BADNEWS

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
Badnews is a sophisticated malware utilized by Patchwork, an Indian Advanced Persistent Threat (APT) group. This malicious software has been used to infiltrate Pakistani government agencies, stealing sensitive information through spear-phishing tactics. The malware infects systems via suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can disrupt operations, steal personal data, and even hold data hostage for ransom. In recent campaigns, Badnews has been deployed alongside the EyeShell backdoor on compromised systems, illustrating the evolving nature of the threat. The Badnews malware payload has undergone significant updates since its last public report in December 2017. It traditionally leveraged legitimate third-party websites to host the malware’s command and control (C2) information, acting as “dead drops”. However, recent observations show modifications to how the malware obtains its C2 server information and alterations to the C2 communication process. The malware communicates with remote servers using HTTP protocol after collecting the necessary C2 information. These updates, along with the use of recent EPS-based exploits, indicate that the threat actors behind Badnews are actively refining their toolsets to stay ahead of security measures. Badnews performs many functions associated with previous versions, including keylogging and identifying files of interest. During its C2 communications, Badnews sends initial pings to the remote server, including strings containing the victim’s information. The malware then communicates with the previously identified C2 via HTTP. Previous variants of Badnews looked for data between '{{' and '}}', and used a simple cipher to decode this data. The continued evolution of Badnews, both in how it uses dead drop resolvers and communicates with a remote C2 server, underscores the need for ongoing vigilance and advanced cybersecurity measures.
What's your take? (Question 1 of 0)
2a0598ca-1c15-475f-9ba8-9170211cd826 Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the BADNEWS Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent
CERT-EU
a year ago
Connect the Dots on State-Sponsored Cyber Incidents - Targeting of the Pakistani government
CERT-EU
9 months ago
Connect the Dots on State-Sponsored Cyber Incidents - Targeting of the Pakistani government
CERT-EU
10 months ago
India-linked Patchwork APT targets Chinese research orgs with EyeShell backdoor