Protego
RAT, 1 mutex signature
[BASIC_INFORMATION]
FAMILY_NAME:
Protego
CATEGORY:
RAT
DESCRIPTION:
Protego is a sophisticated C# remote access trojan (RAT) associated with the Patchwork APT group (APT-Q-36). It is delivered through malicious LNK files disguised as PDF documents and uses Rust-based loaders with shellcode decryption. The malware establishes two-stage communication with C2 servers, collects system information including hostname, username, device UUID, and OS details, and supports extensive remote control capabilities including file operations, process management, and memory execution.
ALIASES:
Protego RAT
TAGS:
remote_access, csharp, shellcode_decryption, two_stage_communication, file_operations, process_management
[MUTEX_SIGNATURES](1)
[MUTEX_01]
kiuwqyergljkwef
ANALYST: @adhikara13 DATE: 2025-07-30
[THREAT_INTELLIGENCE]
ATTRIBUTION:
Patchwork
White Elephant
Hangover
Dropping Elephant
APT-Q-36
FIRST_OBSERVED:
2025
[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:5
ALIASES:1
TAGS:6
CATEGORY:RAT