Tags: Golang, Windows, Linux, macOS, RAT

Pantegana RAT

Pantegana is an open-source Remote Access Trojan (RAT) written in Go that runs on Windows, Linux and macOS. Its command-and-control (C2) channel runs over HTTPS, so traffic between the infected host and the operator is TLS-encrypted. It supports direct command execution, multiple concurrent sessions, file upload and download, and system fingerprinting. Because a single build covers several platforms and its C2 traffic looks like ordinary web traffic, it is a convenient, low-profile tool for attackers.

Key Insights

Pantegana is written in Go, so one code base compiles for Windows, Linux and macOS. Attackers can therefore target mixed environments without porting the malware to each platform. The RAT can also execute commands directly on the host without going through an intermediary shell such as bash or sh. This matters for defenders: process-tree detections that fire on a suspicious parent spawning a shell will not trigger, because the target binary is launched as a direct child of the RAT process. The operator gives up shell features in return (pipes, redirection and globbing are not interpreted on the direct path), which is why such tools usually keep a shell-backed mode as well.
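The difference between direct execution and shell execution, as an added Go example (this is not Pantegana's code and makes no claim about how its implant is written): splitArgs, runDirect and runViaShell are hypothetical helper names. It assumes a POSIX host with /bin/sh and with echo and tr on PATH, and shows both why a rule that alerts on a shell child process sees only the shell path and what the direct path gives up.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// splitArgs splits an operator-supplied command line into argv on whitespace.
// It deliberately performs no shell parsing: quoting, globbing, pipes and
// redirection are all passed through as literal arguments. (Hypothetical helper.)
func splitArgs(cmdline string) ([]string, error) {
	argv := strings.Fields(cmdline)
	if len(argv) == 0 {
		return nil, errors.New("empty command")
	}
	return argv, nil
}

// runDirect executes argv[0] with the remaining fields as its arguments.
// The calling process becomes the direct parent of the target binary; no
// sh/bash child is created, so a detection keyed on shell spawning is blind.
func runDirect(cmdline string) (string, error) {
	argv, err := splitArgs(cmdline)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdout = &out
	cmd.Stderr = &out
	err = cmd.Run()
	return out.String(), err
}

// runViaShell hands the whole line to /bin/sh -c, the conventional reverse-shell
// pattern. The shell interprets metacharacters and shows up in the process tree.
func runViaShell(cmdline string) (string, error) {
	var out bytes.Buffer
	cmd := exec.Command("/bin/sh", "-c", cmdline)
	cmd.Stdout = &out
	cmd.Stderr = &out
	err := cmd.Run()
	return out.String(), err
}

func main() {
	line := "echo a | tr a b"
	d, _ := runDirect(line)
	s, _ := runViaShell(line)
	fmt.Printf("direct: %q\n", d) // the pipe is just another argument to echo
	fmt.Printf("shell : %q\n", s) // the shell built a real pipeline
}
```

The same command line produces different output on the two paths: echo receives the literal tokens "a", "|", "tr", "a", "b" on the direct path, while /bin/sh builds a pipeline on the shell path. A process-creation rule that looks for sh or bash as the child of an unusual parent only catches the second case; catching the first requires looking at the parent process itself (an unsigned Go binary in a user-writable location launching system utilities).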

Command-and-Control

Pantegana's C2 traffic is carried over HTTPS, so the contents of the channel are encrypted between the infected host and the attacker's server. The same channel carries file uploads and downloads, system fingerprinting results and the management of multiple simultaneous sessions. Beyond confidentiality, HTTPS lets the beaconing blend into the large volume of legitimate TLS traffic leaving most networks, and payload-based signatures cannot see inside it. What remains visible to a network sensor is TLS metadata: the destination, the SNI and the server certificate, which for a quickly stood-up C2 server is often self-signed rather than issued by a public CA.
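An added Go example, not part of the Pantegana project, showing what a self-signed HTTPS C2 exchange looks like on the wire and what a defender can still inspect: the server mints a self-signed certificate and answers a beacon on loopback, the client connects with InsecureSkipVerify the way an implant that trusts any certificate does, and inspectPeer reports whether the leaf certificate verifies under its own key. newSelfSignedCert, startServer, Finding and inspectPeer are hypothetical names for this example, and the /beacon path and "ack:<n>" reply are assumptions, not Pantegana's protocol.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// newSelfSignedCert mints a throwaway ECDSA certificate signed by its own key,
// the kind a quickly stood-up C2 server tends to present (an assumption for
// this example, not a statement about Pantegana's defaults).
func newSelfSignedCert(ip string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "c2"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived, another common tell
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer serves a beacon endpoint over TLS on a random loopback port and
// returns the base URL plus a function that shuts the server down.
func startServer(cert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/beacon", func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body) // e.g. a host fingerprint sent by the implant
		fmt.Fprintf(w, "ack:%d", len(body))
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln)
	return "https://" + ln.Addr().String(), func() { srv.Close() }, nil
}

// Finding is what a sensor can learn about an encrypted C2 session without
// decrypting it: facts about the server certificate.
type Finding struct {
	SelfSigned bool
	Subject    string
	Issuer     string
	ValidFor   time.Duration
}

// inspectPeer connects the way an implant that trusts any certificate does,
// posts a payload to the beacon endpoint, and returns the certificate findings
// together with the server's reply.
func inspectPeer(baseURL string, payload []byte) (Finding, string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // no chain validation at all
	}}
	resp, err := client.Post(baseURL+"/beacon", "application/octet-stream", bytes.NewReader(payload))
	if err != nil {
		return Finding{}, "", err
	}
	defer resp.Body.Close()
	reply, _ := io.ReadAll(resp.Body)
	leaf := resp.TLS.PeerCertificates[0]
	// A certificate whose signature verifies under its own public key was
	// signed by nobody but itself: no CA, public or private, vouches for it.
	selfSigned := leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	f := Finding{
		SelfSigned: selfSigned,
		Subject:    leaf.Subject.String(),
		Issuer:     leaf.Issuer.String(),
		ValidFor:   leaf.NotAfter.Sub(leaf.NotBefore),
	}
	return f, string(reply), nil
}

func main() {
	cert, err := newSelfSignedCert("127.0.0.1")
	if err != nil {
		panic(err)
	}
	base, stop, err := startServer(cert)
	if err != nil {
		panic(err)
	}
	defer stop()
	f, reply, err := inspectPeer(base, []byte("host=lab-01;os=linux"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("reply=%s self-signed=%v issuer=%q valid_for=%s\n", reply, f.SelfSigned, f.Issuer, f.ValidFor)
}
```

The payload and reply are opaque to anyone watching the wire, which is the point of the HTTPS channel. The certificate, however, is sent in the clear during the TLS handshake (for TLS 1.2, and it is recoverable from the server side or from a TLS-terminating proxy for TLS 1.3), and a self-signed or very short-lived leaf on an outbound connection from a server that should only talk to known services is exactly the kind of metadata signal the mitigation section below relies on.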

Real-World Deployment

In mid-2024, the group tracked by Recorded Future's Insikt Group as TAG-100 used Pantegana in a global cyber-espionage campaign against high-profile government and private-sector organizations, with a strong focus on the Asia-Pacific region. For initial access the group exploited known vulnerabilities in internet-facing systems, including Microsoft Exchange Server and SonicWall appliances, and then deployed Pantegana to maintain persistent access so it could monitor victims and exfiltrate sensitive data.

Known Variants

At the time of writing there are no publicly documented variants of Pantegana. Because the project is open source, threat actors can modify and rebuild it to suit their needs, but no modified builds have been described in public reporting. This more likely reflects the tool's relative newness and limited coverage in public threat-intelligence feeds than evidence that the code has never been customized.

Mitigation Strategies

  • Update and patch all internet-facing systems, prioritising edge appliances and mail servers of the kind TAG-100 exploited for initial access.

  • Monitor outbound HTTPS traffic for beaconing patterns and TLS metadata anomalies (for example, connections to self-signed or otherwise untrusted server certificates, or to destinations a server has no business contacting), since the encrypted payload itself cannot be inspected.

  • Run security audits to find and fix potential entry points.

  • Train employees to recognise phishing and social engineering.

Targeted Industries or Sectors

Pantegana has been used in attacks across multiple sectors. TAG-100 targeted high-profile government entities, intergovernmental organizations and private-sector companies, especially in the Asia-Pacific region. The campaign also hit diplomatic entities, ministries of foreign affairs, industry trade associations, semiconductor supply-chain companies, non-profits and religious organizations. The breadth of this targeting reflects both the tool's versatility and the wide collection interests of its operators.

Associated Threat Actors

The threat actor group TAG-100 has been identified as the primary user of Pantegana. In 2024, TAG-100 ran a cyber-espionage campaign that used Pantegana to compromise organizations worldwide. The group's activity centres on intelligence gathering from government and private-sector entities. TAG-100's origin has not been publicly attributed, but its targeting and tradecraft are consistent with espionage.
