Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0128: BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [1] [2]

EnterpriseS0128MalwareObject v1.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

BADNEWS matters because it represents a Windows malware family tied in ATT&CK to the Patchwork campaign and to behaviors that support espionage-style operations: persistence, command and control through web/RSS/forum/blog-style channels, discovery, collection from local/removable/network sources, keylogging, screen capture, staging, and tool transfer. For leaders, the decision value is not the malware name itself, but whether the organization can see and contain a Windows endpoint that blends C2 into normal web activity while collecting sensitive files and user input.

Executive priority

Prioritize this as a resilience and evidence question for Windows environments that handle sensitive diplomatic, government, or similar high-value information. Executives should ask whether SOC and IR teams can prove visibility across endpoint persistence, suspicious web-based C2, removable media, network share access, and credential-risk behaviors such as keylogging. Because ATT&CK provides no official detection text or current exploitation claim for this object, investment decisions should focus on validating control coverage against the mapped techniques rather than treating BADNEWS as a standalone indicator-based threat.

Technical view

BADNEWS is listed for Windows and is related to techniques spanning persistence via Scheduled Task and Registry Run Keys/Startup Folder, execution via Windows Command Shell and Native API, stealth via invalid code signatures, resource-name/location matching, and process hollowing, collection from local systems/removable media/network shares, keylogging, screenshots, automated collection, local staging, and C2 using web protocols, web services, encoding, symmetric cryptography, dead-drop resolver, bidirectional communication, and ingress tool transfer. SOC teams should validate that detections correlate endpoint process, persistence, file access, and network web telemetry rather than relying on static malware names or IOCs.

Likely telemetry

  • Windows process creation and command-line telemetry, especially cmd.exe and child-process chains
  • Scheduled Task creation/modification and task execution records
  • Registry Run key and Startup folder modification events
  • Endpoint file creation, rename, and path telemetry for legitimate-looking names or locations
  • Code-signature validation results, including invalid or suspiciously copied signature metadata

Detection direction

  • Build coverage around the related ATT&CK behaviors rather than the BADNEWS name alone, since no official ATT&CK detection guidance is provided.
  • Correlate persistence events with new or unusual binaries, invalid signatures, suspicious naming, and subsequent outbound web traffic.
  • Tune web-C2 analytics carefully: RSS feeds, forums, blogs, and legitimate web services can be normal business traffic, so prioritize rare destinations, unusual user-agent/process associations, beacon-like patterns, and endpoint-to-network correlation.
  • Validate collection analytics for access to local files, removable media, and network shares, especially when followed by staging or outbound web communication.
  • Review false positives from administrative scripts, backup tools, software updaters, and legitimate scheduled tasks before escalating.

Mitigation priorities

  • Confirm Windows endpoint visibility and response capability first: process creation, persistence changes, file activity, removable media, and network connections.
  • Harden persistence surfaces by controlling and monitoring Scheduled Tasks, Run keys, and Startup folders.
  • Use application control and code-signing validation to reduce execution of unsigned or invalidly signed binaries where operationally feasible.
  • Apply least privilege to sensitive local paths and network shares, and reduce unnecessary access from standard user workstations.
  • Govern removable media usage and logging for systems that can access sensitive data.
Analyst notes and limits

ATT&CK links BADNEWS to Patchwork use and to a broad set of behaviors that are useful for defensive validation. The Patchwork description notes cyber espionage activity and targeting of diplomatic and government-related industries, while also stating attribution is not definitive. Glexia would treat this object as a control-mapping and telemetry-validation use case: can the environment detect a Windows implant that persists, collects sensitive data, and communicates over web channels that may appear legitimate?

The supplied ATT&CK object has no official detection text, no aliases, no labels, and no object-level tactics specified. No IOCs, current activity claims, victim exposure, or guaranteed detections are provided. Several related techniques list platforms beyond Windows, but the BADNEWS object itself is supplied as Windows; local applicability should be confirmed against the actual estate and available telemetry.

