Threat actor Patchwork accidentally attacked itself with a RAT

Patchwork attacking itself allowed Malwarebytes to see how the threat actor operates.

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

What you need to know

What you need to know

Patchwork, a threat actor based in India, accidentally infected itself with a Remote Administration Trojan (RAT). The ironic incident was discovered by Malwarebytes, which took the opportunity to gain insight as to how Patchwork utilizes RTF files to spread the BADNEWS (Ragnatela) RAT.

“Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines,“explained Malwarebytes.

As part of a recent attack, Patchwork spread malicious files by impersonating Pakistani authorities. Documents were sent out as attachments that appeared to be legitimate and important. Instead, the files contained an exploit that can compromise a computer and then execute the RAT.

The following organizations were successfully compromised by the efforts of Patchwork, according to Malwarebytes:

Patchwork also infected itself with the RAT, which gave Malwarebytes access to quite a bit of information. Malwarebytes was able to see that Patchwork uses VirtualBox and VMWare for development. The security firm also determined that Patchwork uses VPN Secure and CyberGhost to mask its IP address.

Comedically, Malwarebytes was also able to determine the local weather of Patchwork’s machines. “Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven’t updated their Java yet.”

Malwarebytes notes that Patchwork is not as sophisticated as similar attackers in Russia and North Korea.

Get the Windows Central Newsletter

Get the Windows Central Newsletter

All the latest news, reviews, and guides for Windows and Xbox diehards.

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He’s covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean’s journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.