Hacker group Patchwork using EyeShell backdoor to target research organizations


Threat actors linked to the hacking crew Patchwork have been found targeting universities and research organizations in China in a recent campaign.

The KnownSec 404 Team discovered the use of a backdoor named EyeShell in this activity.


Patchwork, also known as Operation Hangover and Zinc Emerson, is believed to operate on behalf of India. The group has been active since at least December 2015, focusing its attacks on Pakistan and China and delivering custom implants such as BADNEWS through spear-phishing and watering hole attacks.

This group shares similarities in tactics with other Indian cyber-espionage groups, including SideWinder and the DoNot Team.

Patchwork playing identity switch

Earlier this year, Meta (formerly Facebook) took down 50 accounts on Facebook and Instagram operated by Patchwork. The group had exploited rogue messaging apps on the Google Play Store to gather data from victims in various countries, including Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

Patchwork used fake personas to trick people into clicking on malicious links and downloading harmful apps. They even created a fake review website to promote their own malicious chat app as the top-ranked communication app.

Under the ModifiedElephant moniker, Patchwork’s activities have also targeted human rights activists, academics, and lawyers in India. These attacks involved long-term surveillance and the planting of “incriminating digital evidence” related to the 2018 Bhima Koregaon violence in Maharashtra.

What’s EyeShell?

EyeShell, found alongside BADNEWS, is a .NET-based modular backdoor that communicates with a remote command-and-control server. It can execute a range of commands, such as enumerating files and directories, downloading and uploading files to and from the host, executing specified files, deleting files, and capturing screenshots.

“We have reason to guess that the backdoor is used with BADNEWS; the backdoor uses the namespace Eye. To facilitate subsequent tracking and differentiation, we call this backdoor EyeShell according to the namespace,” the KnownSec 404 Team researchers wrote in their Medium post.


Concluding thoughts

Patchwork appears to take an integrated and carefully crafted approach to its cyber espionage campaigns. Its targeting is also limited to a handful of countries. The only practical way to counter it is through vigilance and sound security measures.

Author: PureVPN

Date: August 1, 2023
