"Operation Celestial Force"

Tomcat

Hackers linked to Pakistan are behind a long-running malware campaign called "Operation Celestial Force", which has been active since at least 2018. According to researchers from Cisco Talos, the campaign uses the GravityRAT malware on Android and the HeavyLift loader on Windows. Infected systems are administered through a separate tool, GravityAdmin.

Cyber experts have attributed this malicious activity to the Cosmic Leopard group (also known as SpaceCobra), which shows tactical similarities to the Transparent Tribe.

"Operation Celestial Force has been active since 2018 and continues to evolve, using increasingly sophisticated and diverse malware, which indicates a high level of success in attacking users in the Indian subcontinent," researchers Asheer Malhotra and Vitor Ventura noted in their technical report.

GravityRAT was first detected in 2018 as Windows malware that targeted Indian organizations through phishing emails. Since then, it has been ported to Android and macOS and has grown into a feature-rich tool.

Last year, Meta and ESET reported continued use of the Android version of GravityRAT, targeting military personnel in India as well as Pakistan Air Force personnel, with the malware disguised as cloud storage, entertainment and chat applications.

Hackers use the GravityAdmin program to coordinate attacks. They actively use phishing and social engineering to gain the trust of potential victims, and then send them a link to a malicious site with a program that installs GravityRAT or HeavyLift, depending on the operating system.

GravityRAT has been in the arsenal of these cybercriminals since 2016, and GravityAdmin since August 2021. The latter is used to manage infected systems via the hackers' C2 servers.

GravityAdmin includes several built-in user interfaces for various campaigns, such as "FOXTROT", "CLOUDINFINITY" and "CHATICO" for Android devices, as well as "CRAFTWITHME", "SEXYBER" and "CVSCOUT" for HeavyLift attacks.

HeavyLift is a new piece of software that hackers have only recently introduced. It is an Electron-based downloader distributed through malicious Windows installers, and has some similarities to the Electron-based versions of GravityRAT described by Kaspersky Lab in 2020.

Once launched, the malware collects and sends system metadata to the C2 server and periodically requests new tasks to complete. It can also perform similar functions on macOS.

"This multi-year operation continuously targets Indian organizations and individuals associated with defense, government and technology," the researchers emphasized.