The Collage: Patchwork

← Home·Gallery·Techniques

Threat Intelligence Tarot

swords · 11

India (suspected)

G0040

★★★★★

risk 3/5

✦ The Collage ✦

Patchwork

Dropping Elephant · Chinastrats · Quilted Tiger · Monsoon

ChinaPakistanThink tanksUniversitiesClimate researchersDiplomats

Active since ~2009 · China surveillance, Pakistan intelligence, Climate and energy policy monitoring

It assembled itself from pieces - copy-pasted code, borrowed tools, recycled infrastructure. The Collage is less art than function: mismatched but operational, watching Chinese think tanks and Pakistani ministries with tools built from the internet's trash.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.002

Spearphishing Link

Initial Access

T1204.001

Malicious Link

Execution

T1059.001

PowerShell

Execution

T1036

Masquerading

Defense Evasion

T1113

Screen Capture

Collection

Notable Operations

◆Researchers accidentally infected own systems with BADNEWS RAT (2018)
◆Chinese state and academic institutions targeting
◆Climate conference researcher surveillance
◆South Asian diplomatic community compromise

Defenses

▸
Link filtering and browser isolation for email links
CIS Control 9 ↗
▸
PowerShell logging and constrained language mode
CIS Control 8 ↗
▸
Think-tank and academic sector threat intelligence sharing
NIST CSF: ID.RA ↗
▸
Screen capture and clipboard monitoring capabilities
NIST CSF: DE.CM ↗

Reversed: Their Weakness

Patchwork's most notable operational security failure was legendary: in 2018, researchers discovered the group had infected its own development machines with its own BADNEWS RAT, exposing operators' identities, their development environment, and their targeting lists.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Viper Next →The Long Shadow

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.