
Redazione RHC: 3 December 2025 07:24
The Patchwork cyber espionage group — also known as Hangover or Dropping Elephant and internally tracked by QiAnXin as APT-Q-36 — has been active since 2009 and is believed to be linked to South Asia.
Over the years, it has targeted government agencies, the military, research institutions, diplomacy, industry, and educational institutions in several Asian countries, conducting large-scale intelligence gathering operations.
The QiAnXin Threat Intelligence Center has identified a new Trojan attributed to the Maha Grass organization, which uses a combination of the WebSocket and HTTP protocols to communicate with its command and control servers. The malware, dubbed StreamSpy, retrieves instructions over a WebSocket connection whose endpoint path contains the word “stream”, while using HTTP primarily for file transfers. Some of its technical components are reminiscent of the Spyder downloader, already linked to the same organization.
| MD5 | File name | Description |
|---|---|---|
| 1c335be51fc637b50d41533f3bef2251 | OPS-VII-SIR.zip | A zip file containing the StreamSpy Trojan. |
| f78fd7e4d92743ef6026de98291e8dee | Annexure.exe | StreamSpy Trojan, version 1.0.0.1 |
| e0ac399cff3069104623cc38395bd946 | List of officials nominated for the 2025-2026 awards.zip | A zip file containing the StreamSpy Trojan. |
| c3c277cca23f3753721435da80cad1ea | List of officials nominated for the 2025-2026 awards. | StreamSpy Trojan, version 1.0.0.2 |
| e4a7a85feff6364772cf1d12d8153a69 | – | StreamSpy Trojan, version 1.0.0.2 |
Among the analyzed samples are compressed archives containing executable files disguised as PDF documents, such as “OPS-VII-SIR.zip”, which comes from the domain firebasescloudemail[.]com. It contains version 1.0.0.1 of StreamSpy, which upon startup extracts an encrypted configuration file in JSON format from its resource area. This configuration file includes C2 servers, network parameters, and persistence options. The C2 server detected in this variant is “www.mydropboxbackup[.]com:443”.
Once active, the malware collects a wealth of information about the infected system: hostname, user, operating system version, antivirus software, and various hardware identifiers obtained via WMI, such as the UUID and motherboard serial number. This data is combined with the identity information in the configuration and sent to the “/[prefix]/auth” path on the control server.
Persistence is achieved only if enabled in the configuration or if the Trojan detects that it is not located in the expected path. There are three possible methods: creating scheduled tasks, modifying the RunOnce registry key, or generating LNK files in the startup folder. Once the connection to the C2 is established, the malware sends periodic heartbeats to the “/[prefix]/status” interface and opens a WebSocket channel to “/[prefix]/stream”, through which it receives commands and sends the output of the executed operations.
StreamSpy supports numerous instructions, including executing shell commands, downloading and opening files, changing the default shell (cmd or PowerShell), closing active sessions, extracting encrypted archives downloaded from the C2, and various file and directory operations. Upload and download functions using the “/sync” and “/fetch” interfaces are also present. Version 1.0.0.2, linked to the “www.virtualworldsapinner[.]com” domain, introduces only an additional URL path (“/cache”), with no other substantial changes.
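The beaconing pattern described above (registration on “/[prefix]/auth”, periodic “/[prefix]/status” heartbeats, then a WebSocket upgrade to “/[prefix]/stream” on the same host and under the same prefix) is a detectable shape in proxy or web logs. The script below is an added example for defenders, not code from the QiAnXin report or from the malware. It assumes a simple space-separated proxy log format (timestamp, client IP, method, host, path, value of the HTTP Upgrade header) and uses the C2 domains named in the article; the log lines themselves, the client addresses and the prefix “a1b2” are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint names the report lists under the per-sample "[prefix]" ("cache" appears in 1.0.0.2 only).
STREAMSPY_ENDPOINTS = {"auth", "status", "stream", "sync", "fetch", "cache"}
# The minimum set that shows a completed registration followed by an opened command channel.
CORE_SET = {"auth", "status", "stream"}

# C2 hosts named in the report, kept defanged; refang() normalises them before matching.
KNOWN_C2_HOSTS = {
    "www.mydropboxbackup[.]com",
    "www.virtualworldsapinner[.]com",
}

# Constructed sample log (not from the report): ts client method host path upgrade-header
SAMPLE_LOG = """\
2025-12-01T08:00:01Z 10.0.0.12 POST www.mydropboxbackup.com:443 /a1b2/auth -
2025-12-01T08:00:31Z 10.0.0.12 GET www.mydropboxbackup.com:443 /a1b2/status -
2025-12-01T08:01:01Z 10.0.0.12 GET www.mydropboxbackup.com:443 /a1b2/status -
2025-12-01T08:01:02Z 10.0.0.12 GET www.mydropboxbackup.com:443 /a1b2/stream websocket
2025-12-01T08:02:10Z 10.0.0.12 POST www.mydropboxbackup.com:443 /a1b2/sync -
2025-12-01T08:05:00Z 10.0.0.40 GET www.example.com /api/status -
2025-12-01T08:05:30Z 10.0.0.40 GET chat.example.com /socket/stream websocket
2025-12-01T08:06:00Z 10.0.0.55 GET legit.example.net /v2/auth -
2025-12-01T08:07:00Z 10.0.0.60 POST app.example.org /x/auth -
2025-12-01T08:07:30Z 10.0.0.60 GET app.example.org /x/status -
2025-12-01T08:08:00Z 10.0.0.60 GET app.example.org /x/stream -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<upgrade>\S+)$"
)
PATH_RE = re.compile(r"^/(?P<prefix>[^/]+)/(?P<endpoint>[^/?]+)$")


def refang(host: str) -> str:
    """Turn a defanged indicator (or a logged host:port) into a bare lowercase hostname."""
    return host.replace("[.]", ".").lower().split(":")[0]


def parse_line(line: str):
    """Parse one constructed proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = refang(rec["host"])
    rec["upgrade"] = rec["upgrade"].lower()
    return rec


def find_streamspy_sessions(lines, known_hosts=KNOWN_C2_HOSTS):
    """Return one finding per (client, host) that contacted a known C2 or showed the
    auth/status + WebSocket-stream shape under a single prefix."""
    known = {refang(h) for h in known_hosts}
    # (client, host) -> prefix -> {"endpoints": set, "ws_stream": bool}
    sessions = defaultdict(lambda: defaultdict(lambda: {"endpoints": set(), "ws_stream": False}))
    contacted_known = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in known:
            contacted_known.add((rec["client"], rec["host"]))
        pm = PATH_RE.match(rec["path"])
        if not pm or pm["endpoint"] not in STREAMSPY_ENDPOINTS:
            continue
        state = sessions[(rec["client"], rec["host"])][pm["prefix"]]
        state["endpoints"].add(pm["endpoint"])
        # The report describes /stream as a WebSocket channel, so require the Upgrade header.
        if pm["endpoint"] == "stream" and rec["upgrade"] == "websocket":
            state["ws_stream"] = True

    findings = []
    for (client, host) in sorted(contacted_known | set(sessions)):
        reasons = []
        if (client, host) in contacted_known:
            reasons.append("contact with known StreamSpy C2 host")
        for prefix, state in sessions[(client, host)].items():
            if CORE_SET <= state["endpoints"] and state["ws_stream"]:
                reasons.append(f"auth/status plus WebSocket stream under prefix /{prefix}/")
        if reasons:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_streamspy_sessions(SAMPLE_LOG.splitlines()):
        print(f["client"], f["host"], "->", "; ".join(f["reasons"]))
```

The endpoint-shape rule only fires when all three core paths share one host and one prefix and the stream request carried a WebSocket upgrade, so the second client (status and stream on different hosts) and the fourth (stream over plain HTTP) are not flagged; a real deployment would add the heartbeat cadence and the binary download paths as further signals.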
Analysis also revealed connections to other malware already associated with Maha Grass, including variants of Spyder. Some samples digitally signed by “Fidus Software Consulting Inc.”, downloaded from domains such as adobefileshare[.]com, use the same configuration encryption methods and share similar operational structures, including information gathering and encrypted zip payload delivery functions. Similar functionality was also detected in an additional sample linked to the Donot gang and previous Gastrobrain group campaigns.
| MD5 | File name | Digital signature |
|---|---|---|
| 0fe90212062957a529cba3938613c4da | vpn.exe | “Fidus Software Consulting Inc.” |
| df626ce2ad3d3dea415984a9d3839373 | JuD NEW MARKAZ DETAILS.exe | “Fidus Software Consulting Inc.” |
Observations from the QiAnXin Center indicate a continued evolution of the Maha Grass group’s arsenal. The adoption of WebSockets as the primary channel for command exchange appears to be aimed at reducing the possibility of interception compared to HTTP traffic alone. Analysis of digital signatures and the servers used also suggests a certain level of infrastructure and tool sharing with other groups in the area, such as DuNaoChong.
The report concludes by recalling the importance of essential preventative measures: be wary of links and attachments from unverified sources, avoid installing software obtained from unofficial channels, perform regular backups, and install patches and updates to reduce the attack surface exploitable by threats of this type.
Redazione