Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Patchwork Group Unleashes StreamSpy Malware with WebSocket C2 Channel

6 January 2026 09:24

The Patchwork hacker group, also known as Dropping Elephant and Maha Grass, has returned to the spotlight after a series of targeted attacks on Pakistani defense facilities. In its latest campaign, the attackers used phishing emails carrying ZIP archives that concealed an MSBuild project. Once executed, the project launches a downloader that installs malware written in Python.

The malware can connect to a remote server, run Python modules, execute commands, and transfer files. The campaign used sophisticated stealth techniques, ranging from modified runtime environments to hidden communication channels and persistence methods.

Since late 2025, the group has been linked to the new StreamSpy Trojan. This previously unknown program uses the WebSocket and HTTP protocols to separate control from file transfer: server instructions are received over WebSocket, while file transfers are carried out over HTTP.

An analysis by the Chinese firm QiAnXin revealed that StreamSpy shares some similarities with another malware called Spyder, believed to be a variant of the WarHawk family associated with the SideWinder group. Spyder has been used by the Patchwork group since 2023.

StreamSpy is distributed in archives with names like “OPS-VII-SIR.zip”, hosted on the “firebasescloudemail[.]com” domain. The main executable, “Annexure.exe”, collects system information and establishes persistence on the system via the registry, Task Scheduler, or an LNK file in the Startup folder. Communication with the command-and-control server takes place over two channels: WebSocket and HTTP.
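The three persistence mechanisms named above (a registry Run key, a scheduled task, and an LNK file in the Startup folder) are the artefacts a defender would look for first. The following triage script is an added example, not code from the article or from QiAnXin's analysis; the event schema, field names, host names, and sample records are constructed for illustration and do not correspond to any particular EDR or Sysmon export. It flags each mechanism only when the launcher it points at lives in a user-writable location, which is where a downloader dropped by a phishing attachment typically ends up.

```python
"""Triage persistence events for the three mechanisms the article attributes to
StreamSpy: a registry Run key, a scheduled task, and an LNK file in the Startup
folder. Event schema, field names and sample records are constructed for this
example and do not correspond to any specific EDR or Sysmon export."""
import re

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Locations an unprivileged user can write to; a launcher living here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Documents|Desktop)\\|\\Windows\\Temp\\|\\ProgramData\\",
    re.I)

# Constructed sample events (hosts, paths and task names are made up).
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "WS-ACCT-07",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Roaming\Annexure.exe"},
    {"type": "task_created", "host": "WS-ACCT-07",
     "task": r"\Microsoft\Windows\Maintenance\SysCheck",
     "command": r'"C:\Users\alice\AppData\Local\Temp\svc.exe" -q'},
    {"type": "file_created", "host": "WS-ACCT-07",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk",
     "target": r"C:\Users\alice\Downloads\OPS-VII-SIR\Annexure.exe"},
    {"type": "registry_set", "host": "WS-ACCT-12",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "data": r"C:\Program Files\Vendor\tray.exe"},
    {"type": "file_created", "host": "WS-ACCT-12",
     "path": r"C:\Users\alice\Documents\notes.txt", "target": ""},
]


def launcher_path(command: str) -> str:
    """Return the executable portion of a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify(event: dict):
    """Return a reason string when the event is a persistence artefact whose
    launcher sits in a user-writable location; otherwise return None."""
    kind = event["type"]
    if kind == "registry_set" and RUN_KEY_RE.search(event["key"]):
        if USER_WRITABLE_RE.search(launcher_path(event["data"])):
            return "run-key -> user-writable path"
    elif kind == "task_created":
        if USER_WRITABLE_RE.search(launcher_path(event["command"])):
            return "scheduled-task -> user-writable path"
    elif kind == "file_created" and STARTUP_DIR_RE.search(event["path"]):
        if USER_WRITABLE_RE.search(event.get("target", "")):
            return "startup-lnk -> user-writable path"
    return None


def triage(events):
    """Run classify() over every event and collect the ones worth a closer look."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append({"host": ev["host"], "type": ev["type"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script reports the three WS-ACCT-07 artefacts and stays silent on the vendor tray application under Program Files and on the unrelated document, which is the signal-to-noise trade-off the user-writable check is there to make.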

The malware’s capabilities include downloading and opening files, executing commands via various shells, gathering information about the file system and connected drives, transferring and deleting files, and viewing the contents of specific folders. Some commands download encrypted ZIP files, unzip them, and automatically execute the contents.

QiAnXin also found Spyder variants with extended data-collection capabilities hosted on the same infrastructure. The digital signature on “Annexure.exe” matches that of another Trojan, ShadowAgent, attributed to the DoNot group (also known as Brainworm). In November 2025, the 360 Threat Analysis Center classified this executable as ShadowAgent.

According to Chinese researchers, the appearance of variants of StreamSpy and Spyder indicates that Maha Grass is actively developing its malware.

StreamSpy’s use of WebSocket channels can be read as an attempt to bypass traffic filtering and conceal command activity. The similarity of the samples further indicates that Patchwork and DoNot likely share resources and tooling.
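The traffic split described earlier (commands over WebSocket, file transfer over HTTP) and the filtering-evasion point made here suggest a simple correlation a defender can run over proxy logs: a destination that accepts a WebSocket upgrade and then also receives sizeable HTTP POST bodies, without being a known WebSocket service. The script below is an added example written for this article, not code from the original or from QiAnXin; the log format, host names, the allowlist and the byte threshold are all constructed assumptions, and the destinations use the reserved `.invalid` TLD so none of them resolve.

```python
"""Correlate proxy log lines to surface the traffic split the article attributes
to StreamSpy: a WebSocket upgrade to a destination that also receives HTTP POST
uploads. The log format, hostnames, allowlist and records below are constructed
for this example; nothing here is taken from the article's indicators."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format:
# timestamp src_host method dest_host status upgrade_header request_bytes
SAMPLE_LOG = """\
2026-01-06T09:00:01Z WS-ACCT-07 GET ws.example-cdn.invalid 101 websocket 0
2026-01-06T09:00:05Z WS-ACCT-07 POST ws.example-cdn.invalid 200 - 524288
2026-01-06T09:00:09Z WS-ACCT-07 POST ws.example-cdn.invalid 200 - 786432
2026-01-06T09:01:00Z WS-ACCT-12 GET chat.example-corp.invalid 101 websocket 0
2026-01-06T09:01:30Z WS-ACCT-12 POST chat.example-corp.invalid 200 - 409600
2026-01-06T09:02:00Z WS-ACCT-03 POST upload.example-files.invalid 200 - 1048576
2026-01-06T09:03:00Z WS-ACCT-03 GET www.example-news.invalid 200 - 0
"""

# Constructed allowlist of destinations known to use WebSockets legitimately.
KNOWN_WEBSOCKET_SERVICES = {"chat.example-corp.invalid"}


@dataclass
class DestStats:
    """Per-destination counters accumulated while walking the log."""
    websocket_upgrades: int = 0
    post_count: int = 0
    post_bytes: int = 0
    sources: set = field(default_factory=set)


def parse_line(line: str) -> dict:
    """Split one whitespace-separated log line into typed fields."""
    ts, src, method, dest, status, upgrade, nbytes = line.split()
    return {"ts": ts, "src": src, "method": method, "dest": dest,
            "status": int(status), "upgrade": upgrade, "bytes": int(nbytes)}


def correlate(log_text: str, allowlist=KNOWN_WEBSOCKET_SERVICES,
              min_upload_bytes: int = 256 * 1024) -> list:
    """Return one finding per destination that (a) accepted a WebSocket upgrade
    (HTTP 101 with Upgrade: websocket), (b) also received POST bodies totalling
    at least min_upload_bytes, and (c) is not an allowlisted WebSocket service."""
    stats = defaultdict(DestStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["dest"]]
        s.sources.add(rec["src"])
        if rec["status"] == 101 and rec["upgrade"].lower() == "websocket":
            s.websocket_upgrades += 1
        elif rec["method"] == "POST":
            s.post_count += 1
            s.post_bytes += rec["bytes"]

    findings = []
    for dest, s in sorted(stats.items()):
        if dest in allowlist:
            continue
        if s.websocket_upgrades and s.post_count and s.post_bytes >= min_upload_bytes:
            findings.append({"dest": dest, "sources": sorted(s.sources),
                             "websocket_upgrades": s.websocket_upgrades,
                             "post_count": s.post_count, "post_bytes": s.post_bytes})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

On the constructed log only `ws.example-cdn.invalid` is reported: the corporate chat host shows the same pattern but is allowlisted, and the file-upload host never performed a WebSocket upgrade. The allowlist is what keeps this usable in practice, since collaboration tools produce exactly this shape of traffic all day.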

Bajram Zeqiri is an expert in cybersecurity, cyber threat intelligence, and digital forensics with over twenty years of experience, combining technical expertise and strategic vision to build cyber resilience for SMEs. Founder of ParagonSec and a technical contributor for Red Hot Cyber, he works in the delivery and design of various cyber services, including SOC, MDR, Incident Response, Security Architecture, Engineering, and Operations. He helps SMEs transform cybersecurity from a cost center into a strategic business enabler.
Areas of Expertise: Cyber threat intelligence, Incident response, Digital forensics, Malware analysis, Security architecture, SOC/MDR operations, OSINT research