Indian Hacker Group Involved in Cyber Attacks in Pakistan, China

The PatchWork APT group, also known as Mahabusa and White Elephant, is reportedly involved in cyber-attacks in Pakistan, as stated in an advisory issued by the Cabinet Division. This group is believed to be sponsored by the Indian government and has been actively targeting both Chinese and Pakistani state institutions with the aim of data exfiltration.

PatchWork, which has been operating in cyberspace since around 2015, gained notoriety in 2017 when cybersecurity researchers began identifying its methods of operation and malicious activities. Such state-sponsored hacking groups are a growing concern in the realm of cybersecurity, as they can have significant implications for the targeted countries and organizations. Efforts to detect, defend against, and attribute cyberattacks like these are ongoing challenges for governments and cybersecurity experts.

The advisory from the Cabinet Division provides valuable insights into the tactics and techniques employed by the PatchWork APT group in targeting Asian regions, with a particular focus on countries like Pakistan and China. The methods used by this group include spear phishing emails, whaling (targeting high-profile individuals), social engineering, and masquerading techniques. These techniques involve the use of crafted malicious emails, fake rating websites designed to appear legitimate to gain users’ trust, and social media links leading to the download of malicious mobile apps.

PatchWork is known to utilize various malicious tools, including Android RATs (Remote Access Trojans), the Bad News RAT, and file-stealer malware, to compromise user systems and networks. The advisory has identified specific URLs and malicious attachments associated with these cyber-attacks, such as domains like,, and The advisory recommends blocking these URLs and has provided a list of malicious links for this purpose.

To enhance cybersecurity and protect against such threats, government officials have been advised not to share personal details and credentials with unauthorized or suspicious users, websites, or applications. They are also urged not to install unknown and suspicious applications and to exercise caution when clicking on links and attachments. Instead, they are encouraged to manually type URLs in the browser to minimize the risk of falling victim to phishing attempts and malware downloads. These precautions can significantly contribute to safeguarding sensitive information and systems from cyber threats.

The advisory issued by the Cabinet Division contains a comprehensive set of cybersecurity recommendations for government officials and departments to protect against various cyber threats, including social engineering and phishing attacks. Here are the key points:

1. Use HTTPS: Government officials are advised to always open websites with HTTPS (secure, encrypted connections) and avoid visiting HTTP websites, which are less secure.

2. Avoid Personal Accounts: It is recommended not to use personal accounts on official systems to prevent the mixing of personal and professional data, which can pose security risks.

3. Beware of Email Links: Officials are urged not to follow web links in emails to avoid falling victim to social engineering and phishing attacks, which often use deceptive email links.

4. Phishing Training: Government departments and officials should provide training to users to help them recognize and report phishing attempts effectively.

5. Multi-Factor Authentication (MFA): MFA should be implemented wherever possible to add an extra layer of security to accounts and systems.

6. Regular System Review: Regularly reviewing application permissions, monitoring system running processes, and assessing storage utilization can help detect and mitigate security risks.

7. Email Security: Use reputable and licensed business email gateways, anti-phishing, and anti-spam solutions to filter out malicious emails and attachments.

8. Document Scanning: Always scan every document before opening or downloading it, preferably using built-in antivirus tools on email servers, to prevent malware infections.

9. Application Whitelisting: Implement application whitelisting, which allows only specified and trusted applications to run while blocking all other, potentially harmful, applications.

These recommendations are crucial for enhancing cybersecurity within government institutions and ensuring the protection of sensitive data and systems against cyber threats.
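As an added example (not code from the advisory or the Cabinet Division), the following Python script shows how a mail-security team could turn three of the points above into a mechanical check on an inbound message: flag plain-HTTP links, flag links whose visible text shows one URL while the href points to a different host (the masquerading technique the advisory describes), and match link hosts against a domain blocklist. The sample message and the blocklist entries are constructed placeholders; the advisory's real URL list is not reproduced here.

```python
"""Triage the links in a suspected phishing email against the advisory's
guidance: prefer HTTPS, distrust email links, and block known-bad domains.

Added example, not code from the advisory. The blocklist and the sample
message below are constructed placeholders (.invalid / .example TLDs).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder blocklist; in practice this would be loaded from
# the advisory's published list of malicious domains.
BLOCKED_DOMAINS = {"example-bad.invalid", "updates-portal.invalid"}

# Constructed sample message mimicking the lure style described above.
SAMPLE_EMAIL_HTML = """<p>Dear Officer, please review the attached rating report.</p>
<p><a href="http://example-bad.invalid/report.docx">Open report</a></p>
<p><a href="https://login.updates-portal.invalid/">https://mail.gov.example</a></p>
<p><a href="https://intranet.example">Intranet</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_blocked(host):
    # Match the domain itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def triage_link(href, text):
    """Return the list of findings for one link (empty list means no concern)."""
    findings = []
    host = _host(href)
    if urlparse(href).scheme == "http":
        findings.append("plain-http")
    if _is_blocked(host):
        findings.append("blocked-domain")
    # Masquerading: the visible text looks like a URL but the href goes elsewhere.
    if text.startswith(("http://", "https://")) and _host(text) != host:
        findings.append("display-url-mismatch")
    return findings


def triage_email(html):
    """Map each href in the message to its findings."""
    return {href: triage_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, findings in triage_email(SAMPLE_EMAIL_HTML).items():
        print(f"{href}: {', '.join(findings) or 'no findings'}")
```

Run as-is, the script reports the first link as plain-HTTP on a blocked domain, the second as a blocked subdomain whose display text masquerades as a different host, and the intranet link as clean. A gateway would typically quarantine any message with a non-empty finding list and log the verdict for the SOC, rather than relying on the recipient to notice the mismatch.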

The advisory additionally calls upon administrators to provide internet access selectively based on users’ specific requirements, enforce limitations on data usage and application privileges, and employ digital code-signing methods for verifying software and documents before downloading. Furthermore, it recommends implementing Multi-Factor Authentication (MFA) in the administrator controls of mailing systems and other vital systems, along with regular password updates at the administrator level.
