🇮🇳 Patchwork
🇮🇳 Patchwork is a tracked threat actor in the Clankerusecase corpus. Attributed to IN. Primary motivation: State. We map 24 detection use cases to this actor across 51 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2026-02-12 to 2026-03-24.
crit 1 · med 1
24 use cases · 2 articles · 51 techniques · 0 IOCs
Known aliases
Patchwork · Dropping Elephant · Chinastrats · Quilted Tiger · Hangover Group · MONSOON · Operation Hangover
Top techniques
All other tracked techniques
T1003 · OS Credential Dumping
T1003.001 · LSASS Memory
T1005 · Data from Local System
T1021.001 · Remote Desktop Protocol
T1027.001 · Binary Padding
T1027.002 · Software Packing
T1027.005 · Indicator Removal from Tools
T1027.010 · Command Obfuscation
T1033 · System Owner/User Discovery
T1036.005 · Match Legitimate Resource Name or Location
T1053.005 · Scheduled Task
T1055.012 · Process Hollowing
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1070.004 · File Deletion
T1074.001 · Local Data Staging
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1102.001 · Dead Drop Resolver
T1105 · Ingress Tool Transfer
T1112 · Modify Registry
T1119 · Automated Collection
T1132.001 · Standard Encoding
T1189 · Drive-by Compromise
T1195.002 · Compromise Software Supply Chain
T1197 · BITS Jobs
T1203 · Exploitation for Client Execution
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1218 · System Binary Proxy Execution
T1219 · Remote Access Tools
T1486 · Data Encrypted for Impact
T1518.001 · Security Software Discovery
T1547.001 · Registry Run Keys / Startup Folder
T1548.002 · Bypass User Account Control
T1553.002 · Code Signing
T1555.003 · Credentials from Web Browsers
T1559.002 · Dynamic Data Exchange
T1560 · Archive Collected Data
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1574.001 · DLL
T1587.002 · Code Signing Certificates
T1588.002 · Tool
T1598.003 · Spearphishing Link
T1680 · Local Storage Discovery
Detection use cases (24)
Patchwork (Dropping Elephant) CVE-2017-11882 EQNEDT32.EXE → script/LOLBin child chain
Patchwork BadNews dead-drop resolver — non-browser fetch from public paste/code-hosting C2 caches
Remote service execution — PsExec / SMB lateral movement
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard
Phishing-link click correlated to endpoint execution
Email attachment opened from external sender
Office app spawning script/LOLBin child process
Remote service execution — PsExec / SMB lateral movement
Ransomware-style mass file rename / extension change
LSASS process access / dump (credential theft)
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard
Trusted vendor binary / installer launching unusual children
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload)
Developer package install spawning script-host with non-registry C2 within 5 minutes
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress
Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes
npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules
OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay
Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access
Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes
Threat-intel articles (2)
med · Cloud workload security: Mind the gaps · 2026-03-24