Eyeshell

Malware updated 4 months ago (2024-05-05T05:17:54.777Z)
EyeShell is a .NET-based modular backdoor developed and deployed by the India-linked threat actor known as Patchwork APT. It establishes contact with a remote command-and-control (C2) server and, on instruction, enumerates files and directories, downloads files to and uploads files from the host, executes specified files, deletes files, and captures screenshots. It typically infiltrates systems without the user's knowledge and can cause significant harm by stealing personal information, disrupting operations, or holding data hostage for ransom.

Patchwork APT has been observed targeting universities and research organizations in China with the EyeShell backdoor. These observations were made by researchers from the Knownsec 404 Advanced Threat Intelligence Team, who have been tracking Patchwork APT for the past two years. The group's activity involves not only EyeShell but also other custom implants such as Badnews on compromised systems. In its most recent campaign, Patchwork APT escalated its attacks by deploying both the EyeShell backdoor and the Badnews implant simultaneously on targeted systems, increasing the damage and control the threat actor can exert over compromised hosts. Given the sophistication of these threats, organizations should maintain robust security measures to detect and neutralize such attacks promptly.
Description last updated: 2024-05-05T04:38:07.932Z
Aliases: none currently tracked
Miscellaneous Associations: none listed (other elements of context that could aid in identifying relevance)
Source Document References
Information about the EyeShell malware was read from the documents below (display limited to 20 results).
Source / Created / Title:
CERT-EU / a year ago / Cyber Security Week in Review: August 4, 2023
CERT-EU / a year ago / India-linked Patchwork APT targets Chinese research orgs with EyeShell backdoor