Jul 25, 2025Ravie LakshmananMalware / Risk Intelligence
The risk actor referred to as Patchwork has been attributed to a brand new spear-phishing marketing campaign focusing on Turkish protection contractors with the purpose of gathering strategic intelligence.
“The marketing campaign employs a five-stage execution chain delivered by way of malicious LNK information disguised as convention invites despatched to targets fascinated with studying extra about unmanned car programs,” Arctic Wolf Labs stated in a technical report revealed this week.
The exercise, which additionally singled out an unnamed producer of precision-guided missile programs, seems to be geopolitically motivated because the timing coincides amid deepening protection cooperation between Pakistan and Türkiye, and the current India-Pakistan army skirmishes.
Patchwork, additionally referred to as APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson, is assessed to be a state-sponsored actor of Indian origin. Recognized to be energetic since no less than 2009, the hacking group has a observe file of placing entities in China, Pakistan, and different international locations in South Asia.
Precisely a 12 months in the past, the Knownsec 404 Crew documented Patchwork’s focusing on entities with ties to Bhutan to ship the Brute Ratel C4 framework and an up to date model of a backdoor referred to as PGoShell.
For the reason that begin of 2025, the risk actor has been linked to numerous campaigns aimed toward Chinese language universities, with current assaults utilizing baits associated to energy grids within the nation to ship a Rust-based loader that, in flip, decrypts and launches a C# trojan referred to as Protego to reap a variety of knowledge from compromised Home windows programs.
One other report revealed by Chinese language cybersecurity agency QiAnXin again in Could stated it recognized infrastructure overlaps between Patchwork and DoNot Crew (aka APT-Q-38 or Bellyworm), suggesting potential operational connections between the 2 risk clusters.
The focusing on of Türkiye by the hacking group factors to an enlargement of its focusing on footprint, utilizing malicious Home windows shortcut (LNK) information distributed by way of phishing emails as a place to begin to kick-off the multi-stage an infection course of.
Particularly, the LNK file is designed to invoke PowerShell instructions which might be accountable for fetching extra payloads from an exterior server (“expouav[.]org”), a website created on June 25, 2025, that hosts a PDF lure mimicking a global convention on unmanned car programs, particulars of that are hosted on the reputable waset[.]org web site.
“The PDF doc serves as a visible decoy, designed to distract the consumer whereas the remainder of the execution chain runs silently within the background,” Arctic Wolf stated. “This focusing on happens as Türkiye instructions 65% of the worldwide UAV export market and develops vital hypersonic missile capabilities, whereas concurrently strengthening protection ties with Pakistan throughout a interval of heightened India-Pakistan tensions.”
Among the many downloaded artifacts is a malicious DLL that is launched utilizing DLL side-loading via a scheduled process, in the end resulting in the execution of shellcode that carries out intensive reconnaissance of the compromised host, together with taking screenshots, and exfiltrating the small print again to the server.
“This represents a big evolution of this risk actor’s capabilities, transitioning from the x64 DLL variants noticed in November 2024, to the present x86 PE executables with enhanced command buildings,” the corporate stated. “Dropping Elephant demonstrates continued operational funding and improvement by architectural diversification from x64 DLL to x86 PE codecs, and enhanced C2 protocol implementation by impersonation of reputable web sites.”
