Russian aerospace and defense industries have become the target of Operation CargoTalon, a cyber espionage campaign deploying the EAGLET backdoor for data exfiltration. The operation primarily targets Voronezh Aircraft Production Association employees using cargo delivery-themed spear-phishing emails containing malicious ZIP files. EAGLET collects system information and connects to a predefined remote server for command execution. Similar attacks are observed in the military sector, revealing connections with another threat cluster, Head Mare, highlighting the continued risk to Russian entities from cyber threats.
The campaign targets employees of Voronezh Aircraft Production Association (VASO), one of Russia's major aircraft manufacturers, using lures built around товарно-транспортная накладная (TTN, consignment note) documents, which are central to Russian logistics operations.
EAGLET is designed to gather system information and establish a connection to a hard-coded remote server ("185.225.17[.]104"); it then parses the HTTP response from the server to extract the commands to be executed on the compromised Windows machine.
Seqrite said it also uncovered similar campaigns targeting the Russian military sector with EAGLET, not to mention source code and targeting overlaps with another threat cluster tracked as Head Mare that's known to target Russian entities.