{
	"id": "fcbe3608-0f31-4ce6-8c20-b01c47a4520e",
	"created_at": "2026-04-06T00:17:05.602592Z",
	"updated_at": "2026-04-10T13:12:12.372749Z",
	"deleted_at": null,
	"sha1_hash": "278673a18cf0b2916627fdb0a7891421998a0490",
	"title": "Patchwork APT caught in its own web",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1377995,
	"plain_text": "Patchwork APT caught in its own web\r\nPublished: 2022-01-07 · Archived: 2026-04-02 12:00:58 UTC\r\nThreat Intelligence Team\r\nJanuary 7, 2022\r\nThreat Intelligence Team\r\nPatchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via\r\nspear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has\r\nused malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT).\r\nWhat is interesting among victims of this latest campaign, is that the actor has for the first time targeted several\r\nfaculty members whose research focus is on molecular medicine and biological science.\r\nInstead of focusing entirely on victimology, we decided to shade some light on this APT. Ironically, all the\r\ninformation we gathered was possible thanks to the threat actor infecting themselves with their own RAT,\r\nresulting in captured keystrokes and screenshots of their own computer and virtual machines.\r\nRagnatela\r\nWe identified what we believe is a new variant of the BADNEWS RAT called Ragnatela being distributed via\r\nspear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the\r\nproject name and panel used by Patchwork APT.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/\r\nPage 1 of 8\n\nRagnatela RAT was built sometime in late November as seen in its Program Database (PDB)\r\npath “E:new_opsjlitest __change_ops -29no – CopyReleasejlitest.pdb”. 
It features the following capabilities:\r\nExecuting commands via cmd\r\nCapturing screenshots\r\nLogging keystrokes\r\nCollecting a list of all the files on the victim’s machine\r\nCollecting a list of the applications running on the victim’s machine at specific time periods\r\nDownloading additional payloads\r\nUploading files\r\nIn order to distribute the RAT onto victims, Patchwork lures them with documents impersonating Pakistani\r\nauthorities. For example, a document called EOIForm.rtf was uploaded by the threat actor onto their own server at\r\nkarachidha[.]org/docs/.\r\nThat file contains an exploit (Microsoft Equation Editor) which is meant to compromise the victim’s computer and\r\nexecute the final payload (RAT).\r\nThat payload is stored within the RTF document as an OLE object. We can deduce the file was created on\r\nDecember 9 2021 based on the source path information.\r\nRagnatela RAT communicates with the attacker’s infrastructure via a server located at bgre.kozow[.]com.
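As an added example (not code from the Malwarebytes post or from Patchwork's own tooling), the Python script below performs the two checks a responder would want from the details above: it pulls the OLE1 object out of an RTF's objdata control word, reports the object's class name (an Equation Editor class inside a form that needs no equations is exactly the lure described above) and the SHA-256 of the embedded native data, and it matches file hashes and defanged domains against the indicators listed at the end of the post. The sample RTF is constructed inline so the script runs offline; its class name and payload bytes are illustrative and are not the real lure, and the karachidha.org entry in the domain set is taken from the lure URL above. Parsing covers a plain hex objdata group holding an embedded-object OLE1 container, which is the common case for these lures; binary bin runs and linked objects are not handled.

```python
import binascii
import hashlib
import struct

# IoCs copied from the post's Indicators of Compromise section.
KNOWN_BAD_SHA256 = {
    '5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6': 'EOIForm.rtf (lure)',
    '3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3': 'jli.dll (Ragnatela RAT)',
}
KNOWN_BAD_DOMAINS = {'bgre.kozow.com', 'karachidha.org'}   # C2 and lure host from the post

BACKSLASH = chr(92)                  # RTF control words start with a backslash
OBJDATA_TAG = BACKSLASH + 'objdata'
HEX_DIGITS = set('0123456789abcdefABCDEF')


def refang(indicator):
    '''Turn a defanged indicator such as bgre[.]kozow[.]com back into a real name.'''
    return indicator.replace('[.]', '.').replace('hxxp', 'http').lower().strip()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def extract_objdata_blobs(rtf_bytes):
    '''Decode the hex body of every objdata group in an RTF document.

    The hex runs from the control word to the closing brace of its group; RTF
    writers wrap it over many lines, so every non-hex character is dropped.
    '''
    text = rtf_bytes.decode('latin-1')
    blobs, pos = [], 0
    while True:
        start = text.find(OBJDATA_TAG, pos)
        if start < 0:
            return blobs
        start += len(OBJDATA_TAG)
        end = text.find('}', start)
        if end < 0:
            end = len(text)
        hexchars = ''.join(c for c in text[start:end] if c in HEX_DIGITS)
        blobs.append(binascii.unhexlify(hexchars[:len(hexchars) // 2 * 2]))
        pos = end


def _lp_string(data, off):
    '''LengthPrefixedAnsiString: u32 length (NUL included) followed by the bytes.'''
    (n,) = struct.unpack_from('<I', data, off)
    off += 4
    return data[off:off + n].rstrip(bytes(1)).decode('latin-1'), off + n


def parse_ole1_object(blob):
    '''Parse the OLE1 container that objdata holds (MS-OLEDS ObjectHeader + EmbeddedObject).'''
    try:
        _version, format_id = struct.unpack_from('<II', blob, 0)
        if format_id != 2:           # 2 = embedded object; 1 = link; 0 = not an OLE object
            return None
        off = 8
        class_name, off = _lp_string(blob, off)
        _topic, off = _lp_string(blob, off)
        _item, off = _lp_string(blob, off)
        (native_size,) = struct.unpack_from('<I', blob, off)
    except struct.error:
        return None                  # header cut short: not a usable OLE1 object
    native = blob[off + 4:off + 4 + native_size]
    return {'class_name': class_name, 'native_size': native_size,
            'truncated': len(native) < native_size, 'sha256': sha256_hex(native)}


def triage_rtf(rtf_bytes):
    '''One finding per embedded object; Equation Editor classes are flagged.'''
    findings = []
    for blob in extract_objdata_blobs(rtf_bytes):
        obj = parse_ole1_object(blob)
        if obj is None:
            continue
        obj['equation_editor'] = obj['class_name'].lower().startswith('equation')
        obj['known_ioc'] = KNOWN_BAD_SHA256.get(obj['sha256'])
        findings.append(obj)
    return findings


def match_iocs(file_hashes=(), domains=()):
    '''Return the supplied hashes and (possibly defanged) domains that are known IoCs.'''
    hits = {h: KNOWN_BAD_SHA256[h.lower()] for h in file_hashes if h.lower() in KNOWN_BAD_SHA256}
    hits.update({d: 'C2 / lure host' for d in domains if refang(d) in KNOWN_BAD_DOMAINS})
    return hits


def build_sample_rtf(class_name, payload):
    '''Constructed test document: one embedded OLE1 object inside a minimal RTF.'''
    def lp(s):
        raw = s.encode('latin-1') + bytes(1)
        return struct.pack('<I', len(raw)) + raw
    ole1 = struct.pack('<II', 0x501, 2) + lp(class_name) + lp('') + lp('')
    ole1 += struct.pack('<I', len(payload)) + payload
    hexdata = binascii.hexlify(ole1).decode('ascii')
    wrapped = chr(10).join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    rtf = ('{' + BACKSLASH + 'rtf1{' + BACKSLASH + 'object' + BACKSLASH + 'objemb{'
           + BACKSLASH + '*' + BACKSLASH + 'objdata ' + wrapped + '}}}')
    return rtf.encode('latin-1')


# Illustrative payload bytes, not the real RAT dropper.
SAMPLE_PAYLOAD = b'MZ' + bytes(range(256)) * 4
SAMPLE_RTF = build_sample_rtf('Equation.3', SAMPLE_PAYLOAD)

if __name__ == '__main__':
    for finding in triage_rtf(SAMPLE_RTF):
        print(finding)
    print(match_iocs(domains=['bgre[.]kozow[.]com', 'example.com']))
```

On a real sample, feed the bytes of the RTF to triage_rtf and compare the reported sha256 of the native data, as well as the hash of the document itself, against the IoC table; a class name beginning with Equation in a document that is supposed to be a government form is the signal to escalate even when the hashes do not match.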
Prior to\r\nlaunching this campaign (in late November), the threat actor tested that their server was up and running properly.\r\nThe RAT (jli.dll) was also tested in late November, before its final compilation on 2021-12-09, along with\r\nMicroScMgmt.exe, which is used to side-load it.\r\nAlso in late November, we can see the threat actor testing the side-loading on a typical victim machine.\r\nVictims and victim\r\nWe were able to gain visibility on the victims that were successfully compromised:\r\nMinistry of Defense - Government of Pakistan\r\nNational Defense University of Islamabad\r\nFaculty of Bio-Science, UVAS University, Lahore, Pakistan\r\nInternational Center for Chemical and Biological Sciences\r\nHEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of\r\nKarachi\r\nSHU University, Molecular medicine\r\nAnother – unintentional – victim is the threat actor himself, who appears to have infected his own development\r\nmachine with the RAT. We can see them running both VirtualBox and VMware to do web development and\r\ntesting. Their main host has dual keyboard layouts (English and Indian).\r\nOther information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they\r\nhaven’t updated their Java yet. On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask\r\ntheir IP address.\r\nUnder the VPN they log into their victim’s email and other accounts stolen by the RAT.\r\nConclusion\r\nThis blog gave an overview of the latest campaign from the Patchwork APT. 
While they continue to use the same\r\nlures and RAT, the group has shown interest in a new kind of target. Indeed, this is the first time we have observed\r\nPatchwork targeting molecular medicine and biological science researchers.\r\nThanks to data captured by the threat actor’s own malware, we were able to get a better understanding of who\r\nsits behind the keyboard. The group makes use of virtual machines and VPNs to develop, push updates and\r\ncheck on their victims. Patchwork, like some other South Asian APTs, is not as sophisticated as its Russian and\r\nNorth Korean counterparts.\r\nIndicators of Compromise\r\nLure\r\nkarachidha[.]org/docs/EOIForm.rtf\r\n5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6\r\nRAT\r\njli.dll\r\n3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3\r\nC2\r\nbgre[.]kozow[.]com\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/"
	],
	"report_names": [
		"patchwork-apt-caught-in-its-own-web"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/278673a18cf0b2916627fdb0a7891421998a0490.pdf",
		"text": "https://archive.orkl.eu/278673a18cf0b2916627fdb0a7891421998a0490.txt",
		"img": "https://archive.orkl.eu/278673a18cf0b2916627fdb0a7891421998a0490.jpg"
	}
}