The Patchwork group has updated its arsenal, launching attacks
for the first time using Brute Ratel…
By Knownsec 404 team
Published: 2024-07-18 · Archived: 2026-04-05 14:36:52 UTC
The Patchwork group has updated its arsenal, launching attacks for the first time
using Brute Ratel C4 and an enhanced version of PGoShell
Author：K&XWS@Knownsec 404 Team
Chinese version: https://paper.seebug.org/3199/
1 Overview
Recently, Knownsec 404 Advanced Threat Intelligence Team has detected a suspected attack by the Patchwork
group targeting Bhutan. This sample not only loads the repeatedly discovered Go language backdoor (referred to
as “PGoShell”) but also significantly enhances its functionality. Additionally, for the first time, the sample uses the
red team tool Brute Ratel C4, marking a notable recent update to their arsenal. Over the past two years, the
Patchwork group has demonstrated greater enthusiasm for technological advancements compared to other similar
groups, continually updating its arsenal and loading methods. To date, over 10 different types of trojans and
loading methods used by the group have been identified. The following is an analysis and description of this
recent discovery.
2 Background of the organization
Patchwork (also known as Dropping Elephant) is a highly active advanced persistent threat (APT) group that has
been operating since 2014. Patchwork primarily targets government, defense, and diplomatic organizations, as
well as universities and research institutions in East Asia and South Asia.
3 Chains of attack
Press enter or click to view image in full size
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 1 of 14

4 Synthesis of samples
The sample captured this time is a Lnk file, primarily designed to download decoy files and subsequent payloads.
Analysis of the payload revealed that this attack employed weapons including PGoShell and the red team
framework Brute Ratel C4. Details are as follows.
4.1 Lnk Analysis Description
The name of lnk file is Large_Innovation_Project_for_Bhutan.pdf.lnk , When users do not display file extensions,
it is highly likely that they might mistake executable files for PDF documents. Additionally, when executing a .lnk
file, any script parameters contained within the .lnk file will also execute.
Press enter or click to view image in full size
lnk parameters
The parameter contains the following operations:
1.Operation 1:
Access and download the file from uri (hxxps://adaptation-funds.org/documents/Large_Innovation_Project_for_Bhutan.pdf) to the local directory
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 2 of 14

C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf . This file is a decoy document. After the
download is complete, execute the file.
Press enter or click to view image in full size
Screenshot of part of the decoy document
The decoy document contains a project proposal for Bhutan by the Adaptation Fund Board, suspected to be
targeting organizations and individuals associated with Bhutan.
2.Operation 2:
Access and download the data from uri (hxxps://beijingtv.org/wpytd52vDw/brtd2389aw) to the local directory
C:\Users\Public\hal , and rename it to C:\Users\Public\edputil.dll . Note that the domain name appears
to be impersonating Beijing TV station.
3.Operation 3:
Access and download the data from uri (hxxps://beijingtv.org/ogQas32xzsy6/fRgt9azswq1e) to the local directory
C:\Users\Public\sam , and rename it to C:\Users\Public\Winver.exe .
4.Operation 4:
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 3 of 14

Copy resmon.exe from the system directory to C:\Users\Public\resmon.exe, create a scheduled task named
“MicroUpdate” that runs every minute, with the target set to C:\Users\Public\resmon.exe. Create another
scheduled task named “MicroUppdate” that also runs every minute, with the target set to
C:\Users\Public\Winver.exe. Eventually, delete the LNK file.
4.2 Analysis of Brute Ratel C4 (edputil.dll)
4.2.1 Brute Ratel C4 loader analysis description
resmon.exe is a system file , After it runs, edputil.dll will load. Following Windows’ default loading behavior,
edputil.dll located in the same directory as resmon.exe will be loaded. Additionally, edputil.dll is packed using
Themida:
Press enter or click to view image in full size
.themida section within the segment of edputil.dll
Eventually, resmon.exe loads the exported function EdpGetIsManaged from edputil.dll.
Press enter or click to view image in full size
The export table of edputil.dll
The main function exported by EdpGetIsManaged is to serve as the Brute Ratel C4 loader. Attackers first utilize a
custom hash algorithm to obtain api addresses:
Press enter or click to view image in full size
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 4 of 14

Using hash to obtain api addresses
To achieve objectives of unhooking and anti-debugging, attackers will obtain the system call number
corresponding to the function, then locate the address of the “syscall” instruction. For example, in the case of the
NtProtectVirtualMemory function, the system call number is “0x50”:
Press enter or click to view image in full size
Obtain the syscall number and the address of the “syscall”
Subsequently, if there’s a need to call NtProtectVirtualMemory, you simply pass the system call number (0x50)
into EAX , and then invoke the address of the “syscall” instruction to execute the function. By using this calling
method, traditional breakpoint mechanisms become ineffective:
Press enter or click to view image in full size
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 5 of 14

