APT Report: How we caught Patchwork with Cyber Deception

APT Report: How we caught Patchwork with Cyber Deception

Patchwork is a targeted threat that was disclosed by Cymmetria’s research team last Thursday. Patchwork has affected about 2,500 targets worldwide since December 2015.

The threat actor shows a high interest in Southeast Asia, targeting individuals employed by governments and government-related organizations, specifically those dealing with political and military aspects relating to the region. While the attack is global, including targets in the US, Europe, and the Middle East, many of the target countries are in the area surrounding the Indian subcontinent.

One of the interesting aspects of the report is that it is the first targeted threat captured using a commercial deception product. Using Cymmetria’s MazeRunner, we were able to capture the attacker’s second stage toolset and malware, as well as observe lateral movement activity.

Download MazeRunner Community Edition Today!


To achieve this, we created data on the targeted endpoint. The data was picked up by the threat actor after infecting the system. Thus, when lateral movement was attempted, the threat actor followed our breadcrumbs and connected to an SMB backup decoy, as well as an RDP decoy running in the cloud.

The threat actor’s operation is of impresive scale, especially due to the technical capability displayed, which was low to say the least. The threat actor’s malware and toolset were largley constructed from code taken from various online forums and GitHub projects. This is how it received its name: Patchwork- the copy-paste APT. In fact, it would be more appropriate to call this a targeted attack, rather than an ATP, since it wasn’t what we would consider to be “advanced”.

We do not have enough information available to be able to determine attribution. That said, all the information we do have points to the possibility of the threat actor being Indian, or at the very least pro-India. For example, below you can see a time zone map of the threat actor’s working hours, as broken down by daytime hours, assuming a working day of 9am to 7pm.



This investigation was very exciting, and we hope you will find the report we created useful. We also released IoC’s in CSV and STIX formats, along with the MazeRunner campaign file, on Cymmetria Research’s GitHub.


Gadi is the Founder and CEO of Cymmetria. Prior to founding Cymmetria, he was VP of Cybersecurity Strategy for Kaspersky Lab, led PwC’s Cyber Security Center of Excellence (located in Israel), and was CISO of the Israeli government’s Internet operations. Gadi is widely recognized for his work in Internet security operation and global incident response, and is considered the first botnet expert. He is currently Chairman of the Israeli CERT.

Share this:


Scroll to Top