NEWS ZIP Archive and Hidden MSBuild: What Makes Up the New Attack on Military Targets That Antiviruses Missed

ExcalibuR

While intelligence agencies were hunting for sophisticated malware, spies simply walked through the front door.

The hacking group Patchwork, also known as Dropping Elephant and Maha Grass, has once again come under the spotlight after a series of targeted attacks on Pakistani defense structures. In their latest campaign, the attackers used phishing emails containing ZIP archives, which hid an MSBuild project. Upon execution, it triggers a loader that installs malware written in Python.
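A defender-side triage check for the delivery vector described above (an MSBuild project hidden inside a ZIP attachment), added here as an example that is not part of the original article and not any vendor's tooling: it opens an archive in memory, sniffs each entry for XML regardless of its file extension, and reports entries whose root element is an MSBuild `Project`, noting any `UsingTask` that declares an inline-code task factory. The archive, entry names and XML are constructed samples; the MSBuild namespace and the `CodeTaskFactory`/`RoslynCodeTaskFactory` names are real MSBuild identifiers, and the thresholds are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Classic MSBuild project namespace (SDK-style projects may omit it).
MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
# Task factories that let a project file carry compilable source inline.
# Flagging them is a heuristic chosen for this example, not a rule from the article.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# Elements that only make sense directly under an MSBuild <Project>.
MSBUILD_CHILDREN = {"Target", "UsingTask", "PropertyGroup", "ItemGroup", "Import"}
MAX_ENTRY_BYTES = 1_000_000  # assumed cap: skip huge entries during triage


def _localname(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def inspect_xml(entry_name, data):
    """Return a finding dict if `data` parses as an MSBuild project, else None."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    if _localname(root.tag) != "Project":
        return None
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    looks_like_msbuild = (
        ns == MSBUILD_NS
        or "Sdk" in root.attrib
        or any(_localname(child.tag) in MSBUILD_CHILDREN for child in root)
    )
    if not looks_like_msbuild:
        return None
    targets = [t.get("Name", "") for t in root.iter() if _localname(t.tag) == "Target"]
    inline = [
        u.get("TaskFactory")
        for u in root.iter()
        if _localname(u.tag) == "UsingTask" and u.get("TaskFactory") in INLINE_TASK_FACTORIES
    ]
    return {"entry": entry_name, "targets": targets, "inline_task_factories": inline}


def scan_archive(zip_bytes):
    """Scan every file in a ZIP (held in memory) and list MSBuild project findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            data = zf.read(info)
            # Sniff content, not extension: MSBuild will load a project under any name.
            if not data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<"):
                continue
            finding = inspect_xml(info.filename, data)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample archive: one harmless text file and one MSBuild project
# (attribute-only UsingTask, no code body) under a non-project extension.
SAMPLE_PROJECT = b"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="ConstructedTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="placeholder.dll" />
  <Target Name="Build">
    <Message Text="constructed sample, does nothing" />
  </Target>
</Project>
"""


def build_sample_zip():
    """Build the constructed ZIP in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed readme, plain text")
        zf.writestr("attachment.txt", SAMPLE_PROJECT)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_zip()):
        print(f"MSBuild project in {f['entry']}: targets={f['targets']} "
              f"inline={f['inline_task_factories']}")
```

For a mail-gateway or sandbox deployment, swap `xml.etree` for `defusedxml` so a hostile attachment cannot use entity-expansion tricks against the scanner itself, and treat any MSBuild project arriving as an e-mail attachment as worth an analyst's look whether or not an inline task factory is present.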

The malware can connect to a remote server, run Python modules, execute commands, and facilitate file exchange. This campaign employed meticulous obfuscation techniques — ranging from modified runtime environments to covert communication channels and persistence methods.

Since late 2025, the group has been linked to a new Trojan named StreamSpy. This previously unknown program uses WebSocket and HTTP protocols to separate command and control from file transfer. Instructions from the server are received via WebSocket, while files are intercepted and sent via HTTP.

Analysis conducted by the Chinese company QiAnXin revealed that StreamSpy shares similarities with another malware called Spyder, which is itself considered a modification of the WarHawk family associated with the SideWinder group. The use of Spyder by the Patchwork group has been documented since 2023.

StreamSpy is distributed via archives with names like "OPS-VII-SIR.zip," hosted on the domain "firebasescloudemail[.]com". The main executable file — "Annexure.exe" — collects system information and can achieve persistence through the registry, Task Scheduler, or an LNK file in the startup folder. Communication with the command and control server is implemented through two channels: WebSocket and HTTP.

Among the malware's capabilities are downloading and opening files, executing commands via various shells, gathering information about the file system and connected drives, transferring and deleting files, as well as viewing the contents of specific folders. Some commands download encrypted ZIP files, extract them, and automatically execute the contents.

QiAnXin also noted that variants of Spyder with extended data collection capabilities are distributed from the same resource. Moreover, the digital signature of "Annexure.exe" overlaps with another Trojan — ShadowAgent, attributed to the DoNot group (also known as Brainworm). As early as November 2025, the Threat Analysis Center 360 classified this executable as ShadowAgent.

According to Chinese experts, the emergence of StreamSpy and modifications of Spyder indicates that Maha Grass is actively advancing its cyber arsenal. The use of WebSocket channels in StreamSpy can be seen as an attempt to bypass traffic filtering and conceal command activity. Furthermore, the similarity of the samples confirms that Patchwork and DoNot are likely sharing resources and technologies.