Spyder. In addition, other related samples once again confirm that the MahaCao and DuNaoChong (Donot) groups have some connection in terms of resource sharing.
APT SOUTH ASIA PATCHWORK DONOT

2025-07-11 By 红雨滴团队 (RedDrip Team) | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered that the Patchwork group's LNK attack samples downloaded decoy documents and follow-on payloads from a remote server whose domain name imitated that of a domestic university. The follow-on payload was a loader written in Rust, which used shellcode to decrypt a C# Trojan and load it in memory.
APT SOUTH ASIA PATCHWORK

2025-07-11 By 红雨滴团队 (RedDrip Team) | Incident Tracking

QiAnXin Threat Intelligence Center recently found that MahaCao (Patchwork) LNK attack samples download decoy documents and follow-on payloads from a remote server spoofing the domain name of a domestic university. The follow-on payload is a loader written in Rust that uses shellcode to decrypt a C# Trojan and load it in memory.
APT SOUTH ASIA PATCHWORK

2025-05-27 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Our continued tracking of the Donot group found that it had used couldmailauth.com to host malware. Recently, we captured another batch of samples that used this domain as their C&C server. These samples were Spyder downloaders of the Patchwork group, and one of them carried the same digital signature as a Donot sample. The reason may be that the two groups share the same resource provider behind them, or that the two groups act in unison under the coordination of a higher-level group.
APT SOUTH ASIA PATCHWORK DONOT

2025-05-26 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Our continued tracking of the DuNaoChong (Donot) group found that it had once used couldmailauth.com to host malware. Recently we captured another batch of samples using this domain as their C&C server; these samples are Spyder downloaders of the MahaCao (Patchwork) group, and one of them carries the same digital signature as a Donot sample. This may be because the two groups share the same resource provider behind them, or because both operate in a coordinated fashion under some higher-level organization.
APT SOUTH ASIA PATCHWORK DONOT

2024-08-23 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently, we discovered a new variant of the Patchwork group's Spyder downloader and observed attackers using Spyder to distribute two information-stealing components, used respectively to capture screenshots and to collect file information. Although the core function of the Spyder downloader has not changed (it still extracts follow-on components from a remotely downloaded encrypted ZIP package and executes them), some changes have been made to the code structure and the C2 communication format. The following is the attack process of the Spyder downloader and the stealer components discovered this time.
APT SOUTH ASIA PATCHWORK

2024-08-23 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently we found a new variant of the MahaCao (Patchwork) group's Spyder downloader and observed attackers using Spyder to deliver two information-stealing components, used respectively for screen capture and for collecting file information. Although the core function of the Spyder downloader is unchanged, still extracting follow-on components from a remotely downloaded encrypted ZIP archive and executing them, some changes have been made to the code structure and the C2 communication format. The following is the attack process of the Spyder downloader and the stealer components discovered this time.
APT SOUTH ASIA PATCHWORK

2023-07-05 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently, during routine sample tracking and analysis, the QiAnXin Threat Intelligence Center identified a batch of malicious samples linked to Patchwork. Surprisingly, the backdoor used by the attackers was not the typical Trojan previously associated with the Patchwork group. Coincidentally, foreign security researchers also discovered a few of these samples and named the backdoor "Spyder" based on information found in the command-and-control (C2) server login interface. They also noted similarities between the samples and the WarHawk backdoor. The latter was revealed in a report published by Zscaler in October of the previous year, and it is considered an offensive weapon of another South Asian APT group, Sidewinder. Based on the digital signatures used in early Spyder samples and their association with Remcos RAT samples, we are inclined to believe that the Patchwork group is behind these attacks. Furthermore, through an IP address, we discovered another lightweight C#-based backdoor used by the attackers.
PATCHWORK WARHAWK SPYDER

2018-07-27 By QiAnXin Threat Intelligence Center (奇安信威胁情报中心) | Incident Tracking

The Cisco Talos research team recently disclosed a targeted attack campaign against iOS users in India [1], but the original article did not clearly identify the background of the attack group. Combining internal threat intelligence data with the IOC information disclosed in that public report, QiAnXin Threat Intelligence Center correlated it with several pieces of public intelligence and found that the group behind this incident is very likely the "摩诃草" (MahaCao) group (also commonly known as Hangover, Patchwork, or Dropping Elephant), and analyzed the connections between this incident and Bahamut, disclosed by Bellingcat [2], and Confucius, disclosed by Trend Micro [3]. This report is an analysis of the relevant clues and background inferences. By the time our analysis and write-up were complete, the Cisco Talos research team had disclosed follow-up analysis that likewise mentioned the link to Bahamut [6].
MAHACAO (摩诃草) HANGOVER PATCHWORK DROPPING ELEPHANT APT APT-C-09 BAHAMUT CONFUCIUS
