Targeted Cyber Espionage Campaign Strikes Russian Aerospace with EAGLET Backdoor

A recent cyber espionage operation, identified as Operation CargoTalon, has taken aim at Russia’s aerospace and defense sectors, leveraging a stealthy backdoor named EAGLET to extract sensitive data from targeted systems.

Cybersecurity researchers from Seqrite Labs have attributed the campaign to a previously undocumented threat group they track as UNG0901 (Unknown Group 901). Their analysis indicates that the attackers specifically targeted personnel at the Voronezh Aircraft Production Association (VASO), one of Russia's major aircraft manufacturers.

The attackers used spear-phishing emails as their primary infection vector. The emails were disguised as cargo delivery notifications and carried ZIP archives containing Windows LNK (shortcut) files. When a recipient opens the shortcut, it launches PowerShell commands that open a decoy Excel document for the user to see while silently installing the EAGLET backdoor on the machine.

Interestingly, the fake Excel files refer to Obltransterminal, a Russian freight terminal operator that has been under U.S. Treasury sanctions since February 2024. This tactic adds a layer of legitimacy to the lure and may be designed to increase trust among the recipients.

Once deployed, EAGLET collects system-level information and connects over HTTP to a hardcoded remote server (185.225.17[.]104) to receive instructions. The backdoor provides remote shell access and supports file upload and download. Because the command-and-control server is now offline, the researchers could not retrieve the follow-up payloads, so what the operators delivered after the initial foothold remains unknown.
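The delivery chain (Explorer launching PowerShell from a double-clicked shortcut, with a decoy Office document opened alongside the real payload) and the plain-HTTP beacon to the hardcoded server give a defender two observable points to correlate. The script below is an added illustration for this page, not Seqrite's tooling and not any part of EAGLET. It runs over constructed, Sysmon-style JSON events (EventID 1 for process creation, EventID 3 for network connections); the field names, hostnames, command lines and timestamps are assumptions made for the example, and only the C2 address comes from the report.

```python
"""Hunt for the LNK -> PowerShell -> HTTP-beacon chain from the report.

Added example: not Seqrite's code and not EAGLET. The events below are
constructed, Sysmon-style records with assumed field names. Only the C2
address (185.225.17[.]104) is taken from the published report.
"""
import re
from datetime import datetime, timedelta

C2_DEFANGED = "185.225.17[.]104"  # as published (defanged)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a value that matches log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2 = refang(C2_DEFANGED)

# Options typical of shortcut-launched loaders: hidden window, no profile,
# execution-policy bypass, encoded command, or opening an Office decoy.
SUSPICIOUS_PS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|bypass|-e(c|nc|ncodedcommand)?\s|\.xlsx?\b)",
    re.IGNORECASE,
)


def is_lnk_launched_powershell(ev: dict) -> bool:
    """PowerShell spawned by Explorer (what a double-clicked .lnk produces)
    with a loader-like command line."""
    return (
        ev.get("EventID") == 1
        and ev.get("Image", "").lower().endswith("powershell.exe")
        and ev.get("ParentImage", "").lower().endswith("explorer.exe")
        and SUSPICIOUS_PS.search(ev.get("CommandLine", "")) is not None
    )


def is_c2_beacon(ev: dict, c2: str = C2) -> bool:
    """Plain-HTTP connection to the hardcoded EAGLET server."""
    return (
        ev.get("EventID") == 3
        and ev.get("DestinationIp") == c2
        and ev.get("DestinationPort") in (80, 8080)
    )


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["UtcTime"])


def correlate(events, window=timedelta(minutes=5)):
    """One alert per beacon: 'high' when the same host showed a suspicious
    PowerShell spawn within `window` beforehand, otherwise 'medium'."""
    last_spawn = {}  # host -> time of the most recent suspicious spawn
    alerts = []
    for ev in sorted(events, key=_ts):
        host = ev["Computer"]
        if is_lnk_launched_powershell(ev):
            last_spawn[host] = _ts(ev)
        elif is_c2_beacon(ev):
            t0 = last_spawn.get(host)
            chained = t0 is not None and _ts(ev) - t0 <= window
            alerts.append({
                "host": host,
                "time": ev["UtcTime"],
                "confidence": "high" if chained else "medium",
                "reason": ("LNK-style PowerShell spawn followed by HTTP contact with " + C2)
                if chained else ("HTTP contact with " + C2 + ", delivery chain not observed"),
            })
    return alerts


# Constructed sample telemetry (hypothetical hosts, paths and commands).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-07-21 09:14:02", "Computer": "WS-01",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": r'powershell.exe -w hidden -nop -c "Start-Process $env:TEMP\notice.xlsx; Start-Process $env:TEMP\update.exe"'},
    {"EventID": 3, "UtcTime": "2025-07-21 09:14:09", "Computer": "WS-01",
     "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "DestinationIp": "185.225.17.104", "DestinationPort": 80},
    {"EventID": 1, "UtcTime": "2025-07-21 09:20:00", "Computer": "WS-02",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"EventID": 3, "UtcTime": "2025-07-21 09:20:05", "Computer": "WS-02",
     "Image": PS_EXE, "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2025-07-21 10:02:00", "Computer": "WS-03",
     "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "DestinationIp": "185.225.17.104", "DestinationPort": 80},
    {"EventID": 3, "UtcTime": "2025-07-21 11:00:00", "Computer": "WS-01",
     "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "DestinationIp": "185.225.17.104", "DestinationPort": 80},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["host"]} [{a["confidence"]}] {a["reason"]}')
```

Two points worth keeping in mind when adapting this. The reported C2 is offline, so matching on the address is only useful retrospectively against stored telemetry; the durable part of the rule is the behavioural one (Explorer spawning PowerShell with a hidden window and an Office document in the command line), which survives infrastructure changes. And a keyword such as `bypass` will hit legitimate administration scripts, which is why the example only raises confidence when the spawn is followed by a matching outbound connection on the same host, rather than alerting on either signal alone.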

Further investigations by Seqrite suggest this isn’t an isolated case. Similar tactics and payloads have been observed in attacks targeting Russia’s military infrastructure. Additionally, code similarities and overlapping victim profiles connect this activity to another known threat group, Head Mare, which also targets Russian entities. Notably, EAGLET shares functional traits with PhantomDL, a Go-based backdoor featuring similar remote access capabilities.

This disclosure arrives as another Russia-linked actor, UAC-0184 (also tracked as Hive0156), intensifies its own operations, in this case against targets in Ukraine. In its recent campaigns, Hive0156 has relied on simplified attack chains that use weaponized LNK files and PowerShell scripts to deliver Remcos RAT, a widely used remote access tool. The decoy files reference military themes, which points to a focus on Ukrainian defense personnel, with signs that the target set may broaden over time.

As cyber threats continue to evolve in complexity and geopolitical scope, these incidents highlight the growing sophistication and cross-border ambitions of modern espionage-focused threat actors.

Source: https://thehackernews.com/2025/07/cyber-espionage-campaign-hits-russian.html