Date: 2025-07-28

Attacks spreading the EAGLET information-stealing backdoor have been deployed by the threat operation UNG0901 against aerospace and defense organizations across Russia, according to The Hacker News.
Employees of the major Russian aircraft production firm Voronezh Aircraft Production Association were targeted with a spear-phishing email using cargo-themed lures that include a ZIP archive, a report from Seqrite Labs revealed. The archive contains an LNK file that uses PowerShell to display a fake Microsoft Excel document, referencing the U.S.-sanctioned Russian railway container terminal operator Obltransterminal, while deploying the EAGLET DLL implant, which facilitates data exfiltration and additional payload delivery. Further analysis showed that EAGLET is similar to the Go-based PhantomDL backdoor, not only in its file download or upload capabilities but also in the naming of its phishing attachments.

These findings come after IBM X-Force researchers reported that Ukraine had been subjected to an attack by the Russian state-backed threat group UAC-0184, also known as Hive0156, which spread the Remcos RAT malware via phishing emails with military-themed lures.
