Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests it may be a pro-Indian or Indian entity. Patchwork has been observed targeting diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns against U.S. think tanks in March and April of 2018.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10: High
≥ 3: Moderate
< 3: Low
Attribution signals
13 mentions · 5 sources
"Researchers at the US Naval War College and Tel Aviv University documented systematic Border Gateway Protocol (BGP) hijacking by China Telecom between 2016 and 2019, which redirected traffic from US, Canadian, and Scandinavian networks through Chinese infrastructure."
"In a single seven day period in January 2026, GTIG observed over 550 individual threat groups that we track utilizing IP addresses tracked as IPIDEA exit nodes to obfuscate their activities, including groups from China, DPRK, Iran and Russia."
"Russian and Chinese campaigns focused heavily on intelligence collection, telecommunications infrastructure, and persistent access operations designed to remain undetected over long periods of time"
"we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity"
"Spies working for Chinese intelligence are using job search and recruitment websites, including LinkedIn, to lure Western workers into sharing sensitive information, according to a joint advisory by the FBI, the U.K.'s security service MI5, and the governments of Australia, Canada, and New Zealand."
"While previous incidents involving massive redirection of internet traffic through China show Beijing is likely up to something similar, Ferguson claimed."
"It's likely to have been developed by Chinese nation-state actors."
"It's likely to have been developed by Chinese nation-state actors based on the TTPs observed."
"attacker tactics which are believed to be used by the majority of China-linked actors to obscure malicious cyber activity"
"Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors"
"China-nexus cyber actors have moved from using individually procured infrastructure to operating large scale "covert networks" – botnets built from compromised routers, and other edge devices."
"China's military intelligence services "ultimately seek to acquire privileged military, political and economic intelligence that can provide China with a strategic and tactical advantage over the Five Eyes,""
Hedge terms observed
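The scoring legend above (mentions × confidence weight, summed per source, boosted by source diversity, banded at ≥ 10 High, ≥ 3 Moderate, < 3 Low) and the hedge-terms heading describe a procedure without showing it. The following is an added example written for this page, not code from the site's own widget or from any source it cites. The thresholds come from the legend; the hedge vocabulary, the weights attached to each hedge class, the default weight for unhedged claims and the +10% per additional distinct source are assumptions chosen for illustration, and the sample sentences are constructed, not quotations from the page.

```python
import re
from collections import defaultdict

# Hedge vocabulary and the confidence weight each term implies. The page
# defines the score as mentions x confidence weight and lists the thresholds;
# the specific terms and weights below are assumptions for this example.
HEDGE_WEIGHTS = [
    (re.compile(r"\b(documented|confirmed|attributed to)\b", re.I), 1.0),                    # firm
    (re.compile(r"\b(likely|assess(es|ed)?|believed|suggest(s|ing)?)\b", re.I), 0.6),        # hedged
    (re.compile(r"\b(may|might|possibl(y|e)|claimed|up to something)\b", re.I), 0.3),        # weak
]
DEFAULT_WEIGHT = 0.5                           # assumption: unhedged but unconfirmed claim
THRESHOLDS = [(10, "High"), (3, "Moderate")]   # from the page's legend; below 3 is Low
DIVERSITY_BONUS = 0.1                          # assumption: +10% per additional distinct source

# Constructed sample: (source, sentence) pairs modelled on the kind of
# attribution statements the page lists. These are not quotes from the page.
SAMPLE_MENTIONS = [
    ("report-a", "It's likely to have been developed by nation-state actors."),
    ("report-a", "Tactics believed to be used by the majority of this group's operators."),
    ("report-b", "Researchers documented systematic hijacking by the operator between 2016 and 2019."),
    ("report-c", "Previous incidents show the group is likely up to something similar, the analyst claimed."),
    ("report-d", "The group operates large-scale covert networks of compromised routers."),
]


def hedge_terms(text):
    """Return the sorted set of hedge terms found in one attribution sentence."""
    found = set()
    for pattern, _weight in HEDGE_WEIGHTS:
        for match in pattern.finditer(text):
            found.add(match.group(0).lower())
    return sorted(found)


def confidence_weight(text):
    """Weight of a single mention. The weakest qualifier present wins: a sentence
    that is 'documented' but also says 'may' is still a hedged claim."""
    weights = [weight for pattern, weight in HEDGE_WEIGHTS if pattern.search(text)]
    return min(weights) if weights else DEFAULT_WEIGHT


def attribution_score(mentions, diversity_bonus=DIVERSITY_BONUS):
    """Sum of (mentions x weight) per source, then the diversity bonus on top."""
    per_source = defaultdict(float)
    for source, text in mentions:
        per_source[source] += confidence_weight(text)
    base = sum(per_source.values())
    extra_sources = max(len(per_source) - 1, 0)
    return base * (1 + diversity_bonus * extra_sources)


def rate(score):
    """Map a score onto the page's High / Moderate / Low bands."""
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return label
    return "Low"


def summarize(mentions):
    """Produce the figures the widget displays, plus the hedge terms observed."""
    score = attribution_score(mentions)
    terms = set()
    for _source, text in mentions:
        terms.update(hedge_terms(text))
    return {
        "mentions": len(mentions),
        "sources": len({source for source, _text in mentions}),
        "score": round(score, 2),
        "rating": rate(score),
        "hedge_terms": sorted(terms),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_MENTIONS))
```

Taking the weakest hedge in a sentence rather than the strongest is the conservative choice: it stops a source that says "documented ... but may" from scoring as a firm attribution. The diversity bonus is deliberately multiplicative so that five mentions from one blog never outweigh two independent reports, which is the property the legend's "higher source diversity" remark is asking for.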