The threat actor known as Patchwork has been linked to a cyber attack targeting businesses with ties to Bhutan to deploy the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell.
The development is the first time the adversary has been seen utilizing the red teaming software, the Knownsec 404 Team noted in an analysis published last week.
The activity cluster, also nicknamed APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is a state-sponsored actor possibly of Indian provenance.
Known for executing spear-phishing and watering hole operations against China and Pakistan, the hacker group is thought to be active since at least 2009, according to data given by Chinese cybersecurity firm QiAnXin.
Last July, Knownsec 404 disclosed details of an espionage effort aimed at universities and research groups in China that exploited a .NET-based implant nicknamed EyeShell to fetch and execute commands from an attacker-controlled server, launch additional payloads, and record screenshots.
Then earlier in February, it was found that the threat actor had deployed romance-themed lures to capture victims in Pakistan and India and compromise their Android devices with a remote access trojan dubbed VajraSpy.
The starting point of the latest observed attack chain is a Windows shortcut (LNK) file that's designed to download a decoy PDF document from a remote domain impersonating the UNFCCC-backed Adaptation Fund, while stealthily deploying Brute Ratel C4 and PGoShell retrieved from a different domain ("beijingtv[.]org").
"PGoShell is developed in the Go programming language; overall, it offers a rich set of functionalities, including remote shell capabilities, screen capture, and downloading and executing payloads," the cybersecurity company claimed.
The development comes months after APT-K-47 – another threat actor sharing tactical overlaps with SideWinder, Patchwork, Confucius, and Bitter – was attributed to attacks involving the use of ORPCBackdoor as well as previously undocumented malware like WalkerShell, DemoTrySpy, and NixBackdoor to harvest data and execute shellcode.
The attacks are particularly significant for employing an open-source command-and-control (C2) framework known as Nimbo-C2, which "enables a wide range of remote control functionalities," Knownsec 404 said.