{
	"id": "d1430a32-205f-4da6-a740-a31bd8fbfb02",
	"created_at": "2026-04-06T00:19:36.793115Z",
	"updated_at": "2026-04-10T03:33:54.579644Z",
	"deleted_at": null,
	"sha1_hash": "823ac975ea7d0a32d2055faeee970041e5d11a6b",
	"title": "Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1636757,
	"plain_text": "Patchwork Continues to Deliver BADNEWS to the Indian\r\nSubcontinent\r\nBy Brandon Levene, Josh Grunzweig, Brittany Barbehenn\r\nPublished: 2018-03-07 · Archived: 2026-04-05 21:20:40 UTC\r\nSummary\r\nIn the past few months, Unit 42 has observed the Patchwork group, alternatively known as Dropping Elephant and\r\nMonsoon, conducting campaigns against targets located in the Indian subcontinent. Patchwork threat actors\r\nutilized a pair of EPS exploits rolled into legitimate, albeit malicious, documents in order to propagate their\r\nupdated BADNEWS payload. The use of weaponized legitimate documents is a longstanding operational standard\r\nof this group.\r\nThe malicious documents seen in recent activity refer to a number of topics, including recent military promotions\r\nwithin the Pakistan Army, information related to the Pakistan Atomic Energy Commission, as well as Pakistan’s\r\nMinistry of the Interior.\r\nThe BADNEWS malware payload, which these malicious documents ultimately deliver, has been updated since\r\nthe last public report in December 2017. BADNEWS acts as a backdoor for the attackers, providing them with full\r\ncontrol over the victim machine. It has historically leveraged legitimate third-party websites to host the malware’s\r\ncommand and control (C2) information, acting as “dead drops”. After the C2 information has been collected,\r\nBADNEWS leverages HTTP for communication with the remote servers.\r\nWe’ve observed modifications to how the malware obtains its (C2) server information, as well as modifications to\r\nthe C2 communication. 
These changes to BADNEWS, as well as the use of recent EPS-based exploits,\r\ndemonstrate that the group is actively updating its toolsets in an effort to stay ahead of the security community.\r\nIn this posting, we detail our findings and document these changes.\r\nDelivery\r\nThe malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded\r\nEPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities. These vulnerabilities are well\r\ncovered in previous public works, which can be found from PWC and FireEye. Older documents used by\r\nPatchwork focused on the CVE-2017-0261 vulnerability; however, in late January 2018, paradoxically,\r\nnewer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability.\r\nThe lures are primarily documents of interest to Pakistani nuclear organizations and the Pakistani military as can\r\nhttps://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/\r\nPage 1 of 11\n\nbe seen in the images below:\r\nFigure 1 Lure extracted from a67220bcf289af6a99a9760c05d197d09502c2119f62762f78523aa7cbc96ef1\r\nFigure 2 Lure extracted from 07d5509988b1aa6f8d5203bc4b75e6d7be6acf5055831cc961a51d3e921f96bd\r\nFigure 3 Lure extracted from b8abf94017b159f8c1f0746dca24b4eeaf7e27d2ffa83ca053a87deb7560a571\r\nFigure 4 Lure extracted from d486ed118a425d902044fb7a84267e92b49169c24051ee9de41327ee5e6ac7c2 and\r\nfd8394b2ff9cd00380dc2b5a870e15183f1dc3bd82ca6ee58f055b44074c7fd4\r\nThe payload from each of the malicious documents is an updated version of the BADNEWS malware family.\r\nWhen the shellcode embedded within the malicious EPS is executed, the following three files are 
dropped:\r\n%PROGRAMDATA%\\Microsoft\\DeviceSync\\VMwareCplLauncher.exe\r\n%PROGRAMDATA%\\Microsoft\\DeviceSync\\vmtools.dll\r\n%PROGRAMDATA%\\Microsoft\\DeviceSync\\MSBuild.exe\r\nIn the list of dropped files, VMwareCplLauncher.exe is a legitimate, signed VMware executable that serves to\r\nultimately deliver the BADNEWS payload. The vmtools.dll file is a modified DLL that both ensures persistence\r\nand loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio\r\ntool.\r\nAfter the files are dropped, the VMwareCplLauncher.exe executable is run, which in turn loads the vmtools.dll\r\nDLL file. This DLL file creates a scheduled task named BaiduUpdateTask1, which attempts to run the malicious,\r\nspoofed MSBuild.exe every subsequent minute.\r\nThe technique of having a signed, legitimate executable load a malicious library is commonly referred to as side-loading, and has been witnessed in a number of campaigns and malware families in the past.\r\nThe flow of execution from the time the victim opens the malicious Microsoft Word document, to the execution of\r\nBADNEWS, may be seen below:\r\nFigure 5 Side-loading technique employed to deliver BADNEWS\r\nThe following image demonstrates the scheduled task created by the modified vmtools.dll to ensure BADNEWS\r\nruns and remains running on the victim machine.\r\nFigure 6 Scheduled task created to load BADNEWS\r\nBADNEWS\r\nMuch of BADNEWS has remained consistent from when it was originally discussed by Forcepoint in August\r\n2016. Additionally, recent analysis by Trend Micro notes some minor changes during 2017. 
