Patchwork hackers deploy a stealthy new in-memory RAT in China-themed attacks

The long-running espionage crew known as Patchwork, also tracked as Dropping Elephant, has resurfaced with a significantly upgraded toolkit built to slip past disk-based defenses, according to researchers at Rapid7. The group baited victims with a Chinese-language decoy, a fake contract acceptance notice for an industrial seawater pump project, and used it to quietly load a heavily reworked remote access trojan (RAT) directly into memory.

Patchwork is an India-aligned threat actor that has been active for years against targets across Asia. What makes this campaign notable is not a new victim but a new level of stealth: Rapid7 says the malware now runs almost entirely in memory, leaving little for traditional antivirus to catch.

How the attack works

The infection starts with a Windows shortcut file, GRES3001.lnk, disguised as a PDF. When opened, it spawns an obfuscated PowerShell downloader that reaches out to the staging server chinagreenenergy[.]org, pulls down a decoy document to distract the victim, and stages the real payloads in the background. The attackers then abuse a legitimate, signed Microsoft program called Fondue.exe to "side-load" a malicious DLL, a trick that lets the malware run under the cover of a trusted process. A scheduled task named GoogleErrorReport relaunches the chain every minute for persistence.

From there the loader decrypts an AES-wrapped payload and uses an open-source tool called Donut to map the final 32-bit RAT straight into memory. The RAT hides itself with control-flow flattening and runtime API reconstruction, and protects its command traffic with HTTPS and Salsa20 encryption. Despite the overhaul, Rapid7 tied it back to older Dropping Elephant samples through shared beaconing patterns, screenshot-capture logic, and reused code constants.

Why it matters

The China-themed lure points to targeting of Chinese interests, continuing Patchwork's regional espionage focus. The bigger takeaway for defenders is that signature-based and disk-scanning tools are increasingly blind to this style of attack. Rapid7 stresses that the most durable detections are behavioral: a shortcut file spawning PowerShell, files dropped into C:\Users\Public\, a scheduled task running every minute, and Fondue.exe loading a control-panel file from a user directory rather than a Windows system folder. IntelFusions has documented similar LNK-to-PowerShell espionage chains used by North Korea's Kimsuky group, and the broader move toward memory-resident implants seen across modern state-aligned operations.

What you should do

Block or closely monitor PowerShell launched by shortcut files, alert on scheduled tasks created with generic names like GoogleErrorReport, and ensure endpoint tooling can spot in-memory payloads and tampering with AMSI, WLDP, and ETW. Treat unexpected use of Fondue.exe outside its normal location as suspicious.
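The behavioral detections listed above can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from Rapid7 or IntelFusions: it runs four rules over constructed, Sysmon-style JSON events (process creation, image load and file create; the field names, sample paths, command lines and the encoded string are all constructed, and the assumption that the copied Fondue.exe and its .cpl live under C:\Users\Public\ is mine), then counts how many distinct rules fire to decide whether the signals look like one chain rather than isolated noise.

```python
"""Behavioral rules for the LNK -> PowerShell -> scheduled task -> Fondue.exe
side-load chain. Added example; event schema follows Sysmon event IDs 1, 7
and 11 (Image, ParentImage, CommandLine, ImageLoaded, TargetFilename).
All sample events below are constructed, not real telemetry."""
import json
import re
from typing import Callable, Dict, List, Optional

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PUBLIC_DIR = "c:\\users\\public\\"
# Launch flags typical of hidden or encoded PowerShell stagers (heuristic, assumption).
PS_SUSPICIOUS = re.compile(
    r"-(?:enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b", re.I)
# Generic task name seen in the campaign plus the "every minute" schedule pattern.
TASK_NAME = re.compile(r'/tn\s+"?GoogleErrorReport', re.I)
TASK_EVERY_MINUTE = re.compile(r"/sc\s+minute\s+/mo\s+1(?:\s|$)", re.I)

# Constructed Sysmon-like log lines: four malicious events followed by two benign ones.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -nop -enc QQBCAEMA"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\Public\\APPWIZ.cpl"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "schtasks /create /sc minute /mo 1 /tn GoogleErrorReport /tr C:\\Users\\Public\\Fondue.exe"}
{"EventID": 7, "Image": "C:\\Users\\Public\\Fondue.exe", "ImageLoaded": "C:\\Users\\Public\\APPWIZ.cpl"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\fondue.exe", "ImageLoaded": "C:\\Windows\\System32\\appwiz.cpl"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
'''


def parse_events(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _under(path: str, prefixes) -> bool:
    p = path.lower()
    return any(p.startswith(x) for x in prefixes)


def check_lnk_powershell(e: Dict) -> Optional[str]:
    """A double-clicked .lnk shows up as explorer.exe spawning PowerShell;
    only flag it when the command line carries hidden/encoded launch flags."""
    if e.get("EventID") != 1 or not e.get("Image", "").lower().endswith("powershell.exe"):
        return None
    if not e.get("ParentImage", "").lower().endswith("explorer.exe"):
        return None
    return "lnk_powershell" if PS_SUSPICIOUS.search(e.get("CommandLine", "")) else None


def check_public_drop(e: Dict) -> Optional[str]:
    """Payload staging into the world-writable C:\\Users\\Public\\ directory."""
    if e.get("EventID") == 11 and _under(e.get("TargetFilename", ""), (PUBLIC_DIR,)):
        return "public_drop"
    return None


def check_minute_task(e: Dict) -> Optional[str]:
    """schtasks creating a task that fires every minute, or using the known generic name."""
    if e.get("EventID") != 1 or not e.get("Image", "").lower().endswith("schtasks.exe"):
        return None
    cl = e.get("CommandLine", "")
    return "minute_task" if (TASK_EVERY_MINUTE.search(cl) or TASK_NAME.search(cl)) else None


def check_fondue_sideload(e: Dict) -> Optional[str]:
    """Signed Fondue.exe loading a .cpl from anywhere other than a Windows system folder."""
    if e.get("EventID") != 7 or not e.get("Image", "").lower().endswith("fondue.exe"):
        return None
    loaded = e.get("ImageLoaded", "")
    if loaded.lower().endswith(".cpl") and not _under(loaded, WINDOWS_DIRS):
        return "fondue_sideload"
    return None


RULES: List[Callable[[Dict], Optional[str]]] = [
    check_lnk_powershell, check_public_drop, check_minute_task, check_fondue_sideload]


def detect(events: List[Dict]) -> List[Dict]:
    """Return one hit per (event, rule) pair so analysts can pivot back to the raw event."""
    hits = []
    for i, e in enumerate(events):
        for rule in RULES:
            name = rule(e)
            if name:
                hits.append({"rule": name, "event_index": i})
    return hits


def chain_verdict(hits: List[Dict], threshold: int = 3) -> str:
    """Several distinct behaviors on one host is far stronger than any single rule."""
    distinct = {h["rule"] for h in hits}
    return "patchwork-like chain" if len(distinct) >= threshold else "isolated signals"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = detect(evs)
    for h in found:
        print(h["rule"], "<-", json.dumps(evs[h["event_index"]]))
    print("verdict:", chain_verdict(found))
```

The two benign events at the end of the sample (Fondue.exe loading appwiz.cpl from System32, and a plain interactive PowerShell launch from Explorer) are there to show the rules do not fire on the legitimate shapes of the same behavior; in production the image-load rule in particular should also check that Fondue.exe's signature still verifies, since the binary itself is untouched and only its search path is abused.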

Indicators of compromise

Selected defanged indicators: staging URLs hxxps://chinagreenenergy[.]org/doc/35566/SXxls and hxxps://chinagreenenergy[.]org/doc/list/load-list/8daaa3e4-c85e-40c1-a2a2-94679e94c417; loader DLL (APPWIZ.cpl) SHA-256 914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6. Full indicators are in the original Rapid7 report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
