QiAnXin Threat Intelligence Research Center

Patchwork (APT-Q-36) is an Asia-focused espionage group active since 2009, now deploying a new Spyder downloader variant that distributes steganographic components for taking screenshots and collecting file information. The update introduces code structure changes and new C2 communication methods while preserving core downloader functionality.

#Patchwork #SpyderDownloader

Keypoints

  • Group name and alias: Patchwork (APT-Q-36); long-running actor tracked by QiAnXin.
  • Primary focus: cyber espionage against government, military, power, industry, research, education, diplomacy, and economy sectors in Asia.
  • New variant: Spyder downloader redesigned to distribute two steganographic components (screenshot and file information collection).
  • Components: IntelPieService.exe (screenshot component) and RstMwService.exe (file decryption component).
  • Masquerade and signing: downloader disguised with a Word document icon and digitally signed by Xi’an Qinxuntao Network Technology Co., Ltd.
  • Communication: C2 uses a custom JSON format; traffic spoofing observed (curl to retail.googleapis.com and api.github.com) and ZIP-based remote component delivery.
  • Defensive guidance: avoid phishing, use threat intelligence platforms for file analysis, and keep systems patched.

MITRE Techniques

  • [T1071] Command and Control – ‘Use of HTTP/S for communication with C2 servers.’
  • [T1119] Data Collection – ‘Collecting screenshots and file information from the infected device.’
  • [T1003] Credential Dumping – ‘Collecting device information including user IDs and operating system versions.’
  • [T1547] Persistence – ‘Setting up scheduled tasks to maintain persistence on the infected system.’

Indicators of Compromise

  • [MD5] 689c91f532482aeff84c029be61f681a, 887d76e305d1b2ac22a83a1418a9fc57, 47b4ed92cfc369dd11861862d377ae26, and 7 more hashes
  • [C2 Domain] onlinecsstutorials.com, firebaseupdater.com, and l0p1.shop
  • [IP] 93.95.230.16:80, 89.147.109.143:80
  • [URL] hxxp://onlinecsstutorials.com/soup/pencil.php, hxxp://onlinecsstutorials.com/soup/download.php?mname=, hxxp://onlinecsstutorials.com/soup/upsman.php, hxxp://l0p1.shop/ares/pencil.php, hxxp://l0p1.shop/ares/download.php?mname=, hxxp://firebaseupdater.com/gandalf/cane.php, hxxp://firebaseupdater.com/gandalf/download.php?mname=, hxxp://93.95.230.16/domcomtwit/hen.php, hxxp://89.147.109.143/lightway/hex.php
  • [Filename] IntelPieService.exe, RstMwService.exe, eac_launcher.exe, MsEngLU.dll
  • [Digital Signature] Xi’an Qinxuntao Network Technology Co., Ltd.; GJT AUTOMOTIVE LTD
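As an added example (not from the QiAnXin report), the following Python checks outbound proxy log lines against the domain, IP and URL indicators listed above, treating the download.php?mname= URLs as prefixes because the component name in the query varies; the log format and the sample entries are constructed assumptions, and the decoy request to retail.googleapis.com mentioned in the keypoints is deliberately left unflagged.

```python
import re
from urllib.parse import urlsplit

# Hosts from the IoC list above (the report defangs them as hxxp://).
IOC_HOSTS = {"onlinecsstutorials.com", "firebaseupdater.com", "l0p1.shop",
             "93.95.230.16", "89.147.109.143"}
# Exact C2 paths from the report.
IOC_PATHS = {"/soup/pencil.php", "/soup/upsman.php", "/ares/pencil.php",
             "/gandalf/cane.php", "/domcomtwit/hen.php", "/lightway/hex.php"}
# download.php is matched as a prefix: the mname= value names the fetched component.
IOC_PATH_PREFIXES = ("/soup/download.php?mname=", "/ares/download.php?mname=",
                     "/gandalf/download.php?mname=")

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return a short indicator tag for a URL, or None if nothing matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in IOC_HOSTS:
        return None
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    if path_q in IOC_PATHS:
        return f"c2-url {host}{path_q}"
    if path_q.startswith(IOC_PATH_PREFIXES):
        component = parts.query.partition("=")[2]
        return f"component-download {host}{parts.path} mname={component}"
    return f"c2-host {host}"  # known host, path not in the list: still worth triage


def scan_proxy_log(lines):
    """Return (client_ip, tag) for every parseable line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        tag = classify_url(url)
        if tag:
            hits.append((client, tag))
    return hits


# Constructed sample log; timestamps and client addresses are made up.
SAMPLE_LOG = """
2024-01-01T10:00:01Z 10.0.0.5 GET https://retail.googleapis.com/ 200
2024-01-01T10:00:02Z 10.0.0.5 GET http://onlinecsstutorials.com/soup/pencil.php 200
2024-01-01T10:00:03Z 10.0.0.5 GET http://onlinecsstutorials.com/soup/download.php?mname=IntelPieService 200
2024-01-01T10:00:04Z 10.0.0.7 POST http://89.147.109.143/lightway/hex.php 200
2024-01-01T10:00:05Z 10.0.0.9 GET http://firebaseupdater.com/ 404
""".strip().splitlines()
```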

Read more: https://ti.qianxin.com/blog/articles/analysis-of-new-variants-and-components-of-patchwork-spyder-downloader-en/