A threat actor known as Patchwork This is attributed to a new spear fishing campaign targeting Turkish defense contractors with the goal of gathering strategic information.
“The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as a meeting invitation sent to targets interested in learning more about unmanned vehicle systems,” Arctic Wolf Labs said in a technical report released this week.
The action of selecting an unknown manufacturer of precision guided missile systems also appears geopolitical motivated by its timing coincidence in deepening defence cooperation between Pakistan, Churkiye and the recent skirmish between India-Pakistani military.
Also known as APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson, the patchwork is rated as a state-sponsored actor of Indian origin. Hacking groups known to have been active since at least 2009 have a track record of impressive organizations in China, Pakistan and other countries in South Asia.
Just a year ago, the known Sec 404 team provided an updated version of the patchwork targeting entity with a link to Blue Tan with a Blue Tratel C4 framework and a backdoor called Pgoshell.
Since its launch in 2025, threat actors have been linked to various campaigns targeting Chinese universities, with recent attacks using bait associated with domestic power grids to supply bait to provide rusty loaders and launch C# Trojan called Protego to harvest a wide range of information from a reduced windows system.
Another report released in May by Chinese cybersecurity firm Qianxin identifies infrastructure overlap between Patchwork and the DONOT team (aka APT-Q-38 or ventricularis), suggesting potential operational ties between the two threat clusters.
Targeting Türkiye by hacking groups points to an extension of the targeting footprint using malicious Windows Shortcuts (LNK) files distributed via phishing emails as a starting point for kicking off the multi-stage infection process.
Specifically, the LNK file is designed to invoke PowerShell commands responsible for obtaining additional payloads from an external server (“expouav(.)org”), the domain created on June 25, 2025.
“The PDF document acts as a visual decoy and is designed to distract the user, with the rest of the execution chain running quietly in the background,” says Arctic Wolf. “This targeting will occur as Türkiye commands 65% of the global UAV export market, developing key Hi-sonic missile capabilities, while strengthening defence ties with Pakistan during periods of rising tensions between India and Pakistan.”
Among the downloaded artifacts are malicious DLLs launched using DLL sideloads using scheduled tasks, which ultimately lead to the execution of shellcode that performs extensive reconnaissance of compromised hosts, such as taking screenshots and returning details to the server.
“This represents a significant evolution of this threat actor’s ability to migrate from the X64 DLL variant observed in November 2024 to the current X86 PE executable with enhanced command structure,” the company said. “Elephant Drops demonstrate continued operational investment and development through architectural diversification from the X64 DLL to the X86 PE format, enhancing the implementation of the C2 protocol through legitimate website impersonation.”