Official MITRE ATT&CK definition

BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [1] [2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

24 rows
Domain ID Name Relationship / procedure
Enterprise T1102.001 Dead Drop Resolver Sub-technique

BADNEWS collects C2 information via a dead drop resolver.[1]CitationPaloAlto Patchwork Mar 2018[2]
Enterprise T1071.001 Web Protocols Sub-technique

BADNEWS establishes a backdoor over HTTP.CitationPaloAlto Patchwork Mar 2018
Enterprise T1113 Screen Capture

BADNEWS has a command to take a screenshot and send it to the C2 server.[1]CitationPaloAlto Patchwork Mar 2018
Enterprise T1005 Data from Local System

When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[1]CitationPaloAlto Patchwork Mar 2018
Enterprise T1573.001 Symmetric Cryptography Sub-technique

BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.[1][2]
Enterprise T1574.001 DLL Sub-technique

BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[1]CitationPaloAlto Patchwork Mar 2018
Enterprise T1132 Data Encoding

After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64.[1]
Enterprise T1056.001 Keylogging Sub-technique

When it first starts, BADNEWS spawns a new thread to log keystrokes.[1]CitationPaloAlto Patchwork Mar 2018[2]
Enterprise T1102.002 Bidirectional Communication Sub-technique

BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs.[1]CitationPaloAlto Patchwork Mar 2018[2]
Enterprise T1036.001 Invalid Code Signature Sub-technique

BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.[2]
Enterprise T1119 Automated Collection

BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory.[2]
Enterprise T1053.005 Scheduled Task Sub-technique

BADNEWS creates a scheduled task to establish by executing a malicious payload every subsequent minute.CitationPaloAlto Patchwork Mar 2018
Enterprise T1039 Data from Network Shared Drive

When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[1]
Enterprise T1132.001 Standard Encoding Sub-technique

BADNEWS encodes C2 traffic with base64.[1]CitationPaloAlto Patchwork Mar 2018[2]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

BADNEWS installs a registry Run key to establish persistence.[1]
Enterprise T1025 Data from Removable Media

BADNEWS copies files with certain extensions from USB devices to a predefined directory.[2]
Enterprise T1059.003 Windows Command Shell Sub-technique

BADNEWS is capable of executing commands via cmd.exe.[1][2]
Enterprise T1055.012 Process Hollowing Sub-technique

BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.[1][2]
Enterprise T1105 Ingress Tool Transfer

BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[1]CitationPaloAlto Patchwork Mar 2018[2]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

BADNEWS attempts to hide its payloads using legitimate filenames.CitationPaloAlto Patchwork Mar 2018
Enterprise T1106 Native API

BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.[1][2]
Enterprise T1074.001 Local Data Staging Sub-technique

BADNEWS copies documents under 15MB found on the victim system to is the user's %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory.[1][2]
Enterprise T1083 File and Directory Discovery

BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.[2]
Enterprise T1120 Peripheral Device Discovery

BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.[1][2]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0040: Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1] [2][3][4]

Relationship explorer

All related ATT&CK context

uses · Technique T1102.001: Dead Drop Resolver Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1113: Screen Capture Enterprise uses · Technique T1005: Data from Local System Enterprise uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1574.001: DLL Enterprise uses · Technique T1132: Data Encoding Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1102.002: Bidirectional Communication Enterprise uses · Technique T1036.001: Invalid Code Signature Enterprise uses · Technique T1119: Automated Collection Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1039: Data from Network Shared Drive Enterprise uses · Technique T1132.001: Standard Encoding Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1025: Data from Removable Media Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1055.012: Process Hollowing Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1074.001: Local Data Staging Enterprise uses · Group G0040: Patchwork Enterprise uses · Technique T1083: File and Directory Discovery Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.2
Created
Modified
Raw hash
1142d9b5df78c2e9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.2 Current bundle 1142d9b5df78…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Forcepoint Monsoon

    Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

    Open source URL
  2. [2]
    TrendMicro Patchwork Dec 2017

    Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

    Open source URL
  3. [3]
    BADNEWS

    (Citation: Forcepoint Monsoon)

  4. [4]
    mitre-attack S0128
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use