
TA397 targets Turkish defense sector with spearphishing campaign

by Kumar Hemant

Photo: Hüseyin Sevgi | Pixabay

A sophisticated spearphishing campaign attributed to the Advanced Persistent Threat (APT) group TA397, also known as ‘Bitter,’ has recently been uncovered targeting defence sector organisations in Turkey. The attack marks a notable evolution in TA397’s techniques: it hides its PowerShell payload in NTFS Alternate Data Streams (ADS) and pairs it with decoy documents to deliver malware and establish persistence.

Researchers noted that the group operates predominantly during UTC+5:30 working hours, a detail consistent with a South Asian origin. Additionally, TA397’s targeting of defence, energy, and public sector organisations in the EMEA and APAC regions reinforces the conclusion that its activities support South Asian government intelligence priorities.

The operation began with a carefully crafted email using the subject line ‘Public investments projects 2025_Madagascar.’ Attached to the email was a RAR archive containing three distinct components: a legitimate-looking decoy PDF titled ‘~tmp.pdf’ about a World Bank infrastructure project in Madagascar, a shortcut (LNK) file disguised as a PDF, and ADS files embedding malicious PowerShell code.

TA397 attack chain explained. | Source: Proofpoint

These elements were designed to deceive the recipient into executing the malware while obscuring its true nature.

When the RAR archive was opened with the built-in Windows extraction tools, the target saw only the LNK file; the other components stayed hidden. Archive tools that list NTFS streams, such as 7-Zip, do reveal the ADS entries. Running the LNK file launched a command that executed the PowerShell payload stored in the ADS.

That command opened the decoy PDF to allay suspicion and, at the same time, registered a scheduled task named ‘DvSvcCleanp.’ Every 17 minutes the task sent system information, including the username and computer name, to the attacker-controlled domain jacknwoods[.]com, advancing the infection chain.
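A hunt for the two host artifacts this chain leaves behind, as an added example rather than code from Proofpoint or the article: it enumerates alternate data streams under a download directory (Explorer and the built-in extractor never show them, which is why only the LNK was visible) and lists scheduled tasks that repeat at a short interval and launch a script host or downloader. The directory, the 30-minute threshold and the keyword patterns are assumptions chosen for illustration, not indicators from the report.

```powershell
# Hunt script (added example, not from the report). Run in an elevated
# PowerShell session on the suspect host. Assumed inputs: the directory to
# scan and the longest repetition interval still worth flagging.
param(
    [string]$Root = "$env:USERPROFILE\Downloads",
    [int]$MaxIntervalMinutes = 30
)

# 1. Alternate data streams. Every file has an unnamed ':$DATA' stream; any
#    other stream is extra content that Explorer, dir, and Get-ChildItem hide.
#    Zone.Identifier is the browser "mark of the web" and is expected.
$adsHits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
    ForEach-Object {
        $content = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File    = $_.FileName
            Stream  = $_.Stream
            Bytes   = $_.Length
            # The campaign's payload was PowerShell; these markers are an
            # assumed starting point, not an exhaustive signature.
            LooksPS = [bool]($content -match 'powershell|Invoke-|IEX|FromBase64String|schtasks|curl')
        }
    }

Write-Host "== Non-default alternate data streams under $Root =="
$adsHits | Format-Table -AutoSize

# 2. Scheduled tasks with a short repetition interval whose action runs a
#    script host or downloader. Repetition.Interval is an ISO 8601 duration
#    (e.g. PT17M), which XmlConvert parses into a TimeSpan.
$taskHits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($trigger in $task.Triggers) {
        $interval = $trigger.Repetition.Interval
        if (-not $interval) { continue }
        $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
        if ($span.TotalMinutes -gt $MaxIntervalMinutes) { continue }
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh|cmd\.exe|curl|conhost|wscript|cscript|mshta') {
                [pscustomobject]@{
                    Task    = $task.TaskName
                    Path    = $task.TaskPath
                    Every   = $interval
                    State   = $task.State
                    Command = $cmd
                }
            }
        }
    }
}

Write-Host "== Scheduled tasks repeating every <= $MaxIntervalMinutes min that launch a script host =="
$taskHits | Format-Table -AutoSize
```

Review the stream names and task commands by hand rather than alerting on them blindly: installers and some backup agents create legitimate streams, and monitoring agents do register frequent tasks, but a task created minutes after a user opened an archive, pointing at an external domain, is the combination worth escalating.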

Decoy PDF. | Source: Proofpoint

Researchers discovered that the attack delivered two malware payloads: WmRAT and MiyaRAT. WmRAT is a long-used remote access trojan capable of data exfiltration, directory enumeration, and executing arbitrary commands. MiyaRAT, the newer of the two, shares many of WmRAT’s capabilities and spawns junk threads to complicate forensic analysis.

The two RATs used separate command-and-control domains: MiyaRAT connected to samsnewlooker[.]com, and WmRAT to a second domain, each likely representing attacker-controlled infrastructure.

TA397’s infrastructure also included the staging domain jacknwoods[.]com, used to distribute the malware payloads. The observed patterns in domain registration and hosting provider align with TA397’s previous campaigns, further corroborating the attribution.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
