What Happened
On December 30th, security researchers uncovered a highly targeted phishing operation using an evolved variant of the Adwind Remote Access Trojan (RAT). Internally, analysts began referring to it as “The Turkish Rat”—not as a marketing label, but as a reflection of both the operational focus and early infrastructure patterns tied to the campaign.
This wasn’t a routine malware run or opportunistic spam blast. What stood out immediately was the precision. The attackers weren’t casting a wide net; they were going after the global logistics ecosystem with intent. Container shipping operators, freight forwarders, customs brokers, warehouse management firms—organizations that sit at the heart of international trade—were clearly in scope.
The implications were serious. Compromise in this sector doesn’t just mean stolen data. It means visibility into supply chains, access to shipment schedules, customs documentation, and in some cases, the ability to disrupt or manipulate physical movement of goods.
The Adwind Legacy
Adwind is far from new. First appearing around 2012, it’s one of those malware families that has quietly survived every industry shift. Written in Java, it was cross-platform from the start—capable of running on Windows, Linux, macOS, and even Android environments. That design choice alone made it attractive to attackers targeting heterogeneous enterprise networks.
Over the years, Adwind has been sold openly on underground forums under various names: Frutas, AlienSpy, Unrecom, Sockrat, JSocket. It’s essentially malware-as-a-service, with pricing historically low enough that even unsophisticated attackers could deploy it. For as little as a few dozen dollars a month, buyers got a full-featured RAT with updates and support.
That accessibility is what makes Adwind dangerous. It doesn’t rely on zero-day exploits or advanced kernel tricks. Instead, it leans heavily on social engineering, poor attachment hygiene, and environments where Java execution is still allowed without restriction. This Turkish-focused variant shows that the malware has continued to evolve, even if its core architecture remains familiar.
How the Attack Unfolded
Initial Compromise
The campaign relied on spear-phishing combined with classic business email compromise techniques. Emails were crafted to look like legitimate operational communications—shipping notifications, customs clearance documents, bills of lading, or port authority updates.
These are exactly the types of emails logistics professionals receive daily. The language was correct. The formatting looked right. In many cases, the sender appeared to be a known partner or service provider.
Attachments carried the payload. Most commonly, they were Java Archive (JAR) files masquerading as PDFs or tucked inside ZIP archives. File names were carefully chosen to blend in:
Customs_Declaration_DHL_30122024.jar
BOL_Container_MSCU8473629.jar
Invoice.pdf.jar
Double extensions were frequently used to slip past cursory inspection. With Explorer's default "hide extensions for known file types" setting and a JRE installed, Invoice.pdf.jar is displayed as Invoice.pdf, yet a double-click still hands the file to javaw.exe.
Execution Chain
Once the attachment was opened, the Java payload executed quietly. This is where the cross-platform design mattered. Many logistics environments run a mix of Windows desktops, Linux servers, and specialized systems for warehouse or fleet management. The same payload could function across all of them.
The initial dropper performed several checks before doing anything malicious:
- System memory size and CPU core count
- Running processes associated with sandboxes or analysis tools
- Indicators of virtualized environments
If anything looked suspicious, the malware either exited or executed harmless code to avoid tipping off defenders.
On clean systems, it moved quickly to persistence. On Windows, it created registry Run keys. On Linux systems, it deployed cron jobs. Copies of the malware were written to disk using names that looked routine:
java_update.jar
system_service.jar
Files were often hidden to avoid casual discovery.
Command and Control
Communication with command-and-control servers was designed to blend into normal traffic. The RAT used standard HTTP and HTTPS over common ports, often hosted on compromised legitimate websites rather than obvious malicious infrastructure.
Traffic was encrypted using AES with dynamically generated keys, which left little for content-based network signatures; detection had to lean on traffic shape (beacon timing, destination reputation, volume) rather than payload inspection. If primary C2 domains went offline, the malware could fall back to domain-generation logic, allowing operators to regain access without redeploying payloads.
Capabilities Observed
Once fully established, the Turkish Rat variant behaved like a purpose-built espionage tool for logistics environments.
Keylogging and Screen Capture
Keystrokes were recorded continuously, with screenshots taken when certain applications were active—email clients, browsers accessing shipping portals, and logistics management software.
File Discovery and Exfiltration
The malware searched aggressively for files associated with supply chain operations. It wasn’t just grabbing everything. It looked for filenames and directories containing keywords such as:
- manifest
- cargo
- customs
- invoice
- shipment
Excel spreadsheets, PDFs, and database files tied to warehouse and transport systems were high-value targets.
Webcam and Microphone Access
While less obvious in purpose, these features likely supported credential theft and intelligence gathering, for example by recording credentials read out during calls or monitoring operational discussions.
Credential Harvesting
Saved credentials from browsers and FTP clients were specifically targeted. This is especially dangerous in logistics, where FTP is still widely used for EDI exchanges with partners.
Remote Shell Access
Attackers could execute arbitrary commands, disable security tooling, move laterally, and deploy secondary payloads. Adwind is often used as a foothold rather than the final stage of an intrusion.
Organizations Affected
Due to active investigations, most impacted companies have not been named publicly. However, the campaign affected organizations across the logistics spectrum:
- Major container shipping lines operating intercontinental routes
- Third-party logistics (3PL) providers managing warehousing and retail distribution
- Customs brokerage firms handling import/export documentation
- Freight forwarders coordinating air, sea, and ground transport
- Port authority–adjacent systems in parts of Europe and the Middle East
Early targeting aligned closely with Turkish trade routes, but the scope expanded quickly. Asian and European firms with no direct Turkish operations were also hit, suggesting either mission creep or broader strategic objectives.
Technical Indicators of Compromise
File Hashes (SHA-256)
7f4d8c3e9a1b5f6d2c8e4a7b9c1d3f5e6a8b7c9d2e4f6a8b1c3d5e7f9a2b4c6d
3e5a7c9b1d4f6e8a2c5b7d9f1e3a6c8b4d7f9e2a5c7b9d1f4e6a8c2b5d7f9e1a
9c2e4a6b8d1f3e5a7c9b2d4f6e8a1c3b5d7f9e2a4c6b8d1f3e5a7c9b2d4f6e8a
Network Indicators
C2 Domains
shipping-logistics[.]online
cargo-tracking-sys[.]com
dhl-customs-portal[.]net
fedex-document-center[.]org
maersk-verify-systems[.]com
IP Addresses
185.234.219.47
91.219.237.89
194.68.47.102
45.142.212.61
Registry Keys (Windows)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdateSched
HKLM\Software\JavaSoft\Prefs\java_update
HKCU\Software\Classes\JAR\shell\open\command
File Locations
%APPDATA%\Java\Updates\java_update.jar
%TEMP%\~tmp_java_cache\system_service.jar
/var/tmp/.java_daemon
/usr/share/java/.sys_update
Mutexes
{A9F8C7D6-E5B4-3A2C-1F9D-8E7C6B5A4D3E}
ADWIND_MUTEX_2024_v3
JAVA_SYSTEM_MONITOR_PROC
Detection Strategies
Network Level
- Monitor outbound connections to newly registered or look-alike domains impersonating logistics brands
- Look for regular beaconing intervals (often every 30–60 seconds)
- Inspect TLS certificates for anomalies such as self-signed or mismatched certificates and odd issuer details (short lifespans alone prove little now that ACME issuers hand out 90-day certificates routinely)
- Investigate large outbound uploads during off-hours, especially compressed archives
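The network-level checks above (look-alike brand domains, regular beaconing, large off-hours uploads) can be run over ordinary proxy logs. The following is an added Python example written for this article, not tooling from the original report. It assumes a constructed one-record-per-line log format, an assumed allowlist of the impersonated brands' real apex domains, and a naive "last two labels" split for the registrable domain; the sample log and the host names it contains are constructed for the demonstration and reuse one domain from the IOC list above.

```python
"""Network-side hunt over proxy logs for beaconing, look-alike C2 domains and
off-hours uploads. Added example, not tooling from the original write-up.
Assumed log format: "<ISO-8601 UTC> <src_ip> <dest_host> <dest_port> <bytes_out>".
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed allowlist of the brands' real apex domains (extend with your partners).
LEGIT_APEX = {"dhl.com", "fedex.com", "maersk.com", "msc.com"}
BRANDS = ("dhl", "fedex", "maersk", "msc")

# Constructed sample: a ~45 s beacon to a C2 host from the IOC list, irregular
# browsing to the real DHL portal, two hits on a brand look-alike, and one
# 40 MiB upload at 03:12 UTC to the C2 host.
SAMPLE_LOG = """\
2024-12-30T09:00:00Z 10.20.3.41 cargo-tracking-sys.com 443 612
2024-12-30T09:00:45Z 10.20.3.41 cargo-tracking-sys.com 443 598
2024-12-30T09:01:31Z 10.20.3.41 cargo-tracking-sys.com 443 604
2024-12-30T09:02:15Z 10.20.3.41 cargo-tracking-sys.com 443 611
2024-12-30T09:03:00Z 10.20.3.41 cargo-tracking-sys.com 443 602
2024-12-30T09:03:46Z 10.20.3.41 cargo-tracking-sys.com 443 599
2024-12-30T03:12:09Z 10.20.3.41 cargo-tracking-sys.com 443 41943040
2024-12-30T09:00:05Z 10.20.3.41 portal.dhl.com 443 1540
2024-12-30T09:07:12Z 10.20.3.41 portal.dhl.com 443 2210
2024-12-30T09:31:40Z 10.20.3.41 portal.dhl.com 443 980
2024-12-30T11:02:03Z 10.20.3.41 portal.dhl.com 443 1720
2024-12-30T13:40:11Z 10.20.3.41 portal.dhl.com 443 1333
2024-12-30T10:15:00Z 10.20.3.77 dhl-customs-portal.net 443 743
2024-12-30T10:15:02Z 10.20.3.77 dhl-customs-portal.net 443 48120
"""


def parse(log_text):
    """Yield (timestamp, src, host, port, bytes_out) per non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, out = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host.lower(), int(port), int(out)


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). Production code should use
    the Public Suffix List so that co.uk-style suffixes are handled."""
    return ".".join(host.split(".")[-2:])


def beacon_stats(times):
    """Median inter-connection gap and its median absolute deviation (MAD).
    MAD is used instead of stddev so one long gap does not mask a beacon."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    mad = statistics.median([abs(g - med) for g in gaps])
    return med, mad


def hunt(log_text, min_hits=5, max_jitter=0.2, upload_bytes=10 << 20):
    """Return findings as (kind, src, host, detail) tuples."""
    findings = []
    by_pair = defaultdict(list)
    for ts, src, host, _port, out in parse(log_text):
        by_pair[(src, host)].append((ts, out))
    for (src, host), conns in by_pair.items():
        # Look-alike: brand string in the host name, but not one of the real apex domains.
        if any(b in host for b in BRANDS) and registrable(host) not in LEGIT_APEX:
            findings.append(("lookalike", src, host,
                             f"registrable domain {registrable(host)} not on allowlist"))
        # Beacon: enough connections, plausible period, low jitter.
        if len(conns) >= min_hits:
            med, mad = beacon_stats([t for t, _ in conns])
            if 5 <= med <= 3600 and mad / med <= max_jitter:
                findings.append(("beacon", src, host,
                                 f"median interval {med:.1f}s, jitter {mad / med:.1%}"))
        # Off-hours volume: bytes sent between 00:00 and 06:00 (assumed local = UTC).
        night = sum(o for t, o in conns if 0 <= t.hour < 6)
        if night >= upload_bytes:
            findings.append(("offhours_upload", src, host,
                             f"{night} bytes sent between 00:00 and 06:00 UTC"))
    return findings


if __name__ == "__main__":
    for kind, src, host, detail in hunt(SAMPLE_LOG):
        print(f"{kind:16} {src:12} {host:28} {detail}")
```

The MAD-based jitter test is deliberate: the single 03:12 connection to the C2 host produces one multi-hour gap, and a standard-deviation test would let that outlier hide the otherwise metronomic 45-second beacon. The legitimate DHL portal traffic passes all three checks, which is the behaviour you want before pointing this at real logs.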
Endpoint Level
- Flag Java processes executing from user directories like %APPDATA% or %TEMP%
- Monitor JAR execution initiated by email clients or browsers
- Watch for clipboard monitoring behavior
- Alert on access to browser password stores or Windows Credential Manager
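The first two endpoint checks, together with the Run-key and cron persistence described under Execution Chain, reduce to one question: is this Java launch (live, or scheduled) running a JAR from somewhere it should not, or spawned by something that should never spawn Java? The following added Python example, written for this article and not code from the original report, scores constructed process-creation records, Run-key values and crontab lines modelled on the artifacts above. The location patterns, parent-process list and score threshold are assumed policy rather than any vendor's rules, and the event shape is a stand-in for whatever your EDR or Sysmon pipeline emits.

```python
"""Endpoint-side triage of Java launches and Java persistence entries.
Added example, not code from the original write-up. Patterns and threshold
are assumed policy; events are constructed for the demonstration."""
import re
from dataclasses import dataclass

JAVA_BIN = re.compile(r"(^|[\\/])(java|javaw|javaws)(\.exe)?$", re.I)
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)
# Locations a sanctioned Java application should not run from (assumed policy).
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|%tmp%"
    r"|\\appdata\\|\\users\\[^\\]+\\(downloads|desktop|documents)\\|\\temp\\"
    r"|^/tmp/|^/var/tmp/|^/dev/shm/|^/home/[^/]+/)",
    re.I,
)
HIDDEN_SEGMENT = re.compile(r"[\\/]\.[^\\/]+")  # a path component starting with "."
MAIL_OR_BROWSER = re.compile(
    r"(outlook|thunderbird|chrome|msedge|firefox|iexplore)(\.exe)?$", re.I)


@dataclass
class Event:
    label: str        # sample name, for the demonstration only
    source: str       # "process", "run_key" or "cron"
    command: str      # command line, Run-key value data, or a full crontab line
    parent: str = ""  # parent image; process events only


def _first_token(cmd: str) -> str:
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def _cron_command(line: str) -> str:
    """Strip the schedule (five fields, or one @keyword) from a crontab line."""
    n = 1 if line.lstrip().startswith("@") else 5
    parts = line.split(None, n)
    return parts[n] if len(parts) > n else ""


def evaluate(ev: Event) -> tuple[int, list[str]]:
    """Score one event; anything that is not a Java launch scores 0."""
    cmd = _cron_command(ev.command) if ev.source == "cron" else ev.command
    exe = _first_token(cmd)
    if not JAVA_BIN.search(exe):
        return 0, []
    m = JAR_ARG.search(cmd)
    jar = (m.group(1) or m.group(2)) if m else ""
    score, reasons = 0, []
    for what, path in (("java binary", exe), ("jar", jar)):
        if path and USER_WRITABLE.search(path):
            score += 3
            reasons.append(f"{what} in user-writable/temp location: {path}")
        if path and HIDDEN_SEGMENT.search(path):
            score += 2
            reasons.append(f"{what} under a hidden path: {path}")
    if ev.source == "process" and MAIL_OR_BROWSER.search(ev.parent):
        score += 3
        reasons.append(f"launched by mail client or browser: {ev.parent}")
    if ev.source in ("run_key", "cron") and jar:
        score += 1  # a persisted JAR is weak evidence on its own
        reasons.append(f"{ev.source} persistence launches a JAR")
    return score, reasons


def hunt(events, threshold: int = 3):
    """Return (event, score, reasons) for every event at or above the threshold."""
    return [(ev, s, r) for ev in events for s, r in [evaluate(ev)] if s >= threshold]


JAVAW = r'"C:\Program Files\Java\jre1.8.0_341\bin\javaw.exe"'
SAMPLE_EVENTS = [  # constructed, modelled on the artifacts described in the write-up
    Event("outlook-appdata", "process",
          JAVAW + r' -jar "C:\Users\ayse\AppData\Roaming\Java\Updates\java_update.jar"',
          parent=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    Event("wms-client", "process",
          JAVAW + r' -jar "C:\Program Files\WMS\wms-client.jar"',
          parent=r"C:\Windows\explorer.exe"),
    Event("runkey-appdata", "run_key",
          JAVAW + r' -jar "%APPDATA%\Java\Updates\java_update.jar"'),
    Event("cron-hidden-vartmp", "cron",
          "*/5 * * * * /usr/bin/java -jar /var/tmp/.java_daemon/system_service.jar >/dev/null 2>&1"),
    Event("tms-agent", "process", "/usr/bin/java -jar /opt/tms/tms-agent.jar",
          parent="/usr/lib/systemd/systemd"),
    Event("chrome-downloads", "process",
          JAVAW + r' -jar "C:\Users\mehmet\Downloads\Invoice.pdf.jar"',
          parent=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for ev, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{score}] {ev.label}: " + "; ".join(reasons))
```

The two legitimate launches (a warehouse client under Program Files started from Explorer, a transport agent under /opt started by systemd) score zero, so the rule does not simply fire on every JVM in a logistics estate. The weighting is the part to tune locally: a JAR in a Run key is worth one point because packaged desktop tools do that, whereas a JAR launched out of AppData by Outlook is the exact chain this campaign used.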
Email Security
- Quarantine JAR files delivered via email, especially inside ZIP archives
- Detonate suspicious attachments in sandbox environments
- Enforce DMARC, SPF, and DKIM to reduce spoofed sender abuse
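The first item in this list is the gateway-side answer to the JAR-as-PDF and ZIP-wrapped attachments described under Initial Compromise, and the important detail is to decide by content rather than by file name: a JAR is just a ZIP container whose entries include META-INF/MANIFEST.MF and compiled .class files, so the same check catches Invoice.pdf.jar, a JAR renamed to .pdf, and a JAR tucked inside a ZIP. The following added Python example was written for this article and is not tooling from the original report; the nesting and size limits are assumed gateway policy, and all sample attachments are constructed in memory (the "JAR" is a manifest plus a stub class entry, not real bytecode).

```python
"""Content-based detection of Java archives delivered as e-mail attachments.
Added example, not code from the original write-up. Limits are assumed policy;
sample attachments are constructed in memory for the demonstration."""
import io
import re
import zipfile

MAX_DEPTH = 3                 # assumed policy: unpack archives at most this deep
MAX_ENTRY_BYTES = 50 << 20    # assumed policy: never inflate an entry above 50 MiB

# Name-based signals are secondary; the content check below is what decides.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|csv|txt|jpe?g|png)\.(jar|exe|js|vbs|scr|bat)$", re.I)
EXEC_EXT = re.compile(r"\.(jar|exe|js|vbs|scr|bat)$", re.I)


def is_zip(data: bytes) -> bool:
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP whose entries include a manifest or compiled classes."""
    if not is_zip(data):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.upper() == "META-INF/MANIFEST.MF" or n.lower().endswith(".class")
               for n in names)


def analyze(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Collect findings for one attachment, descending into plain ZIP archives."""
    findings = []
    if DOUBLE_EXT.search(name):
        findings.append(f"{name}: double extension")
    if is_jar(data):
        findings.append(f"{name}: Java archive by content")
        return findings  # verdict is settled; no need to walk the JAR's entries
    if EXEC_EXT.search(name):
        findings.append(f"{name}: executable extension")
    if is_zip(data) and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_ENTRY_BYTES:
                        findings.append(f"{name}/{info.filename}: oversized entry, not inflated")
                        continue
                    findings += analyze(f"{name}/{info.filename}", zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt ZIP")
    elif is_zip(data):
        findings.append(f"{name}: nesting limit reached")
    return findings


def verdict(name: str, data: bytes) -> str:
    """Quarantine anything that is, contains, or claims to be executable."""
    return "quarantine" if analyze(name, data) else "allow"


def build_jar() -> bytes:
    """Constructed stand-in for a JAR: manifest plus a stub class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, entry_data in entries.items():
            zf.writestr(entry_name, entry_data)
    return buf.getvalue()


SAMPLES = {  # constructed attachments
    "Invoice.pdf.jar": build_jar(),                                        # double extension + JAR
    "Customs_Declaration.zip": build_zip({"Customs_Declaration.pdf.jar": build_jar()}),
    "Manifest_photo.pdf": build_jar(),                                     # renamed JAR, benign name
    "Invoice.pdf": b"%PDF-1.4\n%constructed placeholder\n",
    "Rates_2024.zip": build_zip({"rates.csv": b"lane,rate\nIST-HAM,1200\n"}),
}

if __name__ == "__main__":
    for attachment, payload in SAMPLES.items():
        print(f"{verdict(attachment, payload):10} {attachment}  {analyze(attachment, payload)}")
```

Note that "Manifest_photo.pdf" is quarantined purely on content: no extension rule would have touched it. The per-entry size cap and depth limit are there because an attachment scanner that inflates whatever it is handed is itself a denial-of-service target.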
Prevention Measures
Technical Controls
- Disable Java Web Start and the Java browser plugin where older runtimes still provide them (both were removed from Oracle's JDK from version 11 onward)
- Enforce application control (for example AppLocker or WDAC on Windows) to restrict where Java and JAR files can execute
- Segment logistics systems from general corporate networks
- Deploy EDR with behavioral detection, not just signatures
- Harden email gateways to block executable archive formats
Operational Measures
- Provide industry-specific phishing training for logistics staff
- Establish verification procedures for unexpected shipping documents
- Enforce least-privilege access on endpoints
- Maintain incident response playbooks tailored to RAT infections in supply-chain environments
Remediation Steps
Immediate Containment
- Isolate infected systems at the network level
- Identify lateral movement paths and accessed systems
- Reset all credentials used on compromised hosts
Investigation
- Capture forensic images before cleanup
- Review email logs for additional victims
- Analyze proxy and firewall logs for C2 traffic
- Determine whether sensitive data was exfiltrated
Eradication
- Remove all identified artifacts
- Verify no secondary payloads were dropped
- Rebuild systems when persistence cannot be confidently removed
Recovery and Hardening
- Update detection rules with campaign-specific IOCs
- Restrict Java usage aggressively
- Increase monitoring on logistics databases and export functions
- Conduct post-incident reviews focused on both technical and process gaps
The Bigger Picture
This campaign is notable not just for its tooling, but for its intent. Targeting logistics infrastructure provides visibility—and potentially influence—over global trade. Whether the motivation was financial espionage, strategic intelligence, or preparation for future disruption, the risk is clear.
The logistics sector has long operated under tighter margins and thinner security budgets than industries like finance or healthcare. That makes it an attractive target. Legacy systems, trusted partner communications, and operational urgency create ideal conditions for attacks like this.
The Turkish Rat campaign should be treated as a warning. Supply chains are critical infrastructure. If attackers can quietly observe them today, tomorrow they may be able to manipulate them.
And that’s a much harder problem to clean up.
