The code used by this threat actor is copy-pasted from various online forums. In active victim systems, Patchwork immediately searches for and uploads documents to their C&C, and only if the target is deemed valuable enough, proceeds to install a more advanced second stage malware.
It is impossible to reach clear attribution from the information available. Cymmetria included an attribution section in this document to document their research efforts in this regard.
It is the first targeted threat Cymmetria captured using a commercial deception product. According to their report, they were able to catch the threat actor’s second stage toolset, as well as lateral movement activity.
The full report can be found here: https://cymmetria.com/patchwork-targeted-attack/
All of the IOCs for this report can be found in Cymmetria's GitHub repository. The IOCs are provided in CSV and STIX formats: