India-linked Patchwork APT targets Chinese research orgs with EyeShell backdoor

An India-based threat actor has been observed targeting universities and research organizations in China with a new backdoor called "EyeShell." The findings come from the Knownsec 404 Advanced Threat Intelligence Team, which has been tracking the Patchwork APT for the past two years.

Patchwork, also known as Dropping Elephant, Chinastrats, Monsoon, Sarit, Quilted Tiger, APT-C-09, and Zinc Emerson, is an Indian cyber-espionage group that has been active since at least December 2015. Its targets are high-profile entities such as foreign embassies and diplomatic offices in Pakistan, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia, and the US, with a particular focus on China.

In the most recent campaign, the group has been observed deploying the EyeShell backdoor alongside its custom Badnews implant on compromised systems.

EyeShell is a .NET-based modular backdoor that establishes contact with a remote command-and-control (C2) server and executes operator commands: enumerating files and directories, downloading and uploading files to and from the host, executing a specified file, deleting files, and capturing screenshots.

Earlier this year, Facebook parent Meta disrupted a cyber-espionage operation linked to Patchwork, removing about 50 Facebook and Instagram accounts attributed to the group. The operation targeted people in Pakistan, India, Bangladesh, Sri Lanka, the Tibet region, and China, including military personnel, activists, and minority groups.
