Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration.
The activity, dubbed Operation CargoTalon, has been assigned to a threat cluster tracked as UNG0901 (short for Unknown Group 901).
“The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia via using товарно-транспортная накладная (TTN) documents — critical to Russian logistics operations,” Seqrite Labs researcher Subhajeet Singha said in an analysis published this week.
The attack commences with a spear-phishing email bearing cargo delivery-themed lures that contain a ZIP archive, within which is a Windows shortcut (LNK) file that uses PowerShell to display a decoy Microsoft Excel document, while also deploying the EAGLET DLL implant on the host.
The decoy document, per Seqrite, references Obltransterminal, a Russian railway container terminal operator that was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) in February 2024.
EAGLET is designed to gather system information and establish a connection to a hard-coded remote server (“185.225.17[.]104”) in order to process the HTTP response from the server and extract the commands to be executed on the compromised Windows machine.
The implant supports shell access and the ability to upload/download files, although the exact nature of the next-stage payloads delivered through this method is unknown, given that the command-and-control (C2) server is currently offline.
Seqrite said it also uncovered similar campaigns targeting the Russian military sector with EAGLET, not to mention source code and targeting overlaps with another threat cluster tracked as Head Mare that’s known to target Russian entities.
This includes the functional parallels between EAGLET and PhantomDL, a Go-based backdoor with a shell and file download/upload feature, as well as the similarities in the naming scheme used for the phishing message attachments.
The disclosure comes as the Russian state-sponsored hacking group called UAC-0184 (aka Hive0156) has been attributed to a fresh attack wave targeting victims in Ukraine with Remcos RAT as recently as this month.
While the threat actor has a history of delivering Remcos RAT since early 2024, newly spotted attack chains distributing the malware have been simplified, employing weaponized LNK or PowerShell files to retrieve the decoy file and the Hijack Loader (aka IDAT Loader) payload, which then launches Remcos RAT.
“Hive0156 delivers weaponized Microsoft LNK and PowerShell files, leading to the download and execution of Remcos RAT,” IBM X-Force said, adding it “observed key decoy documents featuring themes that suggest a focus on the Ukrainian military and evolving to a potential wider audience.”
