Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant

2018-03-08 McAfee

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

McAfee attributed a campaign against Turkish financial and government-linked finance organizations to Hidden Cobra based on Bankshot code similarity, victim sector, and control-server strings. Spear-phishing emails carried malicious Word documents with embedded Flash content exploiting CVE-2018-4878, which downloaded and executed Bankshot DLL implants from the lookalike domain falcancoin.io. The victims observed on March 2 and 3 included a major government-controlled financial organization, another Turkish government finance and trade organization, and three large Turkish financial institutions, with no other sectors or countries seen in telemetry. Bankshot acted as a backdoor for persistence and follow-on access, dynamically loading APIs, decrypting C2 strings, beaconing through HTTP POST fields such as board_id and user_id, and supporting commands for file listing, process control, system discovery, command execution, file read/write, deletion, and loading additional libraries. The activity matters because the implant closely matched earlier Bankshot variants associated with Hidden Cobra financial operations and could represent reconnaissance for a future financial heist.
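The beacon pattern and network indicators described above, as an added detection example that is not code from the McAfee report: it scans web-proxy log lines for HTTP POST bodies carrying both board_id and user_id and for any request to falcancoin.io. The log format, the sample lines, the internal addresses and the 198.51.100.7 server are all constructed for this example.

```python
# Added example: flag proxy log lines matching the Bankshot indicators described
# in the report (POST form fields board_id + user_id; traffic to falcancoin.io).
# The log format below is constructed for this example; adapt LOG_RE to your proxy.
import re
from urllib.parse import parse_qs, urlsplit

IOC_DOMAINS = {"falcancoin.io"}          # lookalike domain named in the report
BEACON_FIELDS = {"board_id", "user_id"}  # POST fields used by the Bankshot beacon

# Constructed format: "<ts> <src_ip> <method> <url> <status>[ body=<form-body>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: body=(?P<body>.*))?$"
)

# Constructed sample log lines (198.51.100.7 is a documentation address).
SAMPLE_LOGS = """\
2018-03-02T09:14:03Z 10.1.4.22 GET http://update.example-cdn.net/patch.bin 200
2018-03-02T09:14:09Z 10.1.4.22 POST http://www.example.org/login 302 body=user=j.smith&pass=REDACTED
2018-03-02T09:15:11Z 10.1.4.22 POST http://198.51.100.7/board.php 200 body=board_id=1&user_id=a1b2c3d4&other=x
2018-03-02T09:16:40Z 10.1.4.23 GET http://falcancoin.io/images/logo.png 200
2018-03-02T09:20:00Z 10.1.4.30 POST http://intranet.example.org/post 200 body=board_id=42
""".splitlines()


def check_line(line):
    """Return the list of indicator names this line matches ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    host = (urlsplit(m.group("url")).hostname or "").lower()
    if host in IOC_DOMAINS:
        reasons.append(f"ioc-domain:{host}")
    if m.group("method") == "POST" and m.group("body"):
        fields = set(parse_qs(m.group("body"), keep_blank_values=True))
        if BEACON_FIELDS <= fields:  # both beacon fields present, not just one
            reasons.append("bankshot-beacon-fields")
    return reasons


def scan(lines):
    """Return (src_ip, url, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        reasons = check_line(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("src"), m.group("url"), reasons))
    return hits


if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOGS):
        print(f"{src} {url} -> {', '.join(reasons)}")
```

A single board_id field (last sample line) is deliberately not flagged, so the rule keys on the field pair rather than on one common parameter name.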

Indicators of Compromise

Type    Value                             First Seen   Last Seen
DOMAIN  falcancoin.io                     2018-03-07   2018-06-22
HASH    a2e966edee45b30bb6bb5c978e55833…  2018-03-08   2018-03-08
HASH    843c17b06a3aee22447f02130790989…  2018-03-08   2018-03-08
HASH    65e7d2338735ec04fd9692d020298e5…  2018-03-08   2018-03-08
HASH    166e8c643a4db0df6ffd6e3ab536b3d…  2018-03-08   2018-03-08
HASH    343ebca579bb888eb8ccb811f9b5228…  2018-03-08   2018-03-08
HASH    650b7d25f4ed87490f8467eb48e0443…  2018-03-08   2018-03-08
