{
	"id": "1faa81af-19c4-4a66-a00a-6b6e79491c98",
	"created_at": "2026-04-06T00:13:24.534784Z",
	"updated_at": "2026-04-10T03:33:54.650382Z",
	"deleted_at": null,
	"sha1_hash": "0a8c5c56a12a5c817a70a6575f07f20f407aa335",
	"title": "The Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4407512,
	"plain_text": "The Patchwork group has updated its arsenal, launching attacks\r\nfor the first time using Brute Ratel…\r\nBy Knownsec 404 team\r\nPublished: 2024-07-18 · Archived: 2026-04-05 14:36:52 UTC\r\nThe Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel C4 and an enhanced version of PGoShell\r\nAuthor: K\u0026XWS@Knownsec 404 Team\r\nChinese version: https://paper.seebug.org/3199/\r\n1 Overview\r\nRecently, the Knownsec 404 Advanced Threat Intelligence Team detected a suspected attack by the Patchwork group targeting Bhutan. The sample not only loads the Go language backdoor that has been discovered repeatedly (referred to as “PGoShell”) but also significantly enhances its functionality. Additionally, for the first time, the sample uses the red team tool Brute Ratel C4, marking a notable recent update to the group’s arsenal. Over the past two years, the Patchwork group has shown greater enthusiasm for technological advancement than other similar groups, continually updating its arsenal and loading methods. To date, over 10 different types of trojans and loading methods used by the group have been identified. The following is an analysis and description of this recent discovery.\r\n2 Background of the organization\r\nPatchwork (also known as Dropping Elephant) is a highly active advanced persistent threat (APT) group that has been operating since 2014. Patchwork primarily targets government, defense, and diplomatic organizations, as well as universities and research institutions in East Asia and South Asia.\r\n3 Chains of attack\r\n[attack chain diagram]\r\nhttps://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87\r\nPage 1 of 14\r\n4 Synthesis of samples\r\nThe sample captured this time is an LNK file, primarily designed to download a decoy document and the subsequent payloads. Analysis of the payloads revealed that this attack employed PGoShell and the red team framework Brute Ratel C4. Details are as follows.\r\n4.1 Lnk Analysis Description\r\nThe LNK file is named Large_Innovation_Project_for_Bhutan.pdf.lnk. When file extensions are hidden, users are highly likely to mistake this executable shortcut for a PDF document. Additionally, when a .lnk file is executed, any script parameters contained within it are also executed.\r\nlnk parameters\r\nThe parameters perform the following operations:\r\n1. Operation 1:\r\nAccess and download the file from the URI (hxxps://adaptation-funds.org/documents/Large_Innovation_Project_for_Bhutan.pdf) to the local path C:\\Users\\Public\\Large_Innovation_Project_for_Bhutan.pdf. This file is a decoy document. After the download is complete, execute the file.\r\nScreenshot of part of the decoy document\r\nThe decoy document contains a project proposal for Bhutan by the Adaptation Fund Board, suggesting that the attack targets organizations and individuals associated with Bhutan.\r\n2. Operation 2:\r\nAccess and download data from the URI (hxxps://beijingtv.org/wpytd52vDw/brtd2389aw) to the local path C:\\Users\\Public\\hal, then rename it to C:\\Users\\Public\\edputil.dll. Note that the domain name appears to impersonate Beijing TV station.\r\n3. Operation 3:\r\nAccess and download data from the URI (hxxps://beijingtv.org/ogQas32xzsy6/fRgt9azswq1e) to the local path C:\\Users\\Public\\sam, then rename it to C:\\Users\\Public\\Winver.exe.\r\n4. Operation 4:\r\nCopy resmon.exe from the system directory to C:\\Users\\Public\\resmon.exe and create a scheduled task named “MicroUpdate” that runs every minute with its target set to C:\\Users\\Public\\resmon.exe. Create another scheduled task named “MicroUppdate” that also runs every minute, with its target set to C:\\Users\\Public\\Winver.exe. Finally, delete the LNK file.\r\n4.2 Analysis of Brute Ratel C4 (edputil.dll)\r\n4.2.1 Brute Ratel C4 loader analysis description\r\nresmon.exe is a legitimate system file; when it runs, it loads edputil.dll. Following Windows’ default DLL loading behavior, the edputil.dll placed in the same directory as resmon.exe is the one loaded. Additionally, edputil.dll is packed with Themida:\r\n.themida section within the segment of edputil.dll\r\nEventually, resmon.exe calls the exported function EdpGetIsManaged from edputil.dll.\r\nThe export table of edputil.dll\r\nThe exported function EdpGetIsManaged serves as the Brute Ratel C4 loader. The attackers first use a custom hash algorithm to resolve API addresses:\r\nUsing hash to obtain API addresses\r\nTo unhook and evade debugging, the loader obtains the system call number corresponding to the function, then locates the address of a “syscall” instruction. For example, for the NtProtectVirtualMemory function, the system call number is “0x50”:\r\nObtain the syscall number and the address of the “syscall”\r\nSubsequently, whenever NtProtectVirtualMemory is needed, the loader simply places the system call number (0x50) in EAX and then jumps to the address of the “syscall” instruction to execute the function. Because the user-mode API stub is never called, traditional breakpoints set on it become ineffective:\r\nSyscall invocation code snippet\r\nThe loader writes shellcode into