GBHackers News reports that the advanced persistent threat group Patchwork has deployed a PowerShell-based loader that abuses Windows Scheduled Tasks to deliver the final payload in its latest campaign.

Patchwork, also known as Monsoon, Dropping Elephant, and Hangover Group, began its attacks by distributing a Microsoft Office document carrying a malicious macro that executed a PowerShell script, according to findings from K7 Security Labs.

That script downloads an executable masquerading as the VLC media player, fetches and sideloads a fake library DLL, drops a decoy PDF in the Public Documents folder, and then creates a scheduled task that runs the executable, which in turn loads the final Patchwork payload.
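A defender-side triage script for the persistence step described above, added here as an example and not part of the GBHackers or K7 Security Labs reporting: it parses exported Task Scheduler XML (the format produced by `schtasks /query /xml`) and flags task actions that run from user-writable directories or launch a `vlc.exe` outside its normal install location. The path lists, the spoofed-name list and both sample tasks are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Task Scheduler's XML namespace, as used by "schtasks /query /xml" exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Hypothetical policy lists for this example: directories a standard user can write to,
# and the install locations where a genuine VLC binary would normally live.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TRUSTED_INSTALL = ("c:\\program files\\", "c:\\program files (x86)\\")
SPOOFED_NAMES = ("vlc.exe",)  # names the lure impersonates, per the report

def exec_commands(task_xml: str) -> list:
    """Return the <Command> value of every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    cmds = []
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS)
        cmds.append(cmd.strip().strip('"'))
    return cmds

def assess_task(task_xml: str) -> list:
    """Flag task actions that match the loader's persistence pattern."""
    findings = []
    for cmd in exec_commands(task_xml):
        low = cmd.lower()
        name = low.rsplit("\\", 1)[-1]
        if low.startswith(USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd}")
        if name in SPOOFED_NAMES and not low.startswith(TRUSTED_INSTALL):
            findings.append(f"{name} outside its install directory: {cmd}")
    return findings

# Constructed sample tasks (not real artifacts): one mimicking the reported chain, one benign.
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\Documents\\vlc.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(xml) or "no findings")
```

On a live host, feed it the XML of each task returned by `schtasks /query /xml` and review any task that produces findings alongside its creation time and author.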

Further analysis showed that the malware uses Scourgify encoding to exfiltrate command output, and supports commands for splitting large files, allocating executable memory, and capturing and uploading full-screen screenshots.

Organizations are advised to adopt strong endpoint protections to counter Patchwork's modular tooling.