A group of Indian cyberspies has apparently been infected by their own custom remote access trojan (RAT), exposing their operations to security researchers.

The threat actor is said to have been active since December 2015 or earlier and is tracked as PatchWork because of its copy-pasted code.

During the PatchWork campaign that ran from around November to December 2021, Malwarebytes Labs noticed that the threat actors were using sketchy RTF documents posing as Pakistani authorities to hit targets with a variant of the BADNEWS RAT known as Ragnatela.

Ragnatela allows the culprits to execute commands, record keystrokes, take screenshots, steal sensitive files, upload files, see the list of running apps, and deploy other payloads.


Malwarebytes Labs said that it was able to expose the culprits because they were infected by their own RAT, which let the security researchers gather the culprits' screenshots and keystrokes.

When the researchers found out that the people behind PatchWork were infected by the RAT, they monitored the operators using VirtualBox and VMware.

With this, the researchers were able to identify the group's victims, which included the Pakistan Ministry of Defense, molecular medicine and biological science departments of different universities, and more.

PatchWork is said to be behind cyberattacks and spear-phishing campaigns against US think tanks in March 2018 and European government organizations in May 2016.

