StreamSpy
StreamSpy is a trojan/backdoor associated with the Indian-origin threat actor Patchwork, also tracked as Dropping Elephant and APT-Q-36, and described in reporting as used in espionage operations, including targeting Pakistan's defense sector. It has been reported as a previously undocumented malware family as of December 2025. StreamSpy uses WebSocket and HTTP for command-and-control communications, with reporting specifically noting that C2 commands were concealed within WebSocket traffic for stealth. Reported delivery includes ZIP archives hosted on firebasescloudemail[.]com. Its documented capabilities include harvesting system information, establishing persistence, executing commands, downloading files, uploading files, enumerating the file system, manipulating files, and executing both cmd and PowerShell commands. Persistence mechanisms mentioned in the supporting content include Windows Registry, scheduled tasks, or LNK files in the Startup folder. The activity is linked to Patchwork through reporting and malware/tooling similarities noted with Spyder, a variant of WarHawk attributed to SideWinder, and shared digital-signature correlations with ShadowAgent, a RAT attributed to the DoNot Team; QiAnXin also reported resource sharing between Patchwork and DoNot. High-confidence infrastructure detail directly mentioned in the content includes distribution via firebasescloudemail[.]com.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Patchwork APT Deploys StreamSpy Trojan, Hiding C2 Commands in WebSocket Traffic for Stealth Espionage
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
StreamSpy is a backdoor used by the Patchwork APT group for cyber-espionage operations.
A Python-based remote access trojan (RAT) used by Patchwork APT, supporting C2 via WebSocket and HTTP, file transfer, system information harvesting, and persistence mechanisms.
Trojan attributed by the source to the 'Maha Grass' organization; uses WebSocket (with a 'stream' string in the interface) for interactive command/results and HTTP for file transfer; noted similarities to Spyder.
A trojan reportedly used for stealth espionage, with C2 commands hidden in WebSocket traffic.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.