Abstract
The Patchwork advanced persistent threat group, also tracked as Dropping Elephant, Maha Grass, APT-C-09, and Quilted Tiger, maintains active operations against Pakistani defense and government entities through late 2025. Researchers attribute this group to Indian origins based on consistent targeting patterns since at least 2009, focusing on espionage in South Asia. Campaigns in the second half of 2025 deploy multi-stage infection chains initiated via spear-phishing emails containing ZIP archives with disguised executables.
These archives deliver Python-based backdoors through MSBuild project files as living-off-the-land binaries. The malware employs modified PyInstaller runtimes, marshalled bytecode, and dynamic API resolution to evade detection. Persistence mechanisms include registry modifications, scheduled tasks, and startup folder LNK files. Command-and-control communication incorporates randomized PHP endpoints and geofencing checks.
By December 2025, Patchwork integrates the previously undocumented StreamSpy Trojan. StreamSpy separates command channels using WebSocket for instructions and results while routing file transfers via HTTP. This design reduces detectable traffic patterns and complicates network-based filtering. StreamSpy collects system metadata, generates unique victim identifiers, and supports commands for file operations, shell execution across cmd.exe and PowerShell, directory enumeration, and deployment of encrypted ZIP payloads.
Technical overlaps link StreamSpy to the Spyder downloader, a variant derived from the WarHawk family originally associated with the SideWinder group. Spyder variants hosted on the same infrastructure as StreamSpy exhibit enhanced data collection modules. The executable “Annexure.exe” carries digital signatures correlating with ShadowAgent, attributed to the DoNot Team (also known as Brainworm or APT-C-35).
These correlations indicate resource and technology sharing among South Asian APT actors, including Patchwork, DoNot, and elements of SideWinder tooling. Distribution occurs via domains such as firebasescloudemail[.]com hosting archives like “OPS-VII-SIR.zip”. Decoy documents mimic legitimate defense-related materials to lower suspicion.
Patchwork’s 2025 activities extend beyond Pakistan to include Turkish defense contractors in July campaigns using LNK files themed around unmanned vehicle conferences and Chinese entities with power grid lures delivering Rust loaders and Protego trojans. Primary focus remains Pakistani military and defense sectors, aligning with historical patterns documented since 2015.
The group’s evolution reflects investment in obfuscation, protocol separation, and cross-group code reuse to sustain espionage amid improving regional defenses. WebSocket adoption in StreamSpy specifically counters traffic inspection common in government networks. Shared signatures and infrastructure with DoNot suggest coordinated or opportunistic tool borrowing among India-aligned actors.
These developments underscore persistent sub-threshold cyber competition in South Asia. Pakistani targets face compounded risks from chained vulnerabilities in phishing delivery, living-off-the-land execution, and dual-channel command-and-control. Detection requires monitoring for anomalous MSBuild invocations, PyInstaller anomalies, and split WebSocket-HTTP sessions.
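The detection idea in the paragraph above, written out as an added example that is not part of the monograph: a small Python correlation over constructed process-creation and network-flow records (hostnames, file paths and the `example.invalid` destinations are placeholders, not indicators from any report) that flags MSBuild launched against a project file in a user-writable directory or spawning a Python interpreter, and hosts that pair a long-lived WebSocket session with bulk HTTP uploads to the same destination.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry for this example; hostnames, paths and the
# *.invalid destinations are placeholders, not indicators from any report.
# Process-creation records: host | parent image | image path | command line
PROC_LOG = r"""
WS01|explorer.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|MSBuild.exe C:\Users\analyst\AppData\Local\Temp\OPS-VII-SIR\build.proj
WS01|MSBuild.exe|C:\Users\analyst\AppData\Local\Temp\OPS-VII-SIR\python.exe|python.exe -c "import marshal"
BLD01|devenv.exe|C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe|MSBuild.exe C:\src\app\app.csproj /t:Build
WS02|cmd.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
"""
# Network flow records: host | destination | channel | seconds | bytes_out
# channel is "ws" for a session that completed a WebSocket upgrade, else "http"
FLOW_LOG = """
WS01|c2.example.invalid|ws|1800|2048
WS01|c2.example.invalid|http|4|3145728
WS02|chat.example.invalid|ws|3600|12000
WS02|cdn.example.invalid|http|2|5242880
BLD01|pkg.example.invalid|http|30|1024
"""


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetFlow:
    host: str
    dst: str
    channel: str
    seconds: int
    bytes_out: int


def parse_proc(text):
    events = []
    for line in text.strip().splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(host, parent, image, cmdline))
    return events


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        host, dst, channel, seconds, bytes_out = line.split("|")
        flows.append(NetFlow(host, dst, channel, int(seconds), int(bytes_out)))
    return flows


# Directories a phishing ZIP is typically extracted into; a build system
# does not normally run project files from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def suspicious_msbuild(events):
    """Flag MSBuild used as a living-off-the-land launcher.

    Two signals taken from the campaign description: the project file lives
    in a user-writable directory, or MSBuild spawns a Python interpreter.
    """
    hits = []
    for e in events:
        image = e.image.lower().rsplit("\\", 1)[-1]
        if image == "msbuild.exe":
            if any(d in e.cmdline.lower() for d in USER_WRITABLE):
                hits.append((e.host, "msbuild project file in user-writable path"))
        elif e.parent.lower() == "msbuild.exe" and image.startswith("python"):
            hits.append((e.host, "msbuild spawned python interpreter"))
    return hits


def split_channel_hosts(flows, min_ws_seconds=600, min_http_bytes=1_000_000):
    """Return (host, dst) pairs with a long-lived WebSocket session AND bulk
    HTTP upload to the same destination.

    A long WebSocket alone is normal (chat clients, dashboards); the
    discriminator is pairing it with large HTTP transfers to the same peer,
    which is the command/file split the text attributes to StreamSpy.
    """
    by_pair = defaultdict(lambda: {"ws": 0, "http": 0})
    for f in flows:
        b = by_pair[(f.host, f.dst)]
        if f.channel == "ws":
            b["ws"] = max(b["ws"], f.seconds)
        else:
            b["http"] += f.bytes_out
    return sorted(p for p, b in by_pair.items()
                  if b["ws"] >= min_ws_seconds and b["http"] >= min_http_bytes)


if __name__ == "__main__":
    for host, reason in suspicious_msbuild(parse_proc(PROC_LOG)):
        print(f"[proc] {host}: {reason}")
    for host, dst in split_channel_hosts(parse_flows(FLOW_LOG)):
        print(f"[net]  {host}: split WebSocket/HTTP channels to {dst}")
```

Thresholds are starting points for tuning: a build server legitimately runs MSBuild from source trees, and the flow check depends on a proxy or sensor that records WebSocket upgrades separately from plain HTTP.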
Broader implications include heightened escalation potential in India-Pakistan relations, where attribution of state-sponsored activity remains contested. Non-state proxies complicate deniability, while tool overlap blurs actor boundaries. Regional stability demands enhanced bilateral confidence-building in cyberspace alongside unilateral hardening of defense networks.
Data as of December 2025 derive from open-source threat intelligence reporting. No publicly accessible primary documents from permitted governmental or intergovernmental domains directly address these specific 2025 Patchwork campaigns. Analysis relies on corroborated technical details across commercial cybersecurity disclosures.
The monograph examines attribution consensus, tactical progression, inter-group linkages, targeting rationale, and policy ramifications for South Asian cybersecurity dynamics.
[Infographic] Global Military & Cyber Threat Overview 2024–2026
Divergence: Spending vs Sub-Threshold Threats
- World military spending 2024
- NATO share (55% global)
- YoY increase (steepest in decades)
Bias: Western vs Regional Focus
| Aspect | Western/NATO | Regional (e.g. South Asia) |
|---|---|---|
| Investment | High budgets, collective exercises | Asymmetric cyber tools |
| Threat Response | Cyber Coalition (1,300+ participants) | Persistent espionage (Patchwork) |
Risk: Escalation Pathways
- Dual-channel evasion
- Patchwork ↔ DoNot/SideWinder
Conclusion/Action: Resilience Priorities
- Strengthen NATO Integrated Cyber Centre
- Expand multinational exercises
- Push sub-threshold norms
Table of Contents
- Core Concepts in Review: What We Know and Why It Matters
- Defensive Recommendations and Regional Stability Outlook
- Historical Context and Attribution of Patchwork APT
- Tactical Evolution in 2025 Campaigns Against Pakistani Targets
- Technical Analysis of StreamSpy and Related Tooling
- Evidence of Resource Sharing with DoNot and SideWinder Actors
- Targeting Patterns and Geopolitical Implications
- APPENDIX – Technical Analysis of StreamSpy and Related Tooling
Core Concepts in Review: What We Know and Why It Matters
As policymakers grapple with an increasingly contested digital landscape, understanding the interplay between rising military budgets, collective defence mechanisms, and persistent cyber threats from state-aligned actors becomes essential. The past year has seen global military expenditure reach a record $2718 billion in 2024, marking a 9.4 % real-terms increase—the steepest annual rise in decades—and pushing the world’s military burden to 2.5 % of global GDP, the highest since the early 1990s. This surge, documented in the Trends in World Military Expenditure, 2024 – SIPRI – April 2025, reflects a decade of consecutive growth, up 37 % since 2015, driven by conflicts in Europe and the Middle East alongside broader geopolitical tensions.
NATO members alone accounted for $1506 billion, or 55 % of the worldwide total, underscoring how alliances amplify spending trends. These figures are not abstract; they fund everything from conventional rearmament to advanced cyber defences, as nations respond to daily malicious activities that blur the line between peace and conflict.
At the heart of Western responses lies NATO’s evolving cyber posture. In July 2024, Allies agreed to establish the NATO Integrated Cyber Defence Centre, a new hub designed to enhance network protection, boost situational awareness, and fully operationalize cyberspace as a domain across peacetime, crisis, and war. This centre, headquartered at Supreme Headquarters Allied Powers Europe in Belgium, brings together civilian and military experts alongside industry partners to leverage cutting-edge technologies against sophisticated threats.
It builds on longstanding efforts, exemplified by Cyber Coalition 2025, NATO’s flagship exercise held from 28 November to 4 December 2025. That event convened over 1,300 cyber defenders from 29 Allies and seven partners to simulate complex scenarios, including critical infrastructure attacks and multi-domain incidents. Such drills test not just technical responses but also legal interoperability and rapid decision-making, ensuring the Alliance can deter and defend collectively in a domain contested every day.
These investments matter because the threats are real and persistent. While major powers pour resources into deterrence, sub-threshold operations—espionage campaigns below the level of armed conflict—continue unabated. One striking example emerged in late 2025: the deployment of StreamSpy, a new Trojan attributed to the Patchwork group (also known as Dropping Elephant or APT-Q-36), a long-active actor focused on South Asian targets, particularly Pakistani defence entities.
StreamSpy innovates by splitting its command-and-control: lightweight instructions flow through persistent WebSocket connections, while bulk file transfers use HTTP to blend with normal traffic. This evades detection in monitored networks. Delivered via spear-phishing ZIP archives (such as “OPS-VII-SIR.zip”) hosting “Annexure.exe”, it fingerprints victims thoroughly before beaconing back, then offers operators shell access, filesystem searches, and staged payload deployment via encrypted archives.
Analyses reveal code overlaps with Spyder (borrowed from SideWinder tooling) and digital signatures matching DoNot group’s ShadowAgent, pointing to resource sharing among regional clusters. These campaigns highlight how modest actors can sustain high-impact espionage with borrowed sophistication.
Broader incident tracking reinforces the scale. Though no single public tally captures every event, ongoing surges—such as Russian operations against Ukraine rising sharply—illustrate how cyber tools complement kinetic forces. In this environment, alliances like NATO provide crucial coordination, but gaps remain in addressing non-Western threats where attribution is contested.
Why does this matter for policy? Escalating spending and advanced threats risk a spiral where defences provoke further offence, diverting resources from pressing global challenges. Yet collective mechanisms, from exercises to new centres, offer a path to resilience without endless escalation. Policymakers must balance vigilance with diplomacy, ensuring cyber defences protect without provoking unnecessary confrontation.
In essence, we know the world is spending more on security than at any point in recent memory, alliances are adapting swiftly in cyberspace, and persistent actors exploit gaps below war’s threshold. The challenge ahead is translating this knowledge into stable, norms-based order—before sub-threshold competition tips into something far costlier.
Historical Context and Attribution of Patchwork APT
India maintains the third-largest active-duty military force globally, with 1.4 million personnel across its army, navy, and air force branches. Pakistan fields approximately 660,000 active personnel. These asymmetries extend to nuclear capabilities, where India possesses an estimated 164 assembled warheads and Pakistan around 170, reflecting deliberate doctrinal choices shaped by geographic constraints and threat perceptions.
India adopts a no-first-use policy with credible minimum deterrence against China, while Pakistan emphasizes full-spectrum deterrence incorporating tactical nuclear weapons to offset conventional disparities. Because conventional imbalances persist, both states increasingly integrate cyber operations into hybrid warfare strategies.
The International Institute for Strategic Studies assesses India’s cyber capabilities as tier-three in a global net assessment, indicating mature offensive potential constrained by institutional coordination challenges. India invests in dedicated military cyber commands under the Defence Cyber Agency, established in 2019, to consolidate offensive and defensive functions across services.
Pakistan develops parallel structures through the Pakistan Army’s cyber command elements, though resource constraints limit scale. Regional experts interviewed in 2020 perceive mutual disbelief in declared doctrines, compounding escalation risks when cyber intrusions intersect with border tensions.
South Asian strategic stability faces persistent nuclear and conventional risks. The Stockholm International Peace Research Institute documents interlocking perceptions from India, Pakistan, China, Russia, and the United States, revealing how Pakistan views India’s growing capabilities as existential threats, prompting preemptive doctrinal adjustments.
India reciprocally interprets Pakistan’s tactical nuclear posture as lowering thresholds for conflict initiation. Because these views remain unreconciled absent sustained dialogue, sub-conventional operations—including cyber espionage—fill operational gaps below armed conflict thresholds.
Attribution of advanced persistent threats in South Asia rarely appears in official governmental disclosures from permitted domains. The Center for Strategic and International Studies maintains a timeline of significant cyber incidents, recording a 138 % increase in attacks on Indian government entities from 85,797 incidents in 2019 to 204,844 in 2023, sourced from India’s Ministry of Electronics and Information Technology.
This escalation originates from diversified threat actors exploiting digital vulnerabilities amid heightened bilateral tensions. The mechanism involves opportunistic exploitation of unpatched systems and supply-chain compromises, implying broader regional instability as defenses lag behind offensive innovations.
Pakistan confronts compounded threats from transnational groups and state-aligned actors. The United Nations Security Council monitoring reports note persistent activities by affiliates in the region, though direct attribution to state sponsors remains contested in open sources.
Russian infiltration of a Pakistani hacking group in December 2024 enabled access to exfiltrated data from South Asian military targets, demonstrating how third-party actors exploit local infrastructure for secondary gains. This incident deviates from bilateral patterns by introducing external amplification, with implications for attribution clarity in future crises.
The International Institute for Strategic Studies evaluates India’s cyber power within national power assessments, highlighting doctrinal integration of cyberspace into hybrid warfare. India’s Joint Doctrine for Cyberspace Operations (released publicly in limited form) identifies cyber as a domain for both defense and offense, aligned with broader military modernization.
Because institutional silos historically fragmented efforts, the Defence Cyber Agency centralizes command to achieve operational coherence. Pakistan mirrors this evolution, incorporating cyber into full-spectrum deterrence to counter perceived encirclement.
Geopolitical rivalries drive capability development. China’s support for Pakistan through infrastructure and technology transfers indirectly bolsters defensive postures, while India deepens partnerships with the United States and Quad members for capacity building.
The North Atlantic Treaty Organization engages Indo-Pacific partners on cybersecurity, recognizing shared threats from sophisticated attacks on critical infrastructure. These collaborations originate from convergent interests in resilient networks, deviating from Cold War alignments through pragmatic multilateralism.
India’s military expenditure reached $81 billion in 2023, enabling sustained investment in cyber offense. Pakistan allocated proportionally higher shares relative to GDP, reflecting acute threat perceptions. Because resource asymmetries favor India, Pakistan prioritizes asymmetric domains like cyber to balance deterrence equations.
The RAND Corporation analyzes regional responses to U.S.-China competition, noting India’s vulnerability to cyber threats despite information technology prowess. This gap arises from inadequate public-private coordination, implying that accelerated reforms are required to realize offensive potential.
Nuclear risks intersect with cyber domains. The International Institute for Strategic Studies details persistent instability from doctrinal asymmetries, where mutual disbelief amplifies miscalculation probabilities during intrusions.
Pakistan’s lower thresholds for nuclear employment create non-linear escalation pathways if cyber operations disrupt command-and-control. India’s recessed posture similarly risks rapid mobilization signals misinterpreted through digital channels.
Historical crises inform current postures. Post-2019 Balakot exchanges demonstrated restrained escalation ladders, yet absent cyber-specific confidence-building measures, future incidents carry higher inadvertent risks.
The Center for Strategic and International Studies tracks incidents revealing opportunistic state behavior, with attacks surging amid diplomatic freezes. This pattern originates from strategic signaling below armed thresholds, deviating into sustained campaigns when defenses prove permeable.
India and Pakistan both field growing drone and missile inventories, complicating attribution in hybrid operations. The International Institute for Strategic Studies documents disputed narratives in recent engagements, where cyber reconnaissance precedes kinetic actions.
Because integrated planning blurs domain boundaries, distinguishing defensive probing from offensive preparation challenges crisis management.
Broader implications extend to global norms. The United Nations debates evolving cyberspace threats, emphasizing international law applicability. States affirm the Charter’s relevance, yet enforcement mechanisms remain underdeveloped for sub-threshold operations.
South Asia exemplifies these gaps, where persistent espionage erodes trust without triggering formal responses.
Defensive disparities compound vulnerabilities. India’s large digital economy presents expansive attack surfaces, while Pakistan’s concentrated critical infrastructure offers high-impact targets.
The Center for Strategic and International Studies notes transnational exploitation of these asymmetries, implying requirements for bilateral mechanisms to mitigate shared risks from third parties.
Doctrinal evolution reflects these realities. Pakistan integrates cyber into tactical deterrence, lowering perceived thresholds against superior forces. India counters through offensive capabilities to impose costs, creating mutual vulnerability spirals.
The Stockholm International Peace Research Institute captures these interlocking views, where China’s detachment from the dyad allows independent maneuvering, further complicating stability.
Tactical Evolution in 2025 Campaigns Against Pakistani Targets
Global defence spending reached $2.46 trillion in 2024, marking a real-terms increase driven by heightened threat perceptions across regions, with Asian states contributing significantly to this escalation through sustained investments in modernization programs that encompass both conventional forces and emerging domains such as cyberspace. The International Institute for Strategic Studies documents this aggregate figure, originating from comprehensive national budget analyses adjusted for purchasing power parity and inflation, where the mechanism involves accelerated procurement cycles prompted by ongoing conflicts and geopolitical rivalries, leading to implications for strategic balances in contested areas including South Asia. Because procurement priorities shifted toward rapid munitions stockpiling and technological integration, states with persistent bilateral tensions allocated resources to hybrid capabilities that blend kinetic and non-kinetic operations.
Asian defence expenditures reflected divergent trajectories, with the region’s overall share of global spending declining to 21.7 % in 2024 from previous peaks, yet individual actors like India maintained robust growth by allocating $86.0 billion to defence, positioning it among the top global spenders and enabling expanded operational reach across domains. This figure derives from verified national accounts compiled by the International Institute for Strategic Studies, deviating from regional averages due to India’s focus on border infrastructure and multi-domain deterrence against dual-front contingencies, the mechanism of which involves legislative approvals for supplementary budgets that fund cyber command structures alongside conventional upgrades, implying sustained pressure on adversaries with asymmetric resource constraints.
Cyber incidents targeting government entities in India demonstrated a marked upward trend, with reported attacks rising 138 % from 85,797 in 2019 to 204,844 in 2023, a pattern that extended into subsequent years amid escalating sub-threshold competition. The Center for Strategic and International Studies chronicles this increase, sourced from official disclosures by India’s Ministry of Electronics and Information Technology, where the deviation arises from diversified actor motivations including espionage and disruption, facilitated by phishing vectors and supply-chain compromises, resulting in implications for defensive posture hardening that necessitate continuous investment in incident response frameworks.
Pakistani-aligned cyber actors deployed malware against India’s government, aerospace, and defence sectors in campaigns reported through May 2024, utilizing phishing emails impersonating domestic defence officials to deliver payloads capable of data exfiltration and system persistence. The Center for Strategic and International Studies records these operations, originating from media and intelligence assessments that highlight tactical sophistication in social engineering, the mechanism involving lure documents themed around administrative correspondence to bypass endpoint protections, with broader implications for mutual vulnerability in sectors critical to national security planning.
Reciprocal activities saw India-linked groups targeting Pakistani entities, including military and diplomatic networks, through sustained campaigns that intensified regional cyber rivalry without crossing thresholds into declared conflict. The Center for Strategic and International Studies timeline captures these exchanges, where causal chains link heightened diplomatic freezes to opportunistic probing of networks, deviating from normative restraint through exploitation of unpatched vulnerabilities, implying requirements for confidence-building measures to mitigate inadvertent escalation risks.
Russian actors infiltrated Pakistani hacking infrastructure in December 2024, gaining access to exfiltrated data from South Asian military and government targets, illustrating third-party exploitation of regional tools for independent objectives. The Center for Strategic and International Studies documents this breach, originating from opportunistic compromise of the hacking groups’ own infrastructure, the mechanism of which involves lateral movement across shared ecosystems, leading to implications for attribution complexity in future incidents involving South Asian vectors.
Iranian campaigns targeted aerospace and defence industries across multiple states including India from 2023 onward, employing LinkedIn-based recruitment lures to distribute malware for espionage purposes. The Center for Strategic and International Studies details these operations continuing into 2024, where the deviation from standard phishing lies in prolonged engagement phases to build trust, facilitated by fake personas offering employment opportunities, with implications for supply-chain integrity in collaborative international projects.
Global military expenditure patterns in 2024 underscored resource asymmetries that shape tactical choices in cyberspace, as states with larger budgets integrate offensive tools into broader deterrence architectures while constrained actors prioritize asymmetric responses. The Stockholm International Peace Research Institute estimates world spending at $2.7 trillion for 2024, derived from standardized methodological adjustments across national reports, where the mechanism involves conflict-driven reallocations that amplify cyber investments as cost-effective force multipliers, implying persistent instability in regions with unresolved territorial disputes.
Arms import dependencies highlighted operational vulnerabilities, with India accounting for 8.3 % of global transfers and Pakistan 4.6 % over the 2020–2024 period, reflecting reliance on external suppliers for advanced systems that increasingly incorporate networked components susceptible to remote exploitation. The Stockholm International Peace Research Institute compiles these shares from verified transfer records, originating from supplier declarations and recipient confirmations, deviating due to embargo dynamics and partnership alignments, the mechanism of which exposes platforms to embedded threats during integration phases, with implications for indigenous development imperatives to reduce exposure surfaces.
Cyber developments in 2024 featured expanded use in conflict zones and espionage, including ransomware escalation and influence operations around elections, trends that informed 2025 tactical adaptations in South Asia. The Stockholm International Peace Research Institute analyzes these patterns in its yearbook summary, where causal linkages tie technological maturation to broader adoption by state-aligned actors, deviating from earlier restraint through dual-use tools like AI-enhanced targeting, implying requirements for normative frameworks to constrain sub-threshold activities.
The adoption of the United Nations Convention Against Cybercrime in 2024 established a baseline for international cooperation against transnational threats, yet persistent divisions on binding instruments versus norm implementation complicated enforcement in regions with bilateral cyber frictions. The Stockholm International Peace Research Institute notes this framework alongside the Global Digital Compact, originating from multilateral negotiations that balanced sovereignty concerns with collective security needs, the mechanism involving consensus reports from open-ended working groups, leading to implications for 2025 decisions on mandate renewals that could influence attribution transparency.
Regional coalitions emerged to address commercial intrusion tools and ransomware, initiatives that supplemented formal processes by fostering like-minded coordination on specific threat vectors prevalent in South Asian exchanges. The Stockholm International Peace Research Institute highlights the Pall Mall Process and expanded counter-ransomware efforts, where the deviation from universal approaches lies in focused membership to enable rapid information sharing, facilitated by shared intelligence assessments, with implications for isolating actors employing mercenary capabilities.
Undersea cable incidents and election-related disruptions in 2024 underscored infrastructure vulnerabilities that parallel network dependencies in defence sectors, prompting accelerated resilience measures across affected states. The Stockholm International Peace Research Institute integrates these events into broader threat assessments, originating from documented disruptions attributed to both accidental and deliberate causes, the mechanism involving physical and logical convergence points, implying heightened priorities for diversified routing in military communications architectures.
Technical Analysis of StreamSpy and Related Tooling
Global military expenditure patterns in recent years reveal sustained growth trajectories that underpin investments in multi-domain capabilities, including cyberspace operations conducted by state-aligned actors across contested regions. The Stockholm International Peace Research Institute estimates world military spending reached $2.7 trillion in 2024, a figure derived from comprehensive national reporting and methodological adjustments for consistency, where the upward deviation from prior years stems from conflict-driven reallocations and geopolitical tensions that prioritize force modernization, the mechanism of which channels resources into asymmetric domains such as cyber espionage to offset conventional disparities, with direct implications for persistent sub-threshold campaigns in South Asia.
European states dramatically increased arms imports by 155 % between the periods 2015–2019 and 2020–2024, reflecting heightened threat perceptions that parallel resource commitments to defensive cyber postures amid hybrid threats. The Stockholm International Peace Research Institute documents this surge in its arms transfers fact sheet, originating from verified delivery volumes of major conventional weapons, where the deviation arises from Ukraine-related demand and broader NATO rearmament, facilitated by accelerated procurement frameworks that integrate networked systems vulnerable to remote exploitation, implying compounded risks for allies facing sophisticated persistent threats.
NATO Allies operationalized cyberspace more fully as a domain through the establishment of the NATO Integrated Cyber Defence Centre agreed at the 2024 Washington Summit, a decision that consolidates network protection and situational awareness across peacetime, crisis, and conflict phases. This centre, located at Supreme Headquarters Allied Powers Europe, aggregates civilian and military expertise alongside industry partnerships to leverage advanced technologies for collective resilience, where the mechanism involves enhanced information sharing and proactive defence measures that counter daily malicious activities targeting Alliance infrastructure.
Cyber Coalition exercises in 2024 and 2025 tested over 1,300 participants from Allies and partners in scenarios incorporating ransomware, state-sponsored intrusions, and critical infrastructure breaches, underscoring the Alliance’s focus on multi-domain integration. These annual events, led by Allied Command Transformation, simulate real-world contingencies to refine response coordination, where causal linkages tie technological maturation to broader adoption of defensive tools, deviating from earlier isolated efforts through coalition-based knowledge exchange, with implications for deterring cumulative malicious campaigns below armed conflict thresholds.
The United Nations adopted the Convention against Cybercrime in December 2024, establishing the first global binding instrument for international cooperation on offences committed via information and communications technology systems. This treaty criminalizes core cyber-dependent crimes while facilitating electronic evidence sharing for serious offences, originating from multi-year negotiations that balanced sovereignty with collective security needs, the mechanism of which provides procedural safeguards and victim protections, leading to implications for harmonizing national responses to transnational threats including financially motivated operations funding adversarial programs.
NATO’s Cyber Coalition 2025 expanded participation to include advanced threat emulation, gathering defenders to enhance operational coherence in contested cyberspace. This iteration emphasized proactive measures against sabotage and economic coercion, where the deviation from previous exercises lies in deeper private-public collaboration, facilitated by emerging technologies for situational awareness, implying strengthened deterrence postures for member states confronting persistent actors.
Arms revenues among the top 100 global producers rose 5.9 % to $679 billion in 2024, driven by demand for modernization amid ongoing conflicts and perceived threats. The Stockholm International Peace Research Institute compiles this data from company reports adjusted for arms-specific sales, where European and American firms dominated growth, the mechanism involving supply chain adaptations despite component shortages, with implications for sustaining offensive and defensive cyber tool development through commercial ecosystems.
NATO launched the Virtual Cyber Incident Support Capability in prior years, complementing the new Integrated Centre to aid national mitigation against significant malicious activities. Allies practice mutual support coordination, originating from endorsed concepts that elevate cyber contributions to deterrence, deviating through operational domain treatment that integrates with land, air, maritime, and space efforts, implying non-linear escalation pathways if intrusions disrupt command structures.
Global arms transfers remained stable overall between 2015–2019 and 2020–2024, with regional variations offsetting one another as European inflows surged while others declined marginally. The Stockholm International Peace Research Institute tracks these volumes via trend-indicator values, where the United States maintained 43 % export share, the mechanism reflecting order backlogs for high-value platforms, leading to implications for recipient dependencies on networked systems exposed to supply-chain threats.
NATO‘s annual cyber defence conferences in 2025 addressed decisive responses to evolving threats, including disinformation and infrastructure sabotage. Senior officials emphasized no Ally stands alone, where causal chains link daily contestation to collective resilience investments, deviating from unilateral approaches through pooled expertise, with broader implications for Alliance cohesion against hybrid campaigns.
The International Institute for Strategic Studies assesses national cyber power through methodologies evaluating strengths across offensive, defensive, and dependency categories. Tier placements reflect comprehensive capabilities, originating from qualitative frameworks applied to multiple states, where deviations highlight leading actors in specific pillars, the mechanism involving doctrinal integration and resource allocation, implying strategic advantages in influence projection via digital means.
Global Defence & Cyber Trends from Permitted Sources (2024-2025)
Key Military Expenditure Data
- Global military spending 2024: $2.7 trillion (SIPRI)
- Top 100 arms producers' revenues 2024: $679 billion (+5.9%)
- Source: SIPRI Yearbook & Fact Sheets
Cyber Defence Developments
- NATO Integrated Cyber Defence Centre established 2024
- UN Cybercrime Convention adopted December 2024
- Cyber Coalition 2025 exercise: >1,300 participants
Implications
- Sustained growth in spending supports multi-domain capabilities, including cyber.
- New frameworks enhance collective resilience against persistent threats.
Evidence of Resource Sharing with DoNot and SideWinder Actors
Global military expenditure reached $2718 billion in 2024, the tenth consecutive annual increase and, at 9.4% in real terms, the steepest year-on-year rise since at least the end of the Cold War. SIPRI compiles the total in its fact sheet from national reporting adjusted to constant prices and exchange rates. The jump reflects reallocations toward force modernisation during ongoing wars and geopolitical tension; states are prioritising multi-domain capabilities that include cyberspace operations, so the trend sustains investment in offensive and defensive cyber tools as asymmetric enablers and points to prolonged instability in regions with persistent rivalries.
NATO members together spent $1506 billion in 2024, 55% of the global total, underscoring the transatlantic commitment to collective deterrence across domains including cyberspace. SIPRI aggregates this from national figures aligned with Alliance guidelines; the upward movement stems from heightened threat perceptions, including hybrid activity, and from burden-sharing arrangements that now fold cyber resilience into broader defence planning. The practical effect is a stronger basis for deterring sub-threshold operations by adversarial actors.
International transfers of major arms were broadly stable between 2015–2019 and 2020–2024, declining 0.6% overall as regional surges offset contractions elsewhere, a pattern shaped by procurement cycles, domestic production growth and economic constraints. SIPRI measures these volumes using trend-indicator values in its arms transfers database. European imports rose 155% on conflict-related demand; the accelerated delivery of networked systems expands recipients' attack surfaces as imported platforms are integrated into cyber-contested environments.
Europe recorded the sharpest regional increase in arms imports, 155% between the two periods, as states responded to direct threats by rapidly stockpiling advanced conventional weapons with substantial digital components. SIPRI attributes the shift to reallocations after the 2022 invasion of Ukraine and to supplier commitments to allied rearmament. The integrated command systems that arrive with these platforms are exposed to remote exploitation, which matters for escalation dynamics in hybrid scenarios.
NATO operationalised the Integrated Cyber Defence Centre in 2024 to consolidate network protection and situational awareness across peacetime, crisis and conflict, pooling expertise against the daily malicious activity directed at Alliance infrastructure. Centralised coordination replaces fragmented national approaches and improves information sharing, strengthening deterrence against persistent actors, including those that share tooling.
Cyber Coalition 2025 convened over 1,300 participants from 29 Allies and seven partners to test responses to complex scenarios, including critical infrastructure breaches and space-related incidents. Led by Allied Command Transformation, the exercise refined multi-domain coordination through simulated advanced threats designed to expose gaps, building on annual iterations. The outcome is better resilience against campaigns of the kind described in this report, where tooling is shared across groups.
The global military burden rose to 2.5% of gross domestic product in 2024, the highest since 1990; states in active conflict averaged 4.4% against 1.9% for others. SIPRI calculates the ratio from verified expenditure and GDP estimates. Conflict-driven priorities channel funds into dual-use technologies, which in turn sustain cyber capability development through commercial ecosystems and deepen regional asymmetries.
Ukraine was the world's largest arms importer in 2020–2024 with 8.8% of global volume, as aid inflows raised its imports nearly 100-fold compared with the previous period. SIPRI tracks these deliveries, which consist largely of donated platforms integrated into defended networks, so Ukraine also inherits whatever vulnerabilities those foreign systems carry into contested cyberspace.
US arms exports captured 43% of the global market in 2020–2024, up 21% from the previous five-year period, reinforcing supplier dominance. SIPRI attributes the growth to order backlogs and allied demand. Because these transfers involve cyber-enabled platforms, they also proliferate dependencies that adversaries can target with shared intrusion capabilities.
Global Military Expenditure & Arms Transfers Trends 2024 (SIPRI Data)
Key Military Expenditure Facts 2024
- Global total: $2718 billion (+9.4% from 2023)
- NATO members: $1506 billion (55% of world total)
- Global military burden: 2.5% of GDP
- Source: Trends in World Military Expenditure, 2024 – SIPRI – April 2025
Top Spenders 2024
1. United States: $997 billion
2. China: $314 billion
3. Russia: $149 billion
4. Germany: $88.5 billion
5. India: $86.1 billion
Arms Transfers Highlights 2020–2024
- Europe imports: +155% vs 2015–2019
- Top importer: Ukraine (8.8% global share)
- Top exporter: USA (43% global share)
- Source: Trends in International Arms Transfers, 2024 – SIPRI – March 2025
Targeting Patterns and Geopolitical Implications
World military expenditure rose to $2718 billion in 2024, as noted above, 37% higher than in 2015 and the tenth consecutive annual increase. Persistent armed conflict and intensifying geopolitical rivalry pushed states to reinforce deterrence across conventional, nuclear and emerging capabilities. The SIPRI fact sheet Trends in World Military Expenditure, 2024 (April 2025) derives the total from standardised national accounts at constant prices. The 9.4% year-on-year surge departs sharply from pre-pandemic trends because of reallocations driven by the wars in Europe and the Middle East; part of that money funds hybrid operations, including cyber operations intended to achieve effects below the threshold of armed conflict, which implies prolonged sub-threshold competition wherever bilateral disputes remain unresolved.
NATO members' combined $1506 billion, 55% of the global total, shows sustained transatlantic alignment against hybrid threats that pair cyber intrusions with conventional posturing. SIPRI aggregates national contributions measured against Alliance benchmarks; accelerated burden-sharing that builds cyber resilience into collective defence planning improves interoperability in cyberspace operations and helps deter persistent campaigns in contested neighbourhoods.
The 155% rise in European arms imports between 2015–2019 and 2020–2024 reflects rapid rearmament that also expands networked vulnerabilities. SIPRI quantifies the increase from verified transfer volumes; conflict-induced demand for integrated systems exposes command-and-control infrastructure to remote exploitation, so imported platforms need fortified cyber defences in hybrid environments.
Cyber Coalition 2025 brought together over 1,300 participants from 29 Allies and seven partners to validate responses to scenarios that combine critical infrastructure disruption with space-domain interdependencies. Coordinated by Allied Command Transformation, the exercise refines collective mechanisms for cyberspace integration through iterative annual events that expose operational gaps; its expanded private-sector collaboration and use of emerging technologies strengthen deterrence against actors that blend tooling in regional rivalries.
The 2.5% global military burden in 2024 is the highest since the early post-Cold War era, with states in major conflicts averaging 4.4% against 1.9% elsewhere. SIPRI derives the ratio from harmonised expenditure and GDP data. The shift toward asymmetric capabilities channels resources into cyber offence and defence as force multipliers, distorting allocations and widening asymmetries between states that distrust each other's doctrine.
NATO established the Integrated Cyber Defence Centre in 2024 to centralise network protection and operationalise cyberspace across all phases of activity, drawing on multi-stakeholder expertise against daily malicious incursions. Formalising the domain under unified command structures, rather than the earlier decentralised model, raises collective resilience and mitigates the cumulative risk of sub-threshold activity aimed at Alliance cohesion.
Revenues of the top 100 arms-producing companies rose 5.9% to $679 billion in 2024 on modernisation demand during protracted conflicts. SIPRI compiles the figures from adjusted company disclosures; growth concentrated in European and American firms. The same dual-use technology ecosystems underpin cyber tool proliferation, blurring the line between state and commercial intrusion capability.
Europe drove the largest share of the 2024 increase in global military spending, with continent-wide growth averaging 17%. SIPRI links this to direct threat exposure and supplementary budgets for networked rearmament, which also enlarges the attack surface in cyberspace and raises the need for Alliance-wide cyber hardening.
Global Military Expenditure & Cyber Defence Trends 2024-2025 (SIPRI & NATO Data)
World Military Expenditure 2024
- Total: $2718 billion (+9.4% from 2023)
- Global burden: 2.5% of GDP
- NATO share: $1506 billion (55% of world)
- Source: Trends in World Military Expenditure, 2024 – SIPRI – April 2025
Cyber Defence Highlights
- NATO Integrated Cyber Defence Centre established 2024
- Cyber Coalition 2025: >1,300 participants from 29 Allies + 7 partners
- Focus: Critical infrastructure & multi-domain threats
Arms Industry & Imports
- Top 100 revenues 2024: $679 billion (+5.9%)
- European arms imports: +155% (2020–2024 vs 2015–2019)
- Source: SIPRI Fact Sheets 2025
Defensive Recommendations and Regional Stability Outlook
NATO Allies concluded Cyber Coalition 2025 on 4 December after a week that began on 28 November, with over 1,300 cyber defenders from 29 Allies and seven partner nations refining collective responses to threats spanning critical infrastructure protection and multi-domain integration. The flagship exercise, directed by Allied Command Transformation, tested advanced scenarios that exposed coordination gaps while enhancing proactive defence. The main change from prior iterations was the inclusion of legal specialists and private-sector entities to address hybrid challenges, which strengthens Alliance-wide resilience against persistent sub-threshold activity and reduces exposure for members facing shared adversarial tooling.
The NATO Integrated Cyber Defence Centre, established following decisions at the 2024 Washington Summit, centralises the effort to operationalise cyberspace as a domain across peacetime, crisis and conflict by pooling network protection capabilities and situational awareness tools. It enables decisive responses to malicious activity, replacing fragmented national approaches with unified coordination and rapid information exchange, which is directly relevant to deterring campaigns that exploit resource overlaps among state-aligned and non-state actors.
The rise of world military expenditure to $2718 billion in 2024, a 9.4% real-terms increase and the steepest annual rise in recent decades, was set out above. The SIPRI fact sheet Trends in World Military Expenditure, 2024 (April 2025) compiles the figure from revised national data; conflict-related reallocations favour hybrid capabilities, and cyber offence and defence are attractive as cost-effective deterrents. The consequence for regional balances is persistent pressure that favours offensive persistence over defensive parity.
NATO members' $1506 billion, 55% of the global total, underscores the Alliance commitment to integrated deterrence that includes operationalising cyberspace. SIPRI's figure reflects burden-sharing advances aligned with capability targets and supplementary appropriations for networked resilience, which improve interoperability in cyber response and help stabilise alliances facing actors that blend conventional and digital coercion.
Cyber Coalition 2025 included specialist tracks on legal interoperability and multi-domain contexts, with participants working through escalating simulated incidents modelled on real hybrid contingencies. Run together with the NATO Communications and Information Agency, the exercise emphasised contributions from across the cyber community and experimentation with emerging technologies; the refined tactics that result are relevant against threats like StreamSpy that separate protocols and obfuscate command channels.
The 2.5% global military burden in 2024, the highest since the early 1990s, with states in major conflicts averaging 4.4% against 1.9% elsewhere, is computed by SIPRI from harmonised metrics. The elevation reflects doctrinal shifts toward asymmetric domains and sustains investment in persistent espionage tooling, prolonging instability between rivals that rely on sub-conventional signalling.
NATO's annual Cyber Defence Conference in October 2025 brought senior officials together to advocate proactive measures and public-private collaboration against evolving threats, including infrastructure sabotage. Discussions highlighted the Alliance's platforms for imposing costs on malicious actors, grounded in a shared assessment of daily contestation and an emphasis on decisive responses; the resulting cohesion is relevant to mitigating campaigns that share infrastructure across actor boundaries.
The top 100 arms-producing companies recorded revenues of $679 billion in 2024, up 5.9%, on modernisation demand in contested environments. SIPRI aggregates these from adjusted disclosures, with growth concentrated in regions facing hybrid pressure. The dual-use ecosystems these revenues fund enable advanced intrusion development, which challenges norms governing commercial contributions to state-aligned operations.
NATO Cyber Defence Developments & Global Military Trends 2024-2025
Global Military Expenditure 2024
- Total spending: $2718 billion (+9.4% YoY)
- NATO contribution: $1506 billion (55% global share)
- Military burden: 2.5% of world GDP
- Source: Trends in World Military Expenditure, 2024 – SIPRI – April 2025
NATO Cyber Defence Milestones
- Integrated Cyber Defence Centre established 2024
- Cyber Coalition 2025: 1,300+ participants from 29 Allies + 7 partners
- Focus: Multi-domain integration & proactive resilience
Strategic Outlook
- Sustained investments enhance collective cyber postures
- Exercises refine responses to hybrid threats
- Resource growth supports deterrence in contested domains
APPENDIX – Technical Analysis of StreamSpy and Related Tooling
Patchwork's campaigns from October through December 2025 deployed the StreamSpy Trojan as the primary payload in targeted intrusions against Pakistani defence and government entities. Its core design choice is a dual-protocol command-and-control scheme: lightweight command exchange runs over a persistent WebSocket connection, while high-volume file transfer is conducted only over HTTP. As detailed by QiAnXin Threat Intelligence Center in early 2026, this split avoids the sustained, anomalous traffic signature of a traditional monolithic reverse shell in monitored Pakistani military environments: the WebSocket session stays quiet except for command polling and result reporting, and stolen documents leave as HTTP POST multipart submissions that resemble ordinary web-form uploads.
Initial access consistently relies on spear-phishing emails that distribute ZIP archives from actor-controlled or compromised domains; one observed example is "OPS-VII-SIR.zip" served from firebasescloudemail[.]com, a domain registered in a pattern matching historical Patchwork infrastructure. Each archive bundles the primary executable "Annexure.exe" (version 1.0.0.1 or 1.0.0.2 in observed samples) with legitimate-looking decoy PDFs themed on Pakistani defence administration, operational circulars or procurement annexes, so that manual execution raises little suspicion. On launch, "Annexure.exe" extracts an encrypted JSON configuration blob from its resource section, decrypts it and performs host reconnaissance: CPU model, operating system build number, username, hostname, installed software, and the BIOS UUID combined with MAC addresses to derive a unique victim identifier that is sent in the initial beacon for operator triage.
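The split described above is something a defender can look for in proxy telemetry: a client that holds a long, quiet WebSocket session with an external host and separately pushes large multipart POSTs to that same host. The following Python is an added example written for this page; it is not StreamSpy code and not QiAnXin's detection logic. The pipe-delimited log format, the field names, the host names and the thresholds are assumptions, and the log lines are constructed.

```python
"""Correlate quiet, long-lived WebSocket sessions with bulky multipart HTTP
uploads from the same client to the same external host.  Added example: not
StreamSpy's code and not QiAnXin's detection logic.  The pipe-delimited log
format, field names, hosts and thresholds are assumptions for illustration."""
from collections import defaultdict

# Constructed proxy log (assumed format):
# ts|client|method|host|path|status|upgrade|content_type|bytes|duration_s
SAMPLE_LOG = """\
2025-11-12T09:01:03Z|10.20.1.15|GET|api-update.example|/stream/v1|101|websocket|-|1410|5400
2025-11-12T09:07:41Z|10.20.1.15|POST|api-update.example|/upload.php|200|-|multipart/form-data|2097152|3
2025-11-12T09:12:10Z|10.20.1.15|POST|api-update.example|/upload.php|200|-|multipart/form-data|5242880|7
2025-11-12T09:15:22Z|10.20.1.22|GET|chat.corp.example|/ws|101|websocket|-|900|3600
2025-11-12T09:20:00Z|10.20.1.30|POST|forms.corp.example|/submit|200|-|multipart/form-data|4096|1
2025-11-12T09:25:00Z|10.20.1.15|GET|www.example|/|200|-|text/html|12000|1
"""

FIELDS = ("ts", "client", "method", "host", "path", "status",
          "upgrade", "content_type", "bytes", "duration_s")


def parse_log(text):
    """Parse pipe-delimited lines into dicts; numeric fields become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|")))
        for key in ("status", "bytes", "duration_s"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_split_channel_c2(records, min_ws_seconds=1800, min_upload_bytes=1 << 20):
    """Flag (client, host) pairs that hold a WebSocket session of at least
    min_ws_seconds AND send multipart uploads of at least min_upload_bytes
    to the same host over plain HTTP.  Either signal alone is common; the
    pairing on one host is what the dual-channel design produces."""
    ws_sessions = defaultdict(list)   # (client, host) -> [path, ...]
    uploads = defaultdict(list)       # (client, host) -> [bytes, ...]
    for rec in records:
        key = (rec["client"], rec["host"])
        is_ws = rec["status"] == 101 and rec["upgrade"] == "websocket"
        if is_ws and rec["duration_s"] >= min_ws_seconds:
            ws_sessions[key].append(rec["path"])
        elif (rec["method"] == "POST"
              and rec["content_type"].startswith("multipart/form-data")
              and rec["bytes"] >= min_upload_bytes):
            uploads[key].append(rec["bytes"])
    findings = []
    for key in sorted(ws_sessions):
        if key in uploads:
            findings.append({
                "client": key[0], "host": key[1],
                "ws_paths": ws_sessions[key],
                "upload_count": len(uploads[key]),
                "upload_bytes": sum(uploads[key]),
            })
    return findings


if __name__ == "__main__":
    for f in find_split_channel_c2(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: ws={f['ws_paths']} "
              f"uploads={f['upload_count']} ({f['upload_bytes']} bytes)")
```

In the constructed sample only 10.20.1.15 is flagged: the chat client on 10.20.1.22 holds a long WebSocket but uploads nothing, and 10.20.1.30 uploads a small form with no WebSocket. The thresholds are starting points; tune the duration and byte floors to the environment, and treat the WebSocket path as a secondary indicator rather than a signature.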
StreamSpy's command repertoire, executed on receipt of a WebSocket instruction, covers the post-exploitation functions needed for prolonged espionage in defence networks:
- Arbitrary shell invocation through both cmd.exe and PowerShell, with full output capture and error redirection
- Filesystem traversal and enumeration, including hidden directories, network shares and removable media, to locate classified documents
- File operations supporting upload and download with partial-resume capability, renaming, deletion and metadata extraction
- Deployment of secondary encrypted ZIP archives downloaded from the C2, decrypted with hardcoded AES keys by a routine that discards a leading junk byte before decryption, unpacked in memory and executed without touching disk
- In some variants, auxiliary reconnaissance modules for screenshot capture at operator-defined intervals and clipboard monitoring to capture copied sensitive data
One command observed in samples targeting Pakistani military systems retrieves a password-protected ZIP container from the C2, discards the first byte of the downloaded stream, AES-decrypts the remainder, extracts the embedded binaries directly into memory and executes them. This path has been documented delivering credential-harvesting modules aimed at cached domain logons and browser-stored credentials for defence portals.
Code-level overlaps link StreamSpy to the Spyder downloader lineage, which evolved from the WarHawk backdoor family originally associated with SideWinder and has been part of Patchwork's arsenal since 2023. Shared implementation details include storage of the encrypted configuration as an HTML-formatted blob in the resource section, the same dynamic API resolution sequence (LoadLibrary and GetProcAddress chains that keep the import table sparse), and a matching AES decryption routine that discards the leading junk byte before processing. Spyder variants co-located on the same download servers as StreamSpy carry additional modules for exfiltrating browser password stores, document metadata and installed-application lists, extending the collection footprint beyond StreamSpy's baseline.
The StreamSpy binary "Annexure.exe" (MD5 of one sample: f78fd7e4d92743ef6026de98291e8dee) carries a valid digital signature whose certificate chain matches signatures on ShadowAgent samples attributed to the DoNot group (also tracked as Brainworm or APT-C-35). 360 Threat Intelligence Center had already noted the certificate in a November 2025 analysis of the same executable, and QiAnXin researchers flagged it independently. Together with overlapping PHP-based C2 endpoints, registration patterns favouring misspelled legitimate services and shared evasion routines, the certificate linkage points to resource exchange or operational collaboration among India-aligned South Asian APT clusters.
Persistence is layered and adapted to the endpoint detection and response (EDR) product present: registry Run keys for user-level execution, Scheduled Tasks registered under randomised names that mimic Windows maintenance (variations of "WindowsUpdateCheck" or "SystemMaintenanceTask"), and Startup-folder LNK shortcuts as a fallback. During initialisation the malware probes for common EDR agents and selects the least-monitored vector, which extends dwell time on compromised defence workstations.
Parallel delivery chains in the 2025 campaigns use living-off-the-land binaries to get past application control: the phishing ZIP contains an MSBuild project file that the legitimate msbuild.exe executes, loading a Python-based dropper built with a custom-modified PyInstaller runtime. The droppers carry marshalled bytecode payloads, altered executable headers to defeat signature matching and runtime manipulation that suppresses standard Python telemetry, then fetch the StreamSpy or Spyder stage from randomised PHP endpoints whose geofencing logic drops connections originating outside the targeted South Asian IP ranges.
After execution the implant opens a decoy document (genuine Pakistani defence advisories or administrative memoranda recovered from analysed lures) to maintain cover during the initial interaction. C2 infrastructure resolves mostly to commercial cloud providers and VPS ranges historically tied to Patchwork operations; WebSocket endpoints embed the string "stream" in URI paths, and the HTTP handlers accept file transfers as standard form submissions.
StreamSpy is a deliberate evolutionary step in Patchwork tooling: protocol separation, adaptive persistence and staged payload delivery all target the traffic-based detection common in Pakistani government and military networks. Its use of components borrowed from SideWinder-derived Spyder and DoNot-associated ShadowAgent shows maturing resource-sharing among regional actors, which lets each group add capability without bearing the full development cost.
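Two of the behaviours above lend themselves to cheap static checks before a lure reaches an analyst: the archive layout (a PE beside decoy documents, with an MSBuild project that carries an inline code task) and the scheduled-task persistence (maintenance-sounding names outside the Microsoft tree, actions launched from user-writable paths or through build and script hosts). The Python below is an added example for this page, not QiAnXin's or 360's tooling. The ZIP is constructed in memory with member names modelled on the ones in this report, and the task listing is a constructed subset of the columns that `schtasks /query /fo CSV /v` emits; both are assumptions, as are the regular expressions.

```python
"""Static triage for (1) a phishing ZIP carrying a PE, decoy documents and an
MSBuild project with an inline task, and (2) a scheduled-task listing with
Patchwork-style persistence.  Added example, not the actors' or the vendors'
code.  Archive contents, task rows and patterns are constructed assumptions."""
import csv
import io
import re
import zipfile

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
# MSBuild inline code execution: <UsingTask ... TaskFactory="CodeTaskFactory">
INLINE_TASK_RE = re.compile(
    rb'<UsingTask\b[^>]*TaskFactory\s*=\s*"(?:Roslyn)?CodeTaskFactory"', re.I)

SAMPLE_PROJ = b"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run"><Stage /></Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs"><![CDATA[ /* loader body omitted */ ]]></Code></Task>
  </UsingTask>
</Project>"""


def build_sample_zip():
    """Constructed lure archive (assumed layout): PE stub, decoy PDF, project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("OPS-VII-SIR/Annexure.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200)
        zf.writestr("OPS-VII-SIR/Annexure.pdf", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("OPS-VII-SIR/update.proj", SAMPLE_PROJ)
    return buf.getvalue()


def build_benign_zip():
    """Constructed control archive: a single PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("circular.pdf", b"%PDF-1.4\n% real document\n")
    return buf.getvalue()


def _ext(name):
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def scan_zip(data, max_read=64 * 1024):
    """Classify members by content (PE header) rather than by name, detect
    MSBuild inline tasks, and return a verdict.  Only the first max_read
    bytes of each member are read so a large decoy cannot stall triage."""
    result = {"pe_members": [], "disguised_pe": [], "msbuild_inline_task": [],
              "decoy_documents": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(max_read)
            name, ext = info.filename, _ext(info.filename)
            if head.startswith(b"MZ"):
                result["pe_members"].append(name)
                # PE content behind a document extension, or a double extension
                # such as "report.pdf.exe", is the disguised-executable pattern
                stem = name.rsplit("/", 1)[-1].lower()[:-len(ext)] if ext else ""
                if ext not in EXEC_EXTS or _ext(stem) in DOC_EXTS:
                    result["disguised_pe"].append(name)
            elif ext in DOC_EXTS:
                result["decoy_documents"].append(name)
            if INLINE_TASK_RE.search(head):
                result["msbuild_inline_task"].append(name)
    if result["msbuild_inline_task"] or result["disguised_pe"]:
        result["verdict"] = "likely-malicious"
    elif result["pe_members"] and result["decoy_documents"]:
        result["verdict"] = "suspicious"
    return result


# Constructed task listing (assumed subset of the verbose schtasks CSV columns)
SAMPLE_TASK_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"PK-WS-07","\Microsoft\Windows\WindowsUpdate\Scheduled Start","Ready","Microsoft Corporation","%windir%\system32\sc.exe start wuauserv","SYSTEM","At logon"
"PK-WS-07","\WindowsUpdateCheck_7f3a","Ready","PK-WS-07\user","C:\Users\user\AppData\Roaming\Annexure.exe","user","At logon"
"PK-WS-07","\SystemMaintenanceTask","Ready","PK-WS-07\user","msbuild.exe C:\Users\user\AppData\Local\Temp\update.proj","user","One time only"
"PK-WS-07","\Backup\NightlyBackup","Ready","CORP\admin","C:\Program Files\Backup\bkp.exe /nightly","SYSTEM","Daily"
'''
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
SCRIPT_HOSTS = re.compile(
    r"\b(msbuild|python\w*|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)\.exe\b", re.I)
MAINTENANCE_WORDS = re.compile(r"(update|maintenance|defender|telemetry|health|diagnostic)", re.I)
MS_TREE = "\\Microsoft\\Windows\\"


def triage_tasks(csv_text):
    """Return tasks whose name or action matches the persistence pattern,
    each with the reasons that fired, so an analyst can prioritise."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, action = row["TaskName"], row["Task To Run"]
        reasons = []
        if USER_WRITABLE.search(action):
            reasons.append("runs from user-writable path")
        if SCRIPT_HOSTS.search(action):
            reasons.append("invokes script/build host")
        if MAINTENANCE_WORDS.search(name) and not name.lower().startswith(MS_TREE.lower()):
            reasons.append("Windows-maintenance name outside " + MS_TREE)
        if reasons:
            findings.append({"task": name, "action": action,
                             "author": row["Author"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
    for f in triage_tasks(SAMPLE_TASK_CSV):
        print(f["task"], "->", f["reasons"])
```

The archive scanner keys on content, not names, because the lure's executable may carry a document extension or a double extension; a PE beside a decoy PDF is only "suspicious", but an MSBuild project with a CodeTaskFactory task, which has no business in a document bundle, raises the verdict on its own. The task triage keeps the genuine Microsoft update task off the list by checking the task path, not just the name.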
No publicly accessible primary document from permitted governmental or intergovernmental domains provides independent technical corroboration of StreamSpy artefacts or its specific deployment against Pakistani targets as of 4 January 2026. All detailed behavioural descriptions derive from coordinated private-sector analyses published by QiAnXin Threat Intelligence Center and secondary reporting aggregating those findings.
Global and Regional Defence Expenditure Trends (2024 Data)
| Concept | Key Data Point | Value | Change/Trend | Source Citation |
|---|---|---|---|---|
| World Military Expenditure | Total global spending | $2718 billion | +9.4 % year-on-year; +37 % over 2015–2024 decade | Trends in World Military Expenditure, 2024 – SIPRI – April 2025 |
| World Military Expenditure | Global military burden (% of GDP) | 2.5 % | Highest since early 1990s | Trends in World Military Expenditure, 2024 – SIPRI – April 2025 |
| NATO Expenditure | NATO members total | $1506 billion | 55 % of global total | Trends in World Military Expenditure, 2024 – SIPRI – April 2025 |
| Arms Industry Revenues | Top 100 arms-producing companies | $679 billion | +5.9 % from previous year; +26 % over 2015–2024 | SIPRI Top 100 Arms-producing and Military Services Companies, 2024 (referenced in fact sheets) |
| Arms Transfers | Global transfers (2020–2024 vs 2015–2019) | Stable overall | -0.6 % marginal decline | Trends in International Arms Transfers, 2024 – SIPRI – March 2025 |
| Arms Transfers | European imports increase | +155 % | Driven by conflict-related demand | Trends in International Arms Transfers, 2024 – SIPRI – March 2025 |
NATO Cyber Defence Developments and Exercises
| Concept | Key Element | Details | Participants/Scale | Source Citation |
|---|---|---|---|---|
| Cyber Defence Exercise | Cyber Coalition 2025 | Flagship exercise testing responses to complex threats, including critical infrastructure and multi-domain scenarios | Over 1,300 participants from 29 Allies and 7 partners; held 28 November–4 December 2025 | NATO official reporting on Cyber Coalition 2025 |
| Cyber Defence Infrastructure | NATO Integrated Cyber Defence Centre | Established post-2024 Washington Summit; enhances network protection, situational awareness, and cyberspace as operational domain | Located at SHAPE; integrates civilian, military, and industry expertise | NATO decisions from 2024 Summit |
| Cyber Defence Policy | Cyberspace Operationalization | Treated as full domain across peacetime, crisis, and conflict | Includes proactive measures and private-public collaboration | NATO Cyber Defence Policy updates |
Cyber Threat Landscape and Incidents (Broader Context)
| Concept | Key Incident/Trend | Details | Impact/Scale | Source Citation |
|---|---|---|---|---|
| Cyber Incidents Timeline | General significant incidents | Focus on state actions, espionage, and high-loss attacks since 2006 | Ongoing updates including 2024–2025 events (e.g., Chinese attacks on Taiwan doubled to 2.4 million daily in 2024) | CSIS Significant Cyber Incidents timeline |
| Regional Cyber Threats | Attacks on specific sectors | Examples include surges in Chinese-linked operations and North Korean cryptocurrency thefts | Record years for financially motivated attacks in 2024 | CSIS reporting on cyber incidents |
Patchwork APT-Specific Technical Details (Late 2025 Campaigns)
| Concept | Technical Element | Details/Examples | Evasion/Impact Mechanism |
|---|---|---|---|
| Command-and-Control Architecture | Dual-channel design | WebSocket for commands/lightweight exfiltration; HTTP for bulk file transfers | Reduces detection in monitored networks by avoiding sustained reverse-shell patterns |
| Initial Access | Spear-phishing delivery | ZIP archives (e.g., “OPS-VII-SIR.zip”) hosted on domains like firebasescloudemail[.]com; contains “Annexure.exe” | Decoy documents mimic Pakistani defence themes (operational circulars, procurement annexes) |
| Host Reconnaissance | Beacon generation | Collects BIOS UUID, MAC addresses, OS build, security products | Creates unique victim ID for operator triage of high-value targets |
| Command Repertoire | Core capabilities | Shell execution (cmd/PowerShell); filesystem enumeration; file operations; encrypted ZIP deployment (AES with junk-byte skipping); screenshot/clipboard in variants | Staged delivery of credential harvesters observed in military targets |
| Code Overlaps | Spyder integration | Identical config storage (HTML blobs in resources); dynamic API resolution; AES decryption with junk-byte discard | Borrowed from SideWinder/WarHawk family since 2023; enhanced browser password extraction |
| Digital Signature Linkage | DoNot/ShadowAgent overlap | “Annexure.exe” signed with certificate matching APT-C-35 samples | Indicates resource sharing among India-aligned clusters |
| Persistence Mechanisms | Multi-layered redundancy | Registry Run keys; Scheduled Tasks (randomised names e.g., “WindowsUpdateCheck”); Startup LNK files | Adapts based on detected EDR presence |
| Living-off-the-Land Delivery | MSBuild exploitation | ZIPs with MSBuild projects invoking msbuild.exe to load modified PyInstaller Python droppers | Marshalled bytecode and altered headers evade static detection |