Threat actor Patchwork accidentally attacked itself with a RAT

[Image: Patchwork exploit document. Image credit: Malwarebytes]

What you need to know

  • A threat actor known as Patchwork accidentally infected itself with a Remote Administration Trojan.
  • Malwarebytes was able to determine the victims and methodology of Patchwork's attacks and even the local temperature of the threat actor's area.
  • Patchwork's Remote Administration Trojan allowed Malwarebytes to see captured keystrokes and screenshots from the malicious group.

Patchwork, a threat actor based in India, accidentally infected itself with a Remote Administration Trojan (RAT). The ironic incident was discovered by Malwarebytes, which took the opportunity to gain insight into how Patchwork uses RTF files to spread the BADNEWS (Ragnatela) RAT.

"Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines," explained Malwarebytes.

As part of a recent attack, Patchwork spread malicious files by impersonating Pakistani authorities. The documents were sent out as attachments that appeared legitimate and important. Instead, the files contained an exploit that can compromise a computer and then execute the RAT.
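The delivery chain described above (an RTF document posing as an official attachment, carrying an embedded object that drops the RAT) is something a mail gateway or triage script can flag before the document is ever opened. The following is an added example written for this page, not code from Malwarebytes or from the article: it checks whether an attachment is really RTF regardless of its extension, looks for the RTF control words used to embed OLE objects, and measures any `\objdata` hex blob. The file names and sample documents are constructed for illustration.

```python
import re

# Every RTF file starts with this header (a BOM or whitespace may precede it).
RTF_MAGIC = b"{\\rtf"

# Control words associated with embedded OLE objects, the usual carrier for
# RTF exploit documents that drop a second-stage payload.
OBJECT_CONTROL_WORDS = (b"\\object", b"\\objemb", b"\\objupdate", b"\\objdata")

# \objdata is followed by the object's bytes encoded as hex (whitespace allowed).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def is_rtf(data: bytes) -> bool:
    """True if the bytes carry an RTF header, whatever the file extension says."""
    return data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(RTF_MAGIC)


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def embedded_object_sizes(data: bytes) -> list:
    """Decoded byte length of every \\objdata blob found in the document."""
    sizes = []
    for match in OBJDATA_RE.finditer(data):
        hex_chars = re.sub(rb"\s", b"", match.group(1))
        sizes.append(len(hex_chars) // 2)
    return sizes


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return indicators that make an attachment worth a manual look."""
    findings = []
    rtf = is_rtf(data)
    if rtf:
        ext = extension_of(filename)
        if ext != "rtf":
            # RTF content under a .doc/.docx name is a classic lure characteristic.
            findings.append(f"RTF content delivered with .{ext or '(none)'} extension")
        present = [cw.decode() for cw in OBJECT_CONTROL_WORDS if cw in data]
        if present:
            findings.append("embedded OLE object control words: " + ", ".join(present))
        for size in embedded_object_sizes(data):
            findings.append(f"\\objdata blob of {size} bytes")
    return {
        "filename": filename,
        "is_rtf": rtf,
        "findings": findings,
        "verdict": "review" if findings else "no RTF object indicators",
    }


# Constructed samples (not real attachments): a plain RTF report, and an RTF
# with an embedded object delivered under a .doc name.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Calibri;}} Quarterly summary.\\par}"
SUSPICIOUS_DOC = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objw100\\objh100{\\*\\objdata "
    b"0105000002000000"  # 32 bytes of placeholder hex (64 hex characters)
    b"0b00000050616b61"
    b"6765000000000000"
    b"0000000000000000"
    b"}}}"
)

if __name__ == "__main__":
    for name, blob in (("summary.rtf", BENIGN_RTF), ("Notice.doc", SUSPICIOUS_DOC)):
        print(triage_attachment(name, blob))
```

The check is deliberately a cheap first pass: a hit on `\objdata` or an extension mismatch does not prove the document is malicious, but it is enough to route the attachment to sandbox detonation or analyst review rather than straight to the recipient.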

The following organizations were successfully compromised by the efforts of Patchwork, according to Malwarebytes:

  • Ministry of Defense, Government of Pakistan
  • National Defense University of Islamabad
  • Faculty of Bio-Science, UVAS University, Lahore, Pakistan
  • International Center for Chemical and Biological Sciences
  • HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi
  • SHU University, Molecular Medicine

Patchwork also infected itself with the RAT, which gave Malwarebytes access to quite a bit of information. Malwarebytes was able to see that Patchwork uses VirtualBox and VMware for development. The security firm also determined that Patchwork uses VPN Secure and CyberGhost to mask its IP address.

Comedically, Malwarebytes was also able to determine the local weather of Patchwork's machines. "Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven't updated their Java yet."

Malwarebytes notes that Patchwork is not as sophisticated as similar attackers in Russia and North Korea.

Sean Endicott
News Writer and apps editor

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_. 