Syscall invocation code snippet
Write shellcode into allocated memory, change the protection of the newly allocated memory, and create a thread
using NtCreateThreadEx to execute it:
Press enter or click to view image in full size
Execution of shellcode
The primary function of the shellcode is to load the final payload (Brute Ratel C4). It begins by performing
debugger detection, then compares the value of NtGlobalFlag in the Process Environment Block (PEB). If the
value is 0x70, it will terminate execution:
Press enter or click to view image in full size
Debugger detection
Obtain the addresses of APIs needed for subsequent use:
Press enter or click to view image in full size
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 6 of 14

Obtain api address
Next, perform a system time check. if the current system time exceeds the hardcoded timestamp (0x66c0666d),
terminate execution:
Press enter or click to view image in full size
Runtime detection
Decrypt the filename (chakra.dll) using the RC4 algorithm, which serves as the carrier for Brute Ratel C4:
Press enter or click to view image in full size
Decrypt data
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 7 of 14

After loading chakra.dll, the final payload Brute Ratel C4, with the “MZ” header removed, is written into the
address space of chakra.dll. Subsequently, it simulates the loading of Brute Ratel C4:
Press enter or click to view image in full size
Brute Ratel C4 without the “MZ” header
Press enter or click to view image in full size
Write data into the memory space of chakra.dll
Obtain the Original Entry Point (OEP) and perform a jump to execute it, ultimately running the Brute Ratel C4
payload:
Press enter or click to view image in full size
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 8 of 14

Jump to the OEP to execute
4.2.2 Brief description of Brute Ratel C4
Brute Ratel C4 is a red team framework seen as an alternative to Cobalt Strike. This framework enables
functionalities such as file management, port scanning, file upload and download, screen capture, etc. Below is a
screenshot of the configuration for this payload, with configurations separated by “|”.
Screenshot of Brute Ratel C4 configuration
4.3 Analysis of PGoShell (Winver.exe)
PGoShell is developed in the Go programming language, overall, it offers a rich set of functionalities, including
remote shell capabilities, screen capture, and downloading and executing payloads.It was initially named for its
primary feature of remote shell capability. Below are detailed reverse engineering analysis findings related to it:
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 9 of 14

Get Knownsec 404 team’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
Initialize URI, RC4 key, User-Agent. In this sample, the RC4 key is “0g8RXt137ODBeqPhTv2XYjgmnxUsijfc”.
Press enter or click to view image in full size
Initialize URI、 RC4 key
Detect if HKCU\Software\Microsoft\WinTemp exists, if it does, retrieve the value corresponding to the temp key.
If it does not exist, generate a random string, encrypt it using RC4 followed by base64 encoding, and write this
encrypted value. This value will serve as the ID to be uploaded to the server.
Press enter or click to view image in full size
Upon entering the information collection and interaction module, PGoShell first attempts to gather host
information including hostname, username, current public IP address of the host, country information based on IP
(obtained from querying ip-api.com), current system version, current execution path, process PID, and
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 10 of 14

PROCESSOR_ARCHITECTURE information. Once collected successfully, it concatenates this data, separating
each piece of information with “||”.
Press enter or click to view image in full size
Fetch host information and concatenate them
All data obtained by PGoShell is encoded using RC4 followed by base64 encoding.(main_AESENC function in
the screenshot is designed to confuse analysts; internally, it actually uses RC4 followed by base64 encoding):
Press enter or click to view image in full size
The RC4 key and its decrypted data
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 11 of 14

Subsequently, the concatenated data is sent to the server, and data is retrieved from the server using the POST
method for both online information and interaction uploads.
Some of the PGoShell functions are listed in the table below:
Press enter or click to view image in full size
5 Summary
The captured attack activity primarily used a proposal from the Adaptation Fund Board regarding a project in
Bhutan as bait, targeting entities suspected to be related to Bhutan. In this attack campaign, Patchwork
organization was observed using Brute Ratel C4 as their weapon for the first time.The entire loading and
execution process of Brute Ratel C4 involves pure in-memory loading, effectively evading detection by endpoint
security measures. Throughout the loading process, it repeatedly engages in anti-debugging and unhooking
operations, and enforces execution cycle restrictions. This indicates that the organization is actively expanding its
arsenal. According to online sources, the author of Brute Ratel C4 is reportedly from India.
Press enter or click to view image in full size
Press enter or click to view image in full size
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 12 of 14

Currently, the price of this tool is $3000 USD, and Patchwork organization may potentially receive a discount
when purchasing it.
Press enter or click to view image in full size
Furthermore, we have observed significant expansion in the functionality of PGoShell used in this instance,
making it more advanced compared to previously discovered attack samples. As a homegrown backdoor tool of
this organization, PGoShell has undergone extensive feature updates, underscoring its critical importance to the
Patchwork organization.We have reason to believe that PGoShell has helped Patchwork achieve significant
success in past attack campaigns. In the future, the organization may increasingly utilize this tool to launch further
attacks.
6 IOC
C2：
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 13 of 14

Beijingtv[.]org
Cartmizer[.]info
longwang.b-cdn[.]net
7 Reference
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
Source: https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brut
e-ratel-175741987d87
https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
Page 14 of 14