{
	"id": "b5ecdb1d-b5bf-43bc-b104-63918273df5f",
	"created_at": "2026-04-06T00:10:15.908345Z",
	"updated_at": "2026-04-10T13:12:28.767396Z",
	"deleted_at": null,
	"sha1_hash": "abdedb504ecf953777fc00b6493c376b9c581077",
	"title": "Espionage Campaign Spear Phishes Turkish Defense Contractors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 909227,
	"plain_text": "Espionage Campaign Spear Phishes Turkish Defense Contractors\r\nPublished: 2018-01-23 · Archived: 2026-04-05 18:56:26 UTC\r\nRegions of the world in geopolitical turmoil, like Turkey, are prime targets for cyber espionage campaigns. Starting in mid-November, an unknown actor purporting to be from the tax collection arm of the Turkish government began a spear phishing campaign against a Turkish defense contractor. The group used tactics that have become extremely useful for cyber spies—spear phishing emails that social engineer the victim into downloading an attached or embedded file and then enabling macros. These macros contain executable files that download a Remote Access Trojan (RAT), which can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs, and manage files.\r\nRiskIQ identified multiple employees within the targeted organization who were affected. The first email we were alerted to was sent on November 16 at around 6 a.m. The email, redacted to remove victim PII, looked like this:\r\nFig-1 Example of the spear phishing email\r\nhttps://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/\r\nPage 1 of 9\n\nAnalysis – Stage 1 Email Attachment\r\nThe email supposedly comes from the Turkish government entity responsible for taxes. It states that the receiver may qualify for a tax exemption if he/she fills out the attached documents. 
Although the sender domain, gelirler.gov.tr, is valid, checking the email’s actual SPF verification shows that it failed:\r\nReceived-SPF: Fail (domain gelirler.gov.tr does not designate 185.85.204.180 as a permitted sender),\r\nclient-ip=\u003c185.85.204.180\u003e; identity=\u003cposta2@gelirler.gov.tr\u003e; helo=\u003clnx1.hostingfabrika.com\u003e;\r\nProprietary data within RiskIQ PassiveTotal shows that the IP sending the email messages hosts a law firm website: https://community.riskiq.com/projects/d731e758-cc96-b68e-4286-fe8b8f2308f1?guest=true:\r\nFig-2 Site for a law firm also hosted on the IP from which the emails came\r\nWhile it could, of course, be a fake website, it’s more likely a compromised host, as it also contained phishing pages for the dating website Match.com:\r\nFig-3 A phishing page also hosted on the IP\r\nLegitimate email for the gelirler.gov.tr domain would come from the IP specified in its MX record, 212.133.164.130. The domain’s SPF record, which enforces this, is set to “v=spf1 mx -all.”\r\nThe attachment is an XLS document titled “2017-94197 SAYILI GENELGE [DUYURU].xls.” Opening the document reveals a prevalent attack flow: macros.\r\nFig-4 Malicious attachment encouraging the user to enable macros\r\nThe Turkish text above the image translates to “Microsoft Office Macro error, enable macros for viewing,” a message that social engineers the user into enabling macros.\r\nThe macro embeds a slightly obfuscated malicious executable. The executable data is stored inside the macro as arrays of integer values spread throughout the macro script. 
The data from the arrays is combined and written to disk in the Application Data folder. The filename chosen seems to be random for every macro—most likely generated automatically.\r\nFig-5 The arrays as seen in the macro; converting the values shows a stripped PE header.\r\nIn the XLS shown above, the PE is written to %appdata%\\brqco.exe and executed. This file is a small (3 KB) loader, which downloads the second stage of the attack. The loader has no imports; at runtime it resolves the UrlDownloadToFile function from the URLMON library to download stage two, and then ShellExecute from kernel32 to run the downloaded stage two. The stage-two payload downloads from hxxp://unifscon[.]com/R9_Sys.exe.\r\nAnalysis – Stage 2 RAT\r\nStage two of the attack is a packed piece of malware, and the packer used is Visual Basic-based. After the malware unpacks, it carries unmistakable leftover information pointing to a RAT known as ‘Remcos’—specifically, it seems, the paid Pro version:\r\nFig-6 Stage two of the attack\r\nRemcos is a tool supposedly sold for ‘remote administration’ purposes, but like many such tools, it is often used in digital attacks. 