To briefly recap, the\r\nBADNEWS malware family acts as a backdoor, with communication occurring over HTTP. A number of\r\ncommands are provided to the attackers, including the ability to download and execute additional files,\r\nupload documents of interest, and take screenshots of the desktop.\r\nThe malware collects C2 information when it is originally executed via “Dead Drop Resolvers”. Dead drop\r\nresolvers have been used by multiple threat actor groups using various malware families, and those behind\r\nPatchwork are well versed in this tactic. This tactic uses public web services to host content that contains\r\nencoded commands that are decoded by the malware.\r\nFor the remainder of the analysis in this research blog, we are discussing the following file:\r\nSHA256 290ac98de80154705794e96d0c6d657c948b7dff7abf25ea817585e4c923adb2\r\nMD5 79ad2084b057847ce2ec2e48fda64073\r\nCompile Date 2017-12-22 11:54:03 UTC\r\nOne of the first modifications we witnessed in this new variant of BADNEWS is a new mutex that is created to\r\nensure a single instance of BADNEWS is running at a given moment. This malware family used the new mutex\r\n‘com_mycompany_apps_appname_new’.\r\nThis variant of BADNEWS uses different filenames compared to previous versions. The following filenames are\r\nused by BADNEWS throughout its execution. All of these files reside in the victim’s %TEMP% directory:\r\nFilename Description\r\n9PT568.dat Contains victim unique identifier\r\nTPX498.dat Keystroke logs\r\nedg499.dat List of interesting files\r\nTPX499.dat Temporarily holds screenshot when given command by C2\r\nup Temporarily contains downloaded file to be executed when given command by C2\r\nOther changes we noticed in this variant include how the malware obfuscates C2 information stored via dead drop\r\nresolvers. 
Previous variants of BADNEWS looked for data between ‘{{’ and ‘}}’, and used a simple cipher to\r\ndecode this data. This new variant now looks for data between ‘[[’ and ‘]]’ in a number of hardcoded URLs. This\r\ncan be seen in the following images taken from hxxp://feeds.rapidfeeds[.]com/88604/, which is one of the dead\r\ndrop resolvers we encountered in this sample:\r\nFigure 7 Dead drop resolver used by BADNEWS\r\nIn order to decrypt this data, the authors have included additional steps beyond those of previous versions. To decode this\r\ninformation, BADNEWS takes the following steps:\r\n1. Base64-decode the string\r\n2. Perform the decoding cipher used in previous versions\r\n3. Base64-decode the result\r\n4. Decrypt the result using the Blowfish algorithm and a static key\r\nA script, which is included in the Appendix, will decrypt data from these dead drop resolvers. In the example\r\nshown above, we are presented with a result of 185.203.118[.]115 after all four steps are taken.\r\nBADNEWS performs many of the expected functions associated with previous versions, including keylogging and\r\nidentifying files of interest. Unlike a previously reported variant, this version of BADNEWS no longer looks at\r\nUSB drives for interesting files. Instead, it looks at fixed drives only. It continues to seek out files with the\r\nfollowing extensions:\r\n.xls\r\n.xlsx\r\n.doc\r\n.docx\r\n.ppt\r\n.pptx\r\n.pdf\r\nIn order to prepare for C2 communication, BADNEWS will aggregate various victim information, which is\r\nappended to two strings. 
