← Back to Actors
Patchwork
PatchworkHangover GroupDropping ElephantChinastratsMONSOONOperation Hangover
[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in...
41
Techniques
40
Covered
1
Gaps
98%
Coverage
Coverage40/41
GAPS (1)
COVERED (40)
T1005Data from Local System47 det.T1021.001Remote Desktop Protocol53 det.T1027.001Binary Padding3 det.T1027.002Software Packing2 det.T1027.005Indicator Removal from Tools6 det.T1027.010Command Obfuscation38 det.T1033System Owner/User Discovery61 det.T1036.005Match Legitimate Resource Name or Location45 det.T1053.005Scheduled Task100 det.T1055.012Process Hollowing9 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1059.005Visual Basic69 det.T1070.004File Deletion43 det.T1074.001Local Data Staging10 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1102.001Dead Drop Resolver8 det.T1105Ingress Tool Transfer184 det.T1112Modify Registry203 det.T1119Automated Collection12 det.T1132.001Standard Encoding5 det.T1189Drive-by Compromise10 det.T1197BITS Jobs25 det.T1203Exploitation for Client Execution79 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1518.001Security Software Discovery10 det.T1547.001Registry Run Keys / Startup Folder53 det.T1548.002Bypass User Account Control84 det.T1553.002Code Signing4 det.T1555.003Credentials from Web Browsers16 det.T1559.002Dynamic Data Exchange1 det.T1560Archive Collected Data12 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1574.001DLL111 det.T1587.002Code Signing Certificates1 det.T1588.002Tool13 det.T1598.003Spearphishing Link312 det.