allocated memory, changes the protection of the newly allocated memory, and creates a thread with NtCreateThreadEx to execute it:\r\nExecution of shellcode\r\nThe primary function of the shellcode is to load the final payload (Brute Ratel C4). It begins with debugger detection, comparing the value of NtGlobalFlag in the Process Environment Block (PEB). If the value is 0x70, it terminates execution:\r\nDebugger detection\r\nIt then obtains the addresses of the APIs needed for subsequent use:\r\nObtain API address\r\nNext, it performs a system time check. If the current system time exceeds the hardcoded timestamp (0x66c0666d), it terminates execution:\r\nRuntime detection\r\nIt decrypts the filename (chakra.dll) using the RC4 algorithm; this DLL serves as the carrier for Brute Ratel C4:\r\nDecrypt data\r\nAfter loading chakra.dll, the final payload Brute Ratel C4, with its “MZ” header removed, is written into the address space of chakra.dll. The shellcode then simulates the loading of Brute Ratel C4:\r\nBrute Ratel C4 without the “MZ” header\r\nWrite data into the memory space of chakra.dll\r\nIt obtains the Original Entry Point (OEP) and jumps to it, ultimately running the Brute Ratel C4 payload:\r\nJump to the OEP to execute\r\n4.2.2 Brief description of Brute Ratel C4\r\nBrute Ratel C4 is a red team framework regarded as an alternative to Cobalt Strike. The framework provides functionality such as file management, port scanning, file upload and download, and screen capture. Below is a screenshot of the configuration for this payload, with the configuration fields separated by “|”.\r\nScreenshot of Brute Ratel C4 configuration\r\n4.3 Analysis of PGoShell (Winver.exe)\r\nPGoShell is developed in the Go programming language. Overall, it offers a rich set of functionality, including a remote shell, screen capture, and downloading and executing payloads. It was initially named for its primary feature, the remote shell. Below are detailed reverse engineering findings:\r\nIt initializes the URI, RC4 key, and User-Agent. In this sample, the RC4 key is “0g8RXt137ODBeqPhTv2XYjgmnxUsijfc”.\r\nInitialize URI, RC4 key\r\nIt checks whether HKCU\\Software\\Microsoft\\WinTemp exists; if it does, it retrieves the value of the temp key. If it does not, it generates a random string, encrypts it with RC4, base64-encodes it, and writes the encrypted value there. This value serves as the ID uploaded to the server.\r\nUpon entering the information collection and interaction module, PGoShell first attempts to gather host information including the hostname, username, current public IP address of the host, country information based on the IP (obtained by querying ip-api.com), current system version, current execution path, process PID, and PROCESSOR_ARCHITECTURE. Once collected, it concatenates this data, separating each piece of information with “||”.\r\nFetch host information and concatenate them\r\nAll data sent by PGoShell is encrypted with RC4 and then base64-encoded (the main_AESENC function in the screenshot is named to mislead analysts; internally, it actually uses RC4 followed by base64 encoding):\r\nThe RC4 key and its decrypted data\r\nSubsequently, the concatenated data is sent to the server, and data is retrieved from the server using the POST method for both the online check-in and interaction uploads.\r\nSome of the PGoShell functions are listed in the table below:\r\n[table of PGoShell functions, provided as an image]\r\n5 Summary\r\nThe captured attack activity primarily used a proposal from the Adaptation Fund Board regarding a project in Bhutan as bait, targeting entities suspected to be related to Bhutan. In this attack campaign, the Patchwork organization was observed using Brute Ratel C4 as a weapon for the first time. The entire loading and execution process of Brute Ratel C4 takes place purely in memory, effectively evading detection by endpoint security measures. Throughout the loading process, it repeatedly performs anti-debugging and unhooking operations, and enforces execution time restrictions. This indicates that the organization is actively expanding its arsenal. According to online sources, the author of Brute Ratel C4 is reportedly from India.\r\nCurrently, the price of this tool is $3000 USD, and the Patchwork organization may potentially receive a discount when purchasing it.\r\nFurthermore, we have observed significant expansion in the functionality of the PGoShell used in this instance, making it more advanced than previously discovered attack samples. As a homegrown backdoor tool of this organization, PGoShell has undergone extensive feature updates, underscoring its critical importance to the Patchwork organization. We have reason to believe that PGoShell has helped Patchwork achieve significant success in past attack campaigns. In the future, the organization may increasingly use this tool to launch further attacks.\r\n6 IOC\r\nC2:\r\nBeijingtv[.]org\r\nCartmizer[.]info\r\nlongwang.b-cdn[.]net\r\n7 Reference\r\nhttps://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\r\nSource: https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87"
	],
	"report_names": [
		"the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a8c5c56a12a5c817a70a6575f07f20f407aa335.pdf",
		"text": "https://archive.orkl.eu/0a8c5c56a12a5c817a70a6575f07f20f407aa335.txt",
		"img": "https://archive.orkl.eu/0a8c5c56a12a5c817a70a6575f07f20f407aa335.jpg"
	}
}