These strings have the following format:\r\nuuid=[Victim ID]#un=[Username]#cn=[Hostname]#on=[OS Version]#lan=[IP Address]#nop=#ver=1.0\r\nuuid=[Victim ID]#un=[Username]#\r\nAn example of the first string may be seen below:\r\nuuid=e29ac6c0-7037-11de-816d-806e6f6e696351c5#un=Josh Grunzweig#cn=WIN-LJLV2NKIOKP#on=mav6miv1#lan=192.168.217.141#nop=#ver=1.0\r\nIt should be noted that the variables used for this string are different from previous versions. For example, in the\r\nprevious variant of BADNEWS, the victim’s unique identifier was stored under a variable named ‘uid’, the\r\nusername was stored in a variable named ‘u’, etc. Additionally, the hardcoded version string of ‘1.0’ is different\r\nfrom previous samples.\r\nC2 communication is also updated from prior versions, with the following commands now supported by\r\nBADNEWS:\r\nCommand Description\r\n0 Kill BADNEWS.\r\n4 Upload edg499.dat, which includes the list of interesting files. Spawn a new instance of BADNEWS after.\r\n5 Upload the file specified by the C2.\r\n8 Upload the TPX498.dat file, which contains the list of collected keystrokes.\r\n13 Copy file to adbFle.tmp, and upload it to the C2.\r\n23 Take screenshot, temporarily store it as TPX499.dat, and upload it to the C2.\r\n33 Download specified file to %TEMP%\\up and execute it in a new process\r\nDuring C2 communications, BADNEWS communicates over HTTP with the C2 server identified earlier. 
The\r\nfollowing hardcoded URI is used for normal communication with the C2 (note the additional forward slashes):\r\n//e3e7e71a0b28b5e96cc492e636722f73//4sVKAOvu3D//ABDYot0NxyG.php\r\nIn the event data is uploaded to the attacker, the following hardcoded URI is used (note the use of backslashes):\r\n\\e3e7e71a0b28b5e96cc492e636722f73\\4sVKAOvu3D\\UYEfgEpXAOE.php\r\nWhen initial pings are sent to the remote server, BADNEWS includes one of the two previously created strings\r\ncontaining the victim’s information. An example request in a sandboxed environment may be seen below:\r\nFigure 8 Example request made by BADNEWS\r\nTo decrypt the data provided in the POST request, a number of steps are required. First, the attackers include a\r\nseries of extra ‘=’ and ‘\u0026’ characters within the data stream. Once these are removed, the data is decoded with\r\nbase64. Finally, the result is decrypted using AES-128 and the following static key (hex-encoded):\r\nDD1876848203D9E10ABCEEC07282FF37\r\nConclusion\r\nThe Patchwork group continues to plague victims located within the Indian subcontinent. Through the use of\r\nrelatively new exploits, as well as a constantly evolving malware toolset, they aim to compromise prominent\r\norganizations and individuals to further their goals. 
Recent activity has shown a number of lures related to the\r\nPakistan Army, the Pakistan Atomic Energy Commission, as well as the Ministry of the Interior.\r\nOne of the malware families tied to this group, BADNEWS, continues to be updated both in how it uses dead drop\r\nresolvers, as well as how it communicates with a remote C2 server.\r\nPalo Alto Networks customers are protected against this threat in a number of ways:\r\nTraps blocks the exploit documents witnessed during this campaign\r\nWildFire accurately identifies the samples mentioned in this blog as malicious\r\nThe Patchwork and BADNEWS tags in AutoFocus may be used for continued monitoring and tracking of\r\nthis threat.\r\nAdditionally, the providers being used for dead drops have been notified.