149.txt

Threat Actor Background
Patchwork — also known as White Elephant, Hangover, Dropping Elephant, and internally tracked by QiAnXin as APT-Q-36 — is a threat actor widely believed to originate from South Asia. Their operations date back to November 2009 and have remained active for over a decade. The group primarily engages in cyber-espionage targeting Asian nations, with victims spanning government, military, energy, industrial, education/research, diplomatic, and economic sectors.

Donot Group — also known as Stomach and brain worm, internally tracked as APT-Q-38 — mainly targets Pakistan, Bangladesh, Sri Lanka, and other South Asian countries. Their campaigns involve espionage against government agencies, defense sectors, diplomatic institutions, and business executives, aiming to exfiltrate sensitive data. Donot possesses cross-platform capabilities for Windows and Android, and is known for using spear-phishing emails containing Office exploits, malicious macros, and malicious APKs to deliver payloads.

Incident Summary
QiAnXin Threat Intelligence Center disclosed Donot’s activities in late February [1] and continued monitoring related campaigns. It was discovered that Donot had hosted malware on the domain couldmailauth.com.

Recently, a new batch of samples using couldmailauth.com as a C&C server was captured. These samples are Spyder downloaders attributed to Patchwork, and notably, one of the samples is signed with the same digital certificate used in Donot samples. This strongly indicates a potential connection between these two South Asian APT groups.

Technical Analysis
Donot-Related Sample Details
MD5	Filename	Description
e39413d9a67acbc5df2d8b8c0a170f4b	ltr-2024055.ppt	Contains VBA macro, downloads DLL
8157be7acc05f719dc125d677133ca40	Reghjok_64.dll	Downloaded DLL payload

The malicious PPT can be downloaded from:
hxxps://viperdenx.info/2025/filezz/uploadz/ltr-2024055.ppt
Its VBA macro downloads a DLL from:
hxxp://couldmailauth.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll
The DLL is saved as:
%LocalAppdata%\SysIconTray.dll
and executed using:
rundll32.dll SysIconTray.dll,bostRebert
The DLL connects to C2 server: totalservices.info and exhibits functionality identical to previously reported sample PLAIN.dll [1].

Patchwork’s Spyder Downloader
The newly identified Spyder downloader samples are listed below:

Seq	MD5	Compile Time (UTC)	File Size
1	c13dfd03cbdd66c0d6d53eb55ba9d551	2025-02-04 19:22:09	3.80 MB
2	2f1c58c7214471c28283b9e161ceed1c	2025-02-15 00:23:23	80.99 MB
3	f8e30dad9130bbc04164dda4f31a1b23	2025-02-15 00:23:23	17.38 MB
4	4dfbc90129c9700bab397a59e0640648	2025-02-15 00:23:23	6.81 MB
5	6cf72a23f23f2f35106ed9db63df3474	2025-03-24 11:50:12	3.50 MB

Samples 2–4 are functionally identical but differ in size due to padding with null bytes in the .reloc section.
Sample 2 is also digitally signed.

Analysis of Sample 2 (2f1c58c7214471c28283b9e161ceed1c):

File disguised with a PPT icon

Digitally signed by Ebo Sky Tech Inc on 2025-02-16 07:52:57 UTC

Some config strings (C2 domain and URL) are XOR-encrypted

Key Behaviors
Creates a mutex to ensure single instance execution.

Remaps the .text section of several system DLLs.

Schedules tasks to execute at a fixed time on the following day, pointing to:
%LocalAppdata%\TREATE.exe
Also copies itself to that path.

C2 Communication
Communicates with:
/gxL5EumWANH46T3tjskyFB/pencil.php
Uses a custom HTTP header xfz to transmit Base64-encoded JSON, with some character replacements post-encoding.

The payload includes fixed fields:

"jhon": infected machine’s GUID

"sweep": string "0.0.0.1" (likely version identifier)

Purposes of C2 Interaction:
Check whether to collect system information

Retrieve information about follow-up payload packages

If the C2 response is "1", the sample proceeds to collect and report device data.

Before collection, the sample sends decoy traffic to api.github.com via curl, likely to blend with legitimate activity.

