
Bhutan Beware: Patchwork Hackers strike with advanced Brute Ratel tool

Summary: Patchwork Hackers Target Bhutan with Advanced Brute Ratel C4 Tool

TLDR:

  • Patchwork hackers target entities with ties to Bhutan using the Brute Ratel C4 framework and the PGoShell backdoor
  • APT-C-09, known as Patchwork, is a state-sponsored threat actor, likely of Indian origin

The threat actor known as Patchwork has been linked to a cyber attack targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell. This marks the first time Patchwork has been observed using this red teaming software. The group, also known as APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is likely of Indian origin and known for conducting cyber attacks since at least 2009.

APT-C-09 has been involved in spear-phishing and watering hole attacks against China and Pakistan in the past. The recent attack chain involves a Windows shortcut file designed to download a decoy PDF document, while deploying Brute Ratel C4 and PGoShell retrieved from a remote domain. PGoShell offers functionalities like remote shell capabilities, screen capture, and executing payloads.

In previous attacks, this threat actor has used .NET-based implants and romance-themed lures to compromise Android devices with remote access trojans. They have also been recently observed using open-source command-and-control frameworks to conduct attacks involving previously undocumented malware. The use of advanced tools and tactics makes Patchwork a significant threat in the cybersecurity landscape.
