New Cyber Espionage Campaign Targets Russian Aerospace Sector with EAGLET Implant

Russian aerospace and defense industries have emerged as the primary targets of a cyber espionage operation referred to as Operation CargoTalon. The campaign, attributed to a threat cluster tracked as UNG0901, targets these critical sectors with a backdoor dubbed EAGLET, built for data exfiltration.

The attack primarily targets employees of the Voronezh Aircraft Production Association (VASO), using cargo delivery-themed spear-phishing emails that carry ZIP archives. Inside each archive, a Windows shortcut (LNK) file invokes PowerShell to open an inconspicuous Microsoft Excel decoy document while simultaneously implanting EAGLET on the victim's system, as detailed in a recent analysis by Seqrite Labs researcher Subhajeet Singha.
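The LNK-to-PowerShell chain described above is what an endpoint detection would key on: the shell (explorer.exe) launches PowerShell with window-hiding switches, that PowerShell process opens an Office decoy, and it also starts a second binary from a user-writable path. The following script is an added illustration, not code from Seqrite or from the campaign; it runs over a handful of constructed process-creation events in a simplified Sysmon Event ID 1 shape, and the file names and paths in the sample are placeholders, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Simplified process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# PowerShell switches typically used so the victim never sees a console.
HIDDEN_PS = re.compile(
    r"-(w(indowstyle)?\s+hidden|nop(rofile)?|noni(nteractive)?|enc(odedcommand)?|ec?)\b",
    re.I,
)
# Locations a phishing-delivered payload can be written to without admin rights.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
OFFICE_DOC = re.compile(r"\.(xlsx?|xlsm|docx?)\b", re.I)
OFFICE_BIN = ("excel.exe", "winword.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_lnk_powershell_chains(events: List[ProcEvent]) -> List[Dict]:
    """Flag PowerShell launched by the shell that opens an Office decoy and/or
    starts a binary from a user-writable path (the shortcut-lure pattern)."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if basename(e.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(e.ppid)
        # A double-clicked shortcut is started by the shell, so the parent is explorer.exe.
        if parent is None or basename(parent.image) != "explorer.exe":
            continue

        reasons = []
        if HIDDEN_PS.search(e.cmdline):
            reasons.append("hidden/non-interactive/encoded PowerShell switches")
        kids = children.get(e.pid, [])
        if OFFICE_DOC.search(e.cmdline) or any(basename(k.image) in OFFICE_BIN for k in kids):
            reasons.append("opens an Office document (possible decoy)")
        dropped = [k for k in kids
                   if basename(k.image) not in OFFICE_BIN and USER_WRITABLE.search(k.image)]
        if dropped:
            reasons.append("starts a binary from a user-writable path: "
                           + ", ".join(k.image for k in dropped))
        # Require two indicators so an admin running "-NoProfile -File script.ps1" is not flagged.
        if len(reasons) >= 2:
            findings.append({"pid": e.pid, "cmdline": e.cmdline, "reasons": reasons})
    return findings


# Constructed sample telemetry: one lure chain (pids 200/300/301) and one benign
# PowerShell launch (pid 400). Paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -nop -c Start-Process "
              r"C:\Users\u\AppData\Local\Temp\cargo\consignment.xlsx; "
              r"Start-Process C:\Users\u\AppData\Roaming\cargo\svc.exe"),
    ProcEvent(300, 200, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              "EXCEL.EXE consignment.xlsx"),
    ProcEvent(301, 200, r"C:\Users\u\AppData\Roaming\cargo\svc.exe", "svc.exe"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for f in find_lnk_powershell_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['cmdline']}")
        for r in f["reasons"]:
            print("  -", r)
```

The two-indicator threshold is the point of the design: any one signal (a hidden window, an Office document on the command line, a child process in AppData) appears in legitimate activity, but a shell-launched PowerShell that both shows a document and starts an unsigned binary from a user-writable path is the lure's signature. In a real deployment the same logic would be fed from Sysmon or EDR process-creation events rather than the constructed list.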

According to Seqrite's assessment, the decoy document references Obltransterminal, a Russian railway container terminal operator sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) in February 2024. Once running, EAGLET gathers basic system information, connects to a hard-coded remote server, and parses the HTTP responses it receives to execute further commands on the compromised machine.

EAGLET's capabilities include shell access and data transmission, although the payloads it downloads or uploads through its command-and-control server remain unknown, as the server is currently offline. Seqrite also noted similar malicious activity aimed at the Russian military sector with connections to another threat cluster, Head Mare, further underscoring the intricate web of cyber threats faced by Russian entities.

This latest revelation comes at a time when the state-sponsored hacking group UAC-0184, also known as Hive0156, has been linked to a renewed wave of attacks against Ukrainian targets using the Remcos Remote Access Trojan. IBM X-Force reported that Hive0156 has adapted its tactics, employing weaponized LNK or PowerShell files that start the malware delivery directly.