Russia Faces Aerospace Cyber Espionage

Posted on September 3, 2025 (updated September 26, 2025) by Finstein.ai

UNG0901 deploys EAGLET backdoor via phishing, stealing defense data from firms like VASO
July 2025

A cyber-espionage campaign dubbed Operation Cargo Talon is targeting the Russian aerospace and defense sectors, delivering a backdoor named EAGLET for data exfiltration. The operation has been attributed to a threat cluster identified as UNG0901 (Unknown Group 901).

Primary Target

The campaign focuses on the Voronezh Aircraft Production Association (VASO), a major Russian aircraft manufacturer, using spear-phishing emails themed around cargo delivery documents (TTN), which are central to Russian logistics.

Attack Chain

  • The email contains a ZIP file with a malicious .LNK shortcut.
  • Opening the LNK file executes PowerShell to display a decoy Excel file referencing Obltransterminal (a U.S.-sanctioned Russian logistics company), while simultaneously deploying the EAGLET DLL backdoor.
  • EAGLET then contacts a hardcoded C2 server (185.225.17[.]104) to receive commands.

Malware Capabilities

EAGLET:

  • Gathers system information
  • Enables shell access
  • Supports file upload and download

Although the current C2 server is offline, its infrastructure suggests ongoing or future operations.

Threat Actor Overlap

Researchers at Seqrite Labs noted similarities between EAGLET and another malware called PhantomDL, both offering shell-based access and data transfer functions. They also found naming pattern overlaps with the Head Mare threat cluster, known for targeting Russian entities.

Hive0156 Targets Ukraine

Separately, Russian state-linked actor UAC-0184 (Hive0156) is conducting new attacks on Ukrainian targets using Remcos RAT.

  • Emails include weaponized LNK or PowerShell files, which retrieve a decoy document and deploy Hijack Loader (IDAT Loader).
  • The loader then installs Remcos RAT, which enables remote control and surveillance on compromised systems.
  • IBM X-Force reports recent campaigns are focused on Ukrainian military themes, with possible expansion to broader geopolitical targets.
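Both chains above share the same first step: a shortcut in a mail attachment launches PowerShell, which shows the victim a decoy document while pulling in the real payload (the EAGLET DLL in Operation Cargo Talon, Hijack Loader and then Remcos in the Hive0156 campaign). The detection logic below is an added example written for this post; it is not code from the article, Seqrite Labs or IBM X-Force. It runs three checks over a batch of constructed EDR-style events (field names, hostnames, PIDs, paths and file names are all invented): explorer-spawned PowerShell carrying stager switches (a double-clicked .LNK runs its target as a child of explorer.exe), rundll32/regsvr32 executing a DLL from a user-writable directory, and any connection to the C2 address the article publishes. The command-line regexes are heuristics chosen for this example, not a vendor rule set.

```python
"""Detection example added to this post (not code from the article, Seqrite Labs or IBM X-Force).

Flags the two delivery chains described above using constructed EDR-style events:
  * Operation Cargo Talon: LNK -> PowerShell opens a decoy spreadsheet and loads the EAGLET DLL,
    which then contacts the C2 address the article lists.
  * Hive0156: LNK/PowerShell retrieves a decoy document and a loader from the network.
The command-line heuristics and event field names are assumptions, not a vendor schema.
"""
import re
from typing import Dict, List

# IoC from the article (defanged there as 185.225.17[.]104).
KNOWN_C2 = {"185.225.17.104"}

# Switches typical of stagers launched from a shortcut: hidden window, policy bypass, encoded command.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|enc(?:odedcommand)?\b)", re.I)
DECOY_DOC = re.compile(r"\.(?:xlsx?|docx?|pdf)\b", re.I)               # document shown to the victim
DLL_LOADER = re.compile(r"\b(?:rundll32|regsvr32)(?:\.exe)?\b", re.I)   # DLL run out of process
REMOTE_FETCH = re.compile(r"\b(?:Invoke-WebRequest|iwr|DownloadString|DownloadFile|curl|wget)\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per matching event. Parent lookups use the process records in the same batch."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            image = basename(e["image"])
            parent = procs.get((e["host"], e["ppid"]))
            parent_image = basename(parent["image"]) if parent else ""
            cmd = e["cmdline"]
            # Rule 1: a double-clicked shortcut runs its target as a child of explorer.exe, so
            # explorer-spawned PowerShell carrying stager switches is the LNK delivery signal.
            if image == "powershell.exe" and parent_image == "explorer.exe" and SUSPICIOUS_PS_FLAGS.search(cmd):
                reasons = ["explorer-spawned PowerShell with hidden/bypass/encoded switches"]
                if DECOY_DOC.search(cmd) and DLL_LOADER.search(cmd):
                    reasons.append("opens a decoy document while loading a DLL (Cargo Talon pattern)")
                if REMOTE_FETCH.search(cmd):
                    reasons.append("retrieves content from the network (Hive0156 pattern)")
                alerts.append({"rule": "lnk_launched_powershell", "host": e["host"], "pid": e["pid"], "reasons": reasons})
            # Rule 2: rundll32/regsvr32 executing a DLL from a user-writable path, the backdoor loading step.
            elif image in ("rundll32.exe", "regsvr32.exe") and USER_WRITABLE.search(cmd):
                alerts.append({"rule": "dll_loaded_from_user_path", "host": e["host"], "pid": e["pid"],
                               "reasons": [f"{image} loading from a user-writable directory, parent {parent_image or 'unknown'}"]})
        # Rule 3: any connection to the published C2 address.
        elif e["type"] == "network" and e["dst_ip"] in KNOWN_C2:
            alerts.append({"rule": "known_c2_contact", "host": e["host"], "pid": e["pid"],
                           "reasons": [f"connection to {e['dst_ip']}:{e['dst_port']}"]})
    return alerts


# Constructed sample telemetry; hostnames, PIDs, paths and file names are invented for this example.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "host": "ws-01", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "Start-Process C:\Users\u\AppData\Local\Temp\TTN_2025.xlsx; '
                r'rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,Start"'},
    {"type": "process", "host": "ws-01", "pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,Start"},
    {"type": "network", "host": "ws-01", "pid": 4130, "dst_ip": "185.225.17.104", "dst_port": 80},
    {"type": "process", "host": "ws-03", "pid": 7000, "ppid": 1300, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "host": "ws-03", "pid": 7010, "ppid": 7000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr http://example.invalid/decoy.pdf -OutFile $env:TEMP\decoy.pdf"'},
    # Benign: scheduled inventory script, parent is not explorer.exe, internal destination.
    {"type": "process", "host": "ws-02", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"type": "network", "host": "ws-02", "pid": 5000, "dst_ip": "10.0.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["host"], a["pid"], a["rule"], "|", "; ".join(a["reasons"]))
```

Run stand-alone, the script raises four alerts on the two infected hosts and none on ws-02. Rule 1 is the one worth keeping after the C2 address rotates: the explorer.exe parent relationship and the stager switches survive a change of infrastructure, whereas Rule 3 only catches the address the article published and should be treated as a short-lived indicator.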

Attackers won’t wait. Why should you? Upgrade immediately.

praveen@finstein.ai | www.cyber.finstein.ai

Source: Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor

#SpearPhishing #MalwareAnalysis #PowerShellAttack #DLLInjection #CommandAndControl #TTPs (Tactics, Techniques and Procedures) #LNKFileThreat #RemoteAccessTrojan #OperationCargoTalon #EAGLETMalware #UNG0901 #PhantomDL #HeadMare #Hive0156 #RemcosRAT #CyberEspionage #APTActivity #CyberThreatIntelligence

