The StreamSpy Breach: Patchwork’s Stealthy New Trojan Targets Pakistan Defense
The hacking group known as Patchwork—also referred to as Dropping Elephant and Maha Grass—has once again come under scrutiny following a series of targeted attacks against Pakistan’s defense institutions. In its latest campaign, the group employed phishing emails carrying ZIP archives that concealed an MSBuild project. When executed, the project triggers a loader that installs Python-based malware on the victim’s system.
The malware is capable of connecting to a remote server, executing Python modules, running arbitrary commands, and facilitating file transfers. Throughout this campaign, the attackers relied on carefully layered obfuscation techniques, ranging from modified runtime environments to covert communication channels and multiple persistence mechanisms.
Since late 2025, the group has been associated with a new trojan dubbed StreamSpy. This previously unknown malware uses both WebSocket and HTTP protocols to separate command-and-control from file transfer operations: instructions are delivered via WebSocket, while files are intercepted and exfiltrated over HTTP.
Analysis conducted by the Chinese cybersecurity firm QiAnXin indicates that StreamSpy shares notable similarities with another malware strain known as Spyder, which is itself believed to be a modification of the WarHawk family linked to the SideWinder group. Patchwork’s use of Spyder has been observed as far back as 2023.
StreamSpy is distributed through archives with names such as “OPS-VII-SIR.zip,” hosted on the domain firebasescloudemail[.]com. The primary executable, Annexure.exe, collects system information and can establish persistence via the Windows registry, the task scheduler, or an LNK file placed in the startup folder. Communication with the command server is handled through two distinct channels: WebSocket and HTTP.
The malware’s capabilities include downloading and opening files, executing commands through various shells, gathering information about the file system and connected drives, transferring and deleting files, and enumerating the contents of specific directories. Certain commands retrieve encrypted ZIP archives, unpack them, and automatically execute their contents.
QiAnXin also observed that variants of Spyder with enhanced data-harvesting functionality were being distributed from the same resource. Moreover, the digital signature of Annexure.exe overlaps with that of another trojan, ShadowAgent, attributed to the DoNot group (also known as Brainworm). As early as November 2025, the 360 Threat Intelligence Center classified this executable as ShadowAgent.
According to Chinese analysts, the emergence of StreamSpy and the evolution of Spyder variants indicate that Maha Grass is actively expanding its malware arsenal. The use of WebSocket channels in StreamSpy can be interpreted as an attempt to evade traffic filtering and conceal command activity. Furthermore, the similarities between these samples suggest that Patchwork and DoNot are likely sharing tools, resources, and technical expertise.
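Because StreamSpy splits its traffic (commands over WebSocket, file transfer over plain HTTP) to the same server, one defensive angle is to correlate the two channels in proxy logs rather than inspecting either alone. The following is an added detection example, not code from the report or from QiAnXin: it parses a constructed, simplified proxy log format (timestamp, client, destination host, method, path, Upgrade header) and flags clients that open a WebSocket to a host and, within an assumed pairing window, also POST or PUT to that same host. The domain firebasescloudemail.com appears in the report; the log lines and IPs are made up for the demo.

```python
"""Heuristic: pair WebSocket handshakes with plain-HTTP uploads to the same host.
Added example with a constructed log format; tune the window to your environment."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real telemetry):
# <timestamp> <client> <dest host> <method> <path> <Upgrade header or "-">
SAMPLE_LOG = """\
2025-11-03T10:01:02Z 10.0.0.5 firebasescloudemail.com GET /ws websocket
2025-11-03T10:01:05Z 10.0.0.5 firebasescloudemail.com POST /upload -
2025-11-03T10:02:00Z 10.0.0.7 example.com GET /index.html -
2025-11-03T10:02:10Z 10.0.0.7 chat.example.com GET /socket websocket
2025-11-03T10:03:00Z 10.0.0.9 files.example.com POST /upload -
2025-11-03T10:40:00Z 10.0.0.7 chat.example.com POST /api -
"""

WINDOW_SECONDS = 600  # assumed pairing window between handshake and upload


def parse_line(line):
    """Split one constructed log line into a dict with a timezone-aware timestamp."""
    ts, src, dst, method, path, upgrade = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src": src, "dst": dst, "method": method.upper(),
            "path": path, "websocket": upgrade.lower() == "websocket"}


def find_split_channel_pairs(lines, window=WINDOW_SECONDS):
    """Return sorted (client, host) pairs where the client opened a WebSocket to the
    host and, within `window` seconds, also sent a non-WebSocket POST/PUT to it."""
    ws_times = defaultdict(list)    # (src, dst) -> WebSocket handshake times
    xfer_times = defaultdict(list)  # (src, dst) -> plain HTTP upload times
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["src"], ev["dst"])
        if ev["websocket"]:
            ws_times[key].append(ev["ts"])
        elif ev["method"] in ("POST", "PUT"):
            xfer_times[key].append(ev["ts"])
    hits = set()
    for key, handshakes in ws_times.items():
        for w in handshakes:
            if any(abs((x - w).total_seconds()) <= window for x in xfer_times.get(key, [])):
                hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    for src, dst in find_split_channel_pairs(SAMPLE_LOG.splitlines()):
        print(f"split-channel pattern: {src} -> {dst}")
```

In the sample, 10.0.0.7's WebSocket to chat.example.com and its POST 38 minutes later fall outside the 10-minute window and are not flagged, which illustrates why the window is the tuning knob for false positives from ordinary chat-style web apps.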