Back to Blog

Espionage Campaign Sets Sites on Turkish Defense Contractors

January 24, 2018

By: mirabiliscorp


by Tara Seals

January 23, 2018

An unknown actor purporting to be from the tax collection arm of the Turkish government has been carrying out spear-phishing campaigns against Turkish defense contractors.

According to RiskIQ, the perpetrators have been targeting multiple people inside a given organization since November 2017 with weaponized documents that download a remote access Trojan (RAT) named Remcos. Remcos can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs, and manage files. Interestingly, it also has SOCKS5 proxy capabilities: An operator can turn the victims of the crime into proxies for its own network, hiding the real C2 server.

“Regions of the world in geopolitical turmoil, like Turkey, are prime targets for cyber-espionage campaigns,” said RiskIQ researcher Yonathan Klijnsma in a blog. “The group used tactics that have become extremely useful for cyber-spies – spear-phishing emails that social engineer the victim to download an attached or embedded file and then enable macros.”

The email supposedly comes from the Turkish government entity responsible for taxes. The email states that there is a possible tax exemption in place for the receiver if they fill out the attached documents. Although the sender domain,, is valid, the actual email Sender Policy Framework (SPF) verification failed in analysis.


Contact us

Safety is essential to your decision making. We are sure that our team can clarify any doubts. After all, we understand security.

Follow us


Contact Us
First Name*
Last Name*
Mobile Number*
Tell us what do you need* ?
Products: Hold CTRL+Click to add more than 1.* ?
I agree to the Privacy Policy and Terms of Service.