"Operation Celestial Force": Cosmic Leopard's paws tear apart critical infrastructure in India

Tomcat

Researchers have uncovered a multi-year campaign orchestrated by Pakistani cyber forces.

Pakistan-linked hackers have been running a long-lived malware campaign, dubbed "Operation Celestial Force", since at least 2018. According to researchers at Cisco Talos, the campaign relies on the GravityRAT malware for Android and the HeavyLift downloader for Windows, with both managed through a separate tool called GravityAdmin.

Cyber experts have attributed this malicious activity to the Cosmic Leopard group (also known as SpaceCobra), which shows tactical similarities to the Transparent Tribe.

“Operation Celestial Force has been active since 2018 and continues to evolve with increasingly sophisticated and varied malware, demonstrating a high level of success in targeting users in the Indian subcontinent,” researchers Asheer Malhotra and Vitor Ventura noted in their technical report.

GravityRAT was first discovered in 2018 as Windows malware that targeted Indian organizations through phishing emails. Since then, the malware has been ported to Android and macOS, making it a multi-platform tool.

Last year, Meta and ESET reported the continued use of an Android version of GravityRAT targeting military personnel in India and Pakistan Air Force personnel by masquerading as cloud storage, entertainment and chat applications.

To coordinate attacks, the hackers use the GravityAdmin program. They rely heavily on phishing and social engineering to gain the trust of potential victims, then send them a link to a malicious site hosting an installer that deploys GravityRAT or HeavyLift, depending on the victim's operating system.

GravityRAT has been in the attackers' arsenal since 2016, and GravityAdmin since August 2021. The latter is used to control infected systems through the hackers' C2 servers.

GravityAdmin includes several built-in user interfaces for various campaigns, such as "FOXTROT", "CLOUDINFINITY" and "CHATICO" for Android devices, as well as "CRAFTWITHME", "SEXYBER" and "CVSCOUT" for HeavyLift attacks.

HeavyLift is a newer addition to the group's toolkit. It is an Electron-based downloader distributed through malicious Windows installers, and it shares some similarities with the Electron-based versions of GravityRAT described by Kaspersky Lab in 2020.

Once executed, the malware collects system metadata, sends it to the C2 server, and periodically polls the server for new tasks to execute. A macOS variant performs the same functions.

“This multi-year operation has continuously targeted Indian organizations and individuals associated with defense, government and technology,” the researchers said.