Collected data is placed in the "cargo" field of the JSON.

Summary
Donot and Patchwork, two historically separate South Asian APT groups, show signs of technical overlap and coordination, evidenced by:

Shared use of C2 infrastructure (couldmailauth.com)

Identical digital signatures on malware

The Donot sample relies on VBA in PPT to drop and execute a DLL

The Patchwork sample (Spyder downloader) uses XOR obfuscation, scheduled tasks, DLL remapping, and custom C2 communication

Their convergence may reflect resource sharing, joint campaigns, or consolidation under a broader umbrella APT entity

Organizations in Asia, especially in government, military, and diplomatic sectors, should review IOCs, monitor for suspicious traffic to the identified domains, and ensure their EDR systems are fully updated.

Collected Information
The following data types are collected by the malware:

Field Name	Description
spaceship	Hostname
lockmode	Username
tune	Operating system version
trunk	Configuration string from sample (value: "ZXF")
spool	Installed antivirus information

Downloading Follow-up Components
The sample then enters a loop to retrieve additional components. In each loop iteration:

Decoy traffic is sent to api.github.com.

A request is made to the C2 server endpoint:
/gxL5EumWANH46T3tjskyFB/pencil.php
If the server response is "0" or its length is ≤5, the sample sleeps and waits for the next iteration.

When valid response data is received, the sample extracts the following fields from it:

Field Name	Description
anon	Not used in the code
hand	Name of the ZIP archive to be downloaded
shake	Password to decrypt the ZIP archive

The sample then constructs a URL by appending the hand value to:
/gxL5EumWANH46T3tjskyFB/download.php?mname=
and sends a request to download a ZIP archive containing follow-up components.

The ZIP is temporarily saved in the %LocalAppdata% directory.

The contained .exe file is extracted to the COMMON_DOCUMENTS directory (C:\Users\Public\Documents).

It is then executed via a call to CreateProcessW.

Attribution and Link Analysis
The newly discovered Spyder sample shows minimal changes in code and functionality compared to earlier Patchwork Spyder variants [2]:

Same configuration structure

Uses the same decoy traffic to api.github.com for obfuscation

Remaps system DLL .text sections, sets one-time scheduled tasks, and communicates with the C2 in the same way

The main difference from 2024 samples is that key strings are now XOR-encrypted, rather than stored in plaintext.

A strong link between Patchwork and Donot is demonstrated by the reuse of digital signatures:

The Spyder sample (MD5: 2f1c58c7214471c28283b9e161ceed1c) is signed with the same certificate as a Donot sample (MD5: 893561ff6d17f1e95897b894dde29a2a), though the Donot signature was timestamped earlier (January 28, 2025).

The Donot PPT macro sample (MD5: e39413d9a67acbc5df2d8b8c0a170f4b) that downloads a DLL from couldmailauth.com was created on February 13, 2025, which is close to the compilation time of the Spyder sample on February 15, 2025.

These correlations suggest shared infrastructure or collaboration between the two groups during the same operation.

Conclusion
APT groups in South Asia have long exhibited overlaps in tactics and infrastructure. This investigation found that samples attributed to Donot and Patchwork share:

The same digital certificate

The same C2 domain (couldmailauth.com)

This points to two possible scenarios:

Both groups have access to a shared resource provider

Their operations are coordinated under a higher-level controlling entity

Defense Recommendations
QiAnXin Threat Intelligence Center advises all users to take the following precautions:

Be vigilant against phishing attacks

Do not click on suspicious links from social media

Avoid executing unknown attachments from emails

Do not run executables with sensational filenames

Refrain from installing APKs from unofficial sources

Regularly backup important files

Keep your systems patched and updated

If you must run suspicious files, use QiAnXin’s file analysis platform for in-depth inspection:
QiAnXin Sandbox

Supports detailed analysis for Windows, Android, and other formats.

QiAnXin’s full product suite — including Threat Intelligence Platform (TIP), SkyEye, Tianqing EDR, NGSOC, and Security Situational Awareness systems — has integrated precise detection mechanisms for this campaign.