A squad of Indian cyberspies has been infected with their own homemade remote access trojan (RAT), which has exposed their operations to security researchers.

The threat actor has been active since at least December 2015, according to reports, and is tracked as PatchWork because of its heavy reliance on copy-pasted code.
Malwarebytes Labs found that, in a PatchWork campaign running between November and December 2021, the group used malicious RTF documents posing as correspondence from Pakistani officials to infect targets with a new variant of the BADNEWS RAT, known as Ragnatela.
Ragnatela gives its operators the ability to execute commands, log keystrokes, capture screenshots, steal sensitive files, upload files, list running applications, and launch additional payloads.
Malwarebytes Labs said it was able to identify the perpetrators because they had infected themselves with their own RAT, which let the researchers collect screenshots and keystrokes from the attackers' machines.
When the researchers discovered that the persons behind PatchWork were infected with the RAT, they used VirtualBox and VMware to keep an eye on them.
The researchers were able to compile a list of the group’s victims, which included the Pakistan Ministry of Defense, various university molecular medicine and biological science departments, and others.
PatchWork is also suspected of being behind cyberattacks and spear-phishing campaigns against US think tanks in March 2018 and European government entities in May 2016.
Via: Bleeping Computer