Persistent long-running Pakistani malware campaign discovered

Organizations and individuals in the government, defense, and technology sectors across India have been targeted by the Pakistan-linked threat group Cosmic Leopard, also known as SpaceCobra, in attacks using the GravityRAT Android malware and the HeavyLift Windows malware loader. The attacks are part of Operation Celestial Force, which has been ongoing since 2018, reports The Hacker News.

Attacks by Cosmic Leopard, which has been associated with Transparent Tribe, commenced with spearphishing emails that redirected targets to a malicious site. The site would then leverage the GravityAdmin hacking tool, which would choose whether GravityRAT, which has also evolved to target macOS, or HeavyLift would be deployed on the targeted system, an analysis from Cisco Talos Intelligence revealed.

Further examination of the Electron-based HeavyLift malware loader showed system metadata collection and exfiltration, as well as payload execution via server polling, on both Windows and macOS.

"Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent," researchers wrote.