24 Jun

Hackers from Pakistan linked to Malware Campaign

Hackers linked to Pakistan have been associated with a long-running malware campaign, known as Operation Celestial Force, since at least 2018.

This campaign employs Android malware called GravityRAT and a Windows-based malware loader named HeavyLift, managed via a tool called GravityAdmin, according to Cisco Talos. The group, tracked as Cosmic Leopard (or SpaceCobra), shares tactical similarities with Transparent Tribe.

Operation Celestial Force has been continuously active and successful, especially in targeting users in the Indian subcontinent. GravityRAT, initially a Windows malware revealed in 2018, has evolved into a multi-platform tool capable of targeting Android and macOS systems. It primarily uses spear-phishing emails to harvest sensitive data from compromised hosts.
Further findings from Meta and ESET in 2022 showed the use of the Android variant of GravityRAT to target military personnel in India and the Pakistan Air Force, disguised as cloud storage, entertainment, and chat applications. Cisco Talos’ research consolidates these activities under the operation driven by GravityAdmin.

Cosmic Leopard often uses spear-phishing and social engineering to gain the trust of targets before directing them to download malicious programs that deploy GravityRAT or HeavyLift, depending on the operating system. GravityRAT has been operational since 2016, while GravityAdmin has been commandeering systems since August 2021.
HeavyLift, the latest addition to the threat actor’s arsenal, is an Electron-based malware loader targeting Windows systems. It gathers system data and periodically polls a command-and-control server for new payloads. The operation has consistently targeted Indian defense, government, and technology sectors.
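The one behaviour the article describes in enough detail to hunt for is the loader's habit of periodically polling its command-and-control server. Regular polling leaves a fingerprint in outbound proxy or firewall logs: a near-constant interval between requests from one host to one destination. The script below is an added example written for this page, not Cisco Talos tooling and not based on any real Operation Celestial Force indicator; the log format, the hostnames (`updates.example-placeholder.test` stands in for an unknown C2, `news.example.org` for ordinary browsing), the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag periodic outbound polling ("beaconing") in constructed proxy logs.

Added example for this article; not Cisco Talos code. The log format,
hostnames, sample data and thresholds are assumptions made for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src-ip> <dst-host> <bytes>".
# Requests to the placeholder C2 host arrive roughly every 300 s with a few
# seconds of jitter; requests to the browsing host are irregular.
SAMPLE_LOG = """\
2024-06-24T09:00:00 10.0.0.5 updates.example-placeholder.test 512
2024-06-24T09:00:02 10.0.0.5 news.example.org 40210
2024-06-24T09:05:01 10.0.0.5 updates.example-placeholder.test 512
2024-06-24T09:06:30 10.0.0.5 news.example.org 1502
2024-06-24T09:09:59 10.0.0.5 updates.example-placeholder.test 512
2024-06-24T09:15:00 10.0.0.5 updates.example-placeholder.test 512
2024-06-24T09:17:45 10.0.0.5 news.example.org 99010
2024-06-24T09:20:02 10.0.0.5 updates.example-placeholder.test 512
2024-06-24T09:24:58 10.0.0.5 updates.example-placeholder.test 512
2024-06-24T09:30:00 10.0.0.5 updates.example-placeholder.test 512
2024-06-24T09:41:12 10.0.0.5 news.example.org 3201
"""


def parse_log(text):
    """Group request timestamps by (source IP, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the gaps are nearly identical,
    which is what a timer-driven poll looks like and human browsing does not.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return m, cv


def find_beacons(events, min_requests=5, max_cv=0.1):
    """Return pairs whose request timing is regular enough to look like polling.

    min_requests avoids scoring pairs with too few samples; max_cv is the
    jitter tolerance (0.1 = gaps within ~10% of their mean). Both are
    assumed thresholds and should be tuned against a baseline of normal
    traffic before use in a real environment.
    """
    flagged = {}
    for pair, ts in events.items():
        if len(ts) < min_requests:
            continue
        m, cv = beacon_score(ts)
        if cv <= max_cv:
            flagged[pair] = {
                "requests": len(ts),
                "mean_interval_s": round(m, 1),
                "cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {stats}")
```

On the sample data only the placeholder C2 host is reported (seven requests, mean gap 300 s, coefficient of variation under 0.01); the browsing host is both below the request threshold and far too irregular. In practice the same statistic can be computed over DNS or NetFlow records, and a second signal worth adding for a loader that sends the same system-data blob each time is near-constant request size per destination.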