S0128: BADNEWS
Analyst context for executives and security teams
BADNEWS matters because it represents a Windows malware family tied in ATT&CK to the Patchwork campaign and to behaviors that support espionage-style operations: persistence, command and control through web/RSS/forum/blog-style channels, discovery, collection from local/removable/network sources, keylogging, screen capture, staging, and tool transfer. For leaders, the decision value is not the malware name itself, but whether the organization can see and contain a Windows endpoint that blends C2 into normal web activity while collecting sensitive files and user input.
Executive priority
Prioritize this as a resilience and evidence question for Windows environments that handle sensitive diplomatic, government, or similar high-value information. Executives should ask whether SOC and IR teams can prove visibility across endpoint persistence, suspicious web-based C2, removable media, network share access, and credential-risk behaviors such as keylogging. Because ATT&CK provides no official detection text or current exploitation claim for this object, investment decisions should focus on validating control coverage against the mapped techniques rather than treating BADNEWS as a standalone indicator-based threat.
Technical view
BADNEWS is listed for Windows and is related to techniques spanning persistence via Scheduled Task and Registry Run Keys/Startup Folder, execution via Windows Command Shell and Native API, stealth via invalid code signatures, resource-name/location matching, and process hollowing, collection from local systems/removable media/network shares, keylogging, screenshots, automated collection, local staging, and C2 using web protocols, web services, encoding, symmetric cryptography, dead-drop resolver, bidirectional communication, and ingress tool transfer. SOC teams should validate that detections correlate endpoint process, persistence, file access, and network web telemetry rather than relying on static malware names or IOCs.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe and child-process chains
- Scheduled Task creation/modification and task execution records
- Registry Run key and Startup folder modification events
- Endpoint file creation, rename, and path telemetry for legitimate-looking names or locations
- Code-signature validation results, including invalid or suspiciously copied signature metadata
Detection direction
- Build coverage around the related ATT&CK behaviors rather than the BADNEWS name alone, since no official ATT&CK detection guidance is provided.
- Correlate persistence events with new or unusual binaries, invalid signatures, suspicious naming, and subsequent outbound web traffic.
- Tune web-C2 analytics carefully: RSS feeds, forums, blogs, and legitimate web services can be normal business traffic, so prioritize rare destinations, unusual user-agent/process associations, beacon-like patterns, and endpoint-to-network correlation.
- Validate collection analytics for access to local files, removable media, and network shares, especially when followed by staging or outbound web communication.
- Review false positives from administrative scripts, backup tools, software updaters, and legitimate scheduled tasks before escalating.
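One way to turn the correlation direction above into a concrete analytic (an added example, not Glexia or MITRE material): flag a persistence event whose image then makes regular, beacon-like web connections to one destination, while leaving a scheduled task with a single connection alone. The event records and hostnames are constructed here and loosely follow Sysmon-style fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PERSISTENCE_TYPES = {"task_create", "runkey_set"}

# Constructed sample telemetry (not from the page): a persistence event naming
# an image, followed by outbound connections made by that same image.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "type": "task_create",
     "image": r"C:\Users\a\AppData\Roaming\update.exe", "dest": None},
    {"ts": "2024-05-01T09:01:02", "host": "ws01", "type": "net_conn",
     "image": r"C:\Users\a\AppData\Roaming\update.exe", "dest": "feeds.example.net:443"},
    {"ts": "2024-05-01T09:02:01", "host": "ws01", "type": "net_conn",
     "image": r"C:\Users\a\AppData\Roaming\update.exe", "dest": "feeds.example.net:443"},
    {"ts": "2024-05-01T09:03:03", "host": "ws01", "type": "net_conn",
     "image": r"C:\Users\a\AppData\Roaming\update.exe", "dest": "feeds.example.net:443"},
    # Benign-looking control: a backup agent's task followed by one connection.
    {"ts": "2024-05-01T09:00:00", "host": "ws02", "type": "task_create",
     "image": r"C:\Program Files\Backup\agent.exe", "dest": None},
    {"ts": "2024-05-01T09:04:00", "host": "ws02", "type": "net_conn",
     "image": r"C:\Program Files\Backup\agent.exe", "dest": "backup.example.org:443"},
]

def _t(s):
    return datetime.fromisoformat(s)

def persistence_then_beaconing(events, window_min=10, min_conns=3, jitter_s=20):
    """Return (host, image, dest, count) for each persistence event whose image
    makes at least min_conns outbound connections to a single destination within
    window_min minutes, with inter-connection gaps differing by at most jitter_s."""
    conns = defaultdict(list)
    for e in events:
        if e["type"] == "net_conn":
            conns[(e["host"], e["image"], e["dest"])].append(_t(e["ts"]))
    alerts = []
    for e in events:
        if e["type"] not in PERSISTENCE_TYPES:
            continue
        start, end = _t(e["ts"]), _t(e["ts"]) + timedelta(minutes=window_min)
        for (host, image, dest), times in conns.items():
            if (host, image) != (e["host"], e["image"]):
                continue
            hits = sorted(t for t in times if start <= t <= end)
            if len(hits) < min_conns:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]
            if max(gaps) - min(gaps) <= jitter_s:   # near-regular cadence
                alerts.append((host, image, dest, len(hits)))
    return alerts

if __name__ == "__main__":
    for a in persistence_then_beaconing(EVENTS):
        print("ALERT: persistence followed by beacon-like web traffic:", a)
```

Thresholds are starting points; tune window, count and jitter against baseline traffic from updaters and backup tools before alerting.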
Mitigation priorities
- Confirm Windows endpoint visibility and response capability first: process creation, persistence changes, file activity, removable media, and network connections.
- Harden persistence surfaces by controlling and monitoring Scheduled Tasks, Run keys, and Startup folders.
- Use application control and code-signing validation to reduce execution of unsigned or invalidly signed binaries where operationally feasible.
- Apply least privilege to sensitive local paths and network shares, and reduce unnecessary access from standard user workstations.
- Govern removable media usage and logging for systems that can access sensitive data.
Analyst notes and limits
ATT&CK links BADNEWS to Patchwork use and to a broad set of behaviors that are useful for defensive validation. The Patchwork description notes cyber espionage activity and targeting of diplomatic and government-related industries, while also stating attribution is not definitive. Glexia would treat this object as a control-mapping and telemetry-validation use case: can the environment detect a Windows implant that persists, collects sensitive data, and communicates over web channels that may appear legitimate?
The supplied ATT&CK object has no official detection text, no aliases, no labels, and no object-level tactics specified. No IOCs, current activity claims, victim exposure, or guaranteed detections are provided. Several related techniques list platforms beyond Windows, but the BADNEWS object itself is supplied as Windows; local applicability should be confirmed against the actual estate and available telemetry.
BADNEWS
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | BADNEWS collects C2 information via a dead drop resolver. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | BADNEWS establishes a backdoor over HTTP. (Citation: PaloAlto Patchwork Mar 2018) |
| Enterprise | T1113 | Screen Capture | BADNEWS has a command to take a screenshot and send it to the C2 server. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) |
| Enterprise | T1005 | Data from Local System | When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1574.001 | DLL Sub-technique | BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) |
| Enterprise | T1132 | Data Encoding | After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64. (Citation: Forcepoint Monsoon) |
| Enterprise | T1056.001 | Keylogging Sub-technique | When it first starts, BADNEWS spawns a new thread to log keystrokes. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1036.001 | Invalid Code Signature Sub-technique | BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1119 | Automated Collection | BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute. (Citation: PaloAlto Patchwork Mar 2018) |
| Enterprise | T1039 | Data from Network Shared Drive | When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. (Citation: Forcepoint Monsoon) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | BADNEWS encodes C2 traffic with base64. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | BADNEWS installs a registry Run key to establish persistence. (Citation: Forcepoint Monsoon) |
| Enterprise | T1025 | Data from Removable Media | BADNEWS copies files with certain extensions from USB devices to a predefined directory. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | BADNEWS is capable of executing commands via cmd.exe. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | BADNEWS attempts to hide its payloads using legitimate filenames. (Citation: PaloAlto Patchwork Mar 2018) |
| Enterprise | T1106 | Native API | BADNEWS has a command to download an .exe and execute it via the CreateProcess API. It can also run with ShellExecute. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | BADNEWS copies documents under 15MB found on the victim system to the user's |
| Enterprise | T1083 | File and Directory Discovery | BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory. (Citation: TrendMicro Patchwork Dec 2017) |
| Enterprise | T1120 | Peripheral Device Discovery | BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017) |
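The T1573.001 and T1132 rows describe a layered obfuscation (per-byte ROR 3 and XOR 0x23, then hex, then base64). The decoder below is an added example for analysts triaging captured traffic, not code from MITRE or the cited reports; the order "rotate, then XOR" is an assumption the page does not settle, and the sample string is constructed.

```python
import base64
import binascii
from typing import Optional

# Parameters as stated in the ATT&CK rows for T1573.001 and T1132.
XOR_KEY = 0x23
ROTATE_BITS = 3

def _ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    return ((b >> n) | (b << (8 - n))) & 0xFF

def _rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (inverse of _ror8)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def encode_c2(plain: bytes) -> str:
    """Forward transform, used here only to build constructed samples:
    per-byte ROR 3 then XOR 0x23 (order assumed), hex-encode the result,
    then base64 the hex text."""
    obf = bytes(_ror8(b, ROTATE_BITS) ^ XOR_KEY for b in plain)
    return base64.b64encode(binascii.hexlify(obf)).decode("ascii")

def decode_c2(blob: str) -> Optional[bytes]:
    """Undo the layers in reverse: base64 -> hex text -> bytes -> XOR -> ROL.
    Returns None when the input does not have this shape, so the function can
    be run over many candidate strings pulled from proxy or sensor logs."""
    try:
        hex_text = base64.b64decode(blob, validate=True)
        obf = binascii.unhexlify(hex_text)
    except (binascii.Error, ValueError):
        return None
    return bytes(_rol8(b ^ XOR_KEY, ROTATE_BITS) for b in obf)

if __name__ == "__main__":
    sample = encode_c2(b"constructed sample")   # constructed, not real traffic
    print(sample, "->", decode_c2(sample))
```

If a real capture decodes to garbage, swap the XOR and rotate steps in both functions; the page leaves that order open.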
Groups, software, and campaigns
G0040: Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 1142d9b5df78… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Forcepoint Monsoon: Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- [2] TrendMicro Patchwork Dec 2017: Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- [3] BADNEWS (Citation: Forcepoint Monsoon)
- [4] mitre-attack S0128
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.