Russian aerospace and defense sectors have come under a cyber espionage campaign that uses a backdoor named EAGLET to steal sensitive data.
The campaign, called Operation CargoTalon, has been linked to a threat group identified as UNG0901 (Unknown Group 901).
According to Subhajeet Singha of Seqrite Labs, the operation targets employees of the Voronezh Aircraft Production Association (VASO), a key aircraft manufacturer in Russia. The lures are built around товарно-транспортная накладная (TTN, goods-and-transport waybill) documents, which are essential to Russian logistics.
The attack starts with a spear-phishing email that includes cargo delivery-themed bait. Inside the email is a ZIP file containing a Windows shortcut (LNK) that runs PowerShell to show a fake Excel document while silently installing the EAGLET DLL implant. The decoy document refers to Obltransterminal, a Russian railway container terminal operator sanctioned by the U.S. Treasury's OFAC in February 2024.
EAGLET is built to collect system data and connect to a hard-coded remote server (185.225.17[.]104). It parses the server's HTTP response to extract commands and executes them on the infected Windows system. The implant supports shell access and file transfers, but the full extent of its capabilities is unclear because the command-and-control server is currently offline.
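The chain described above (LNK launching hidden PowerShell that opens a decoy document, drops a DLL, and then beacons to the fixed C2) can be expressed as a simple host-log correlation. This is an added example, not Seqrite's code; the Sysmon-style event records, field names and command lines below are constructed, and only the C2 address comes from the report.

```python
"""Triage helper for the Operation CargoTalon chain: flag PowerShell processes that
look LNK-launched, open a decoy document while writing a DLL, and then connect to the
EAGLET C2. Event schema below is a constructed, Sysmon-like approximation."""
import re
from typing import Dict, List

# C2 address named in the report (defanged on the page as 185.225.17[.]104).
EAGLET_C2 = "185.225.17.104"

# Constructed sample telemetry: one benign PowerShell run and one matching the chain.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "4120", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c Start-Process cargo_ttn.xlsx; "
                "Copy-Item eaglet.dll $env:APPDATA"},
    {"type": "network", "pid": "4120", "dst_ip": "185.225.17.104", "dst_port": "80"},
    {"type": "process", "pid": "5200", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\logs"},
    {"type": "network", "pid": "5200", "dst_ip": "10.0.0.5", "dst_port": "443"},
]

DECOY_RE = re.compile(r"\.(xlsx?|docx?|pdf)\b", re.IGNORECASE)   # decoy document opened
DLL_RE = re.compile(r"\.dll\b", re.IGNORECASE)                   # implant DLL written
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def score_chain(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {pid: [reasons]} for PowerShell processes showing chain indicators."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        if ev["type"] != "process" or ev["image"].lower() != "powershell.exe":
            continue
        reasons = []
        cmd = ev["cmdline"]
        # A double-clicked LNK is spawned directly by explorer.exe.
        if ev["parent"].lower() == "explorer.exe":
            reasons.append("spawned from explorer (LNK-style launch)")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden window")
        if DECOY_RE.search(cmd) and DLL_RE.search(cmd):
            reasons.append("opens document and drops DLL")
        if reasons:
            findings[ev["pid"]] = reasons
    # Second pass: tie flagged processes to a beacon toward the known C2.
    for ev in events:
        if ev["type"] == "network" and ev["pid"] in findings and ev["dst_ip"] == EAGLET_C2:
            findings[ev["pid"]].append("connection to EAGLET C2")
    return findings
```

Only the C2 address is a hard indicator; the other three signals are behavioural and will fire on legitimate admin scripts, so treat them as scoring inputs rather than standalone alerts.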
Seqrite also observed EAGLET-based attacks against Russian military entities, and noted source-code and targeting overlaps with Head Mare, another group that focuses on Russian entities. EAGLET shares features with PhantomDL, a Go-based backdoor that likewise provides shell access and file transfers, and the phishing emails in both cases follow a similar naming pattern.
This news comes as another Russian state-backed hacking group, UAC-0184 (also known as Hive0156), has launched new attacks on Ukrainian targets using Remcos RAT. Although the group has deployed Remcos RAT since early 2024, its latest campaigns are more streamlined, using malicious LNK or PowerShell files to fetch decoys and load Hijack Loader, which then runs Remcos RAT.
IBM X-Force reports that Hive0156 continues to use Microsoft LNK and PowerShell files to distribute Remcos RAT. The decoy documents suggest a primary focus on Ukraine's military, though the scope may be expanding.