Current Remcos functionality includes:\r\nFile operations: download, upload, modify, and search for files on infected machines\r\nScreen reading: automated screenshotting of the infected machine\r\nRegistry operations: full control of the registry\r\nInteraction functionality: an operator can open a chat session with the victim\r\nSteal or modify the clipboard\r\nExecute (VBS) scripts or executables\r\nTasks (automate any of the above functionality to run periodically)\r\nUse infected hosts as SOCKS5 proxies (direct and reverse, allowing tunneling and proxying)\r\nMore information on Remcos, additional reference samples, unpacked samples, and write-ups can be found on Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nOne interesting piece of functionality is the SOCKS5 proxy capability. An operator can turn victims into proxies for their own network traffic, hiding the real C2 server. We can see the operator do this in this campaign.\r\nThe C2 server configured for the attack on the defense contractor is civita2.no-ip.biz. RiskIQ has also seen civita1.no-ip.biz used in other samples of the same campaign (more on this later). While the emails started appearing around mid-November, the operator already had a C2 server in place—a rented server at Leaseweb. 
We can see the server first appear in DNS resolution data on July 18:\r\nFig-7 Resolution info for the C2 server used in the attack\r\nThen, a little while after the spear phishing emails were sent out, we can see the IP resolution change to, most likely, IP addresses of compromised machines used as SOCKS5 proxies to hide the C2:\r\nFig-8 IP resolution info for the C2 server changing\r\nAlmost all of the IP addresses are under AS12978, a Turkish broadband IP pool; the only other IP address in the list, 176.239.143.116, comes from a Turkish mobile connection.\r\nThe odds are that the listed IP addresses belong to victims turned into SOCKS5 proxies, or to a single victim with predictably good uptime. The first IP address we noticed was most likely the C2 server with which they started. It’s possible that the actors are still using it, but have hidden it behind the SOCKS5 proxies of their victims.\r\nAnalysis – Additional Infrastructure and Malware Samples\r\nOne interesting aspect of this campaign is that the C2 domains are clearly numbered, following the civita[0-9]+.no-ip.biz pattern. We found one more set like it on shared IP space, which follows the komot[0-9]+.punkdns.pw pattern:\r\nFig-9 C2 following the same pattern\r\nThis set of domains also comes back if we investigate the domain used to spread the initial RAT, unifscon.com. 
Here is a list of file paths and the configured C2:\r\nunifscon.com filepath C2\r\n/R9_Sys.exe komot1.punkdns.pw:5700\r\n/Favos.exe civita2.no-ip.biz:4042\r\n/NWConn.exe civita1.no-ip.biz:8484\r\n/R9_Sys7.exe komot1.punkdns.pw:7500\r\nSomething to note is that the initial URL from which the stager downloads its payload, unifscon.com/R9_Sys.exe, changed payloads often during our research. This led to a lot of overlap in the attack infrastructure, linking the four domains we’ve mentioned together.\r\nThe full set of discovered samples based on the distribution domain and the C2 domains can be found in our RiskIQ Community project listed in the next section. Additionally, for those with VirusTotal Intelligence dashboard access, we suggest close monitoring of the following submitter ID: 2c5391fa. This Russia-based submitter seems to be a leading source of many of the samples we see appearing online in VirusTotal—some uploads are WinRAR SFX self-extracting containers, others just plain samples.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise (IOCs) for the campaign targeting the defense contractor can be found in the table below. Keep in mind that the IP addresses listed in the network IOC section are not all the IP addresses to which these domains have ever pointed, only those to which they pointed during the campaign described above.\r\nWe would also like to point out that this campaign wasn’t run on its own—long before this campaign, the actors used these domains in other attacks. 
Pivoting through the related IP addresses can give additional insight into the vast infrastructure of this attacker, which seems to rely on its victims as SOCKS5 proxies.\r\nExpanding our search criteria and pivoting on the C2s yielded a very large set of additional IOCs, which is available (combined with the IOCs for the defense contractor) in our RiskIQ Community Project:\r\nhttps://community.riskiq.com/projects/d731e758-cc96-b68e-4286-fe8b8f2308f1?guest=true\r\nFor a full, continuously updated list of IOCs related to this attack, visit the RiskIQ Community Public Project here: 
https://community.riskiq.com/projects/d731e758-cc96-b68e-4286-fe8b8f2308f1?guest=true\r\nSource: https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/"
	],
	"report_names": [
		"spear-phishing-turkish-defense-contractors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abdedb504ecf953777fc00b6493c376b9c581077.pdf",
		"text": "https://archive.orkl.eu/abdedb504ecf953777fc00b6493c376b9c581077.txt",
		"img": "https://archive.orkl.eu/abdedb504ecf953777fc00b6493c376b9c581077.jpg"
	}
}