\r\nIndicators of Compromise\r\nMalicious Word Document SHA256 Hashes\r\na67220bcf289af6a99a9760c05d197d09502c2119f62762f78523aa7cbc96ef1\r\n07d5509988b1aa6f8d5203bc4b75e6d7be6acf5055831cc961a51d3e921f96bd\r\nfd8394b2ff9cd00380dc2b5a870e15183f1dc3bd82ca6ee58f055b44074c7fd4\r\nb8abf94017b159f8c1f0746dca24b4eeaf7e27d2ffa83ca053a87deb7560a571\r\nd486ed118a425d902044fb7a84267e92b49169c24051ee9de41327ee5e6ac7c2\r\nBADNEWS SHA256 Hashes\r\nab4f86a3144642346a3a40e500ace71badc06a962758522ca13801b40e9e7f4a\r\n290ac98de80154705794e96d0c6d657c948b7dff7abf25ea817585e4c923adb2\r\nC2 Servers\r\n185.203.118[.]115\r\n94.156.35[.]204\r\nDead Drop Resolvers\r\nhxxp://feed43[.]com/8166706728852850.xml\r\nhxxp://feed43[.]com/3210021137734622.xml\r\nhxxp://www.webrss[.]com/createfeed.php?feedid=49966\r\nhxxp://feeds.rapidfeeds[.]com/88604/\r\nScript to Decrypt Dead Drop Resolvers\r\nimport requests\r\nimport base64\r\nimport binascii\r\nimport re\r\nfrom Crypto.Cipher import Blowfish\r\n\r\n# Bit rotations on a max_bits-wide value (ror is not used by the decoder but is kept for completeness)\r\nrol = lambda val, r_bits, max_bits: (val \u003c\u003c r_bits%max_bits) \u0026 (2**max_bits-1) | ((val \u0026 (2**max_bits-1)) \u003e\u003e (max_bits-(r_bits%max_bits)))\r\nror = lambda val, r_bits, max_bits: ((val \u0026 (2**max_bits-1)) \u003e\u003e r_bits%max_bits) | (val \u003c\u003c (max_bits-(r_bits%max_bits)) \u0026 (2**max_bits-1))\r\n\r\ndef unhexData(d):\r\n  # Integer value of a single hex digit\r\n  return int(d, 16)\r\n\r\ndef decodeDecrypt(data):\r\n  # 'data' is the Base64-decoded [[...]] payload: a string of hex digits.\r\n  # Each pair of digits forms a byte that is XORed with 0x23 and rotated left\r\n  # by 3 bits (the decoding cipher used by earlier BADNEWS versions).\r\n  decdata = ''\r\n  for x in range(0, len(data) - 1, 2):\r\n    c = unhexData(data[x])\r\n    add_num = unhexData(data[x+1])\r\n    c = c \u003c\u003c 4\r\n    c = (c + add_num) \u0026 0xff\r\n    c ^= 0x23\r\n    c = rol(c, 3, 8)\r\n    decdata += chr(c)\r\n  # The cipher output is Base64 text wrapping the Blowfish-ECB ciphertext\r\n  data2 = base64.b64decode(decdata)\r\n  key = binascii.unhexlify(\"F0E1D2C3B4A5968778695A4B3C2D1E0F0011223344556677\")\r\n  cipher = Blowfish.new(key, Blowfish.MODE_ECB)\r\n  dec = cipher.decrypt(data2)\r\n  return dec\r\n\r\nurls = [\r\n  \"http://feeds.rapidfeeds.com/88604\"\r\n]\r\nfor d in urls:\r\n  r = requests.get(d)\r\n  body = r.text\r\n  # Pull the Base64 blob sitting between the [[ and ]] markers\r\n  r = re.search(r\"\\[+\\s*([a-zA-Z0-9=]+)\\]+\", body)\r\n  if r:\r\n    data = base64.b64decode(r.group(1)).decode(\"ascii\")\r\n    # The plaintext is NUL-padded; keep only the C2 address before the first NUL\r\n    c2 = decodeDecrypt(data).split(b\"\\x00\")[0].decode(\"latin-1\")\r\n    print(\"[{}] Decrypted C2: {}\".format(d, c2))\r\nSource: https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/"
	],
	"report_names": [
		"unit42-patchwork-continues-deliver-badnews-indian-subcontinent"
	],
	"threat_actors": [
		{
			"id": "ca292585-950c-400f-b632-c19fa3491fe1",
			"created_at": "2022-10-25T15:50:23.599765Z",
			"updated_at": "2026-04-10T02:00:05.417659Z",
			"deleted_at": null,
			"main_name": "MONSOON",
			"aliases": null,
			"source_name": "MITRE:MONSOON",
			"tools": [
				"TINYTYPHON",
				"BADNEWS",
				"Unknown Logger",
				"AutoIt backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/823ac975ea7d0a32d2055faeee970041e5d11a6b.pdf",
		"text": "https://archive.orkl.eu/823ac975ea7d0a32d2055faeee970041e5d11a6b.txt",
		"img": "https://archive.orkl.eu/823ac975ea7d0a32d2055faeee970041e5d11a6b.jpg"
	}
}