Multiple government entities and private energy organizations in India have been targeted in a cyberespionage campaign that uses an open source information stealer for data exfiltration, according to a warning from threat intelligence firm EclecticIQ.
As part of the campaign, tracked as Operation FlightNight, phishing lures masquerading as an invitation letter from the Indian Air Force were sent to various Indian government entities, including agencies for electronic communications, IT governance, and national defense.
The phishing emails carried an ISO file containing the malware and a shortcut file (LNK) posing as the PDF invitation letter. When the shortcut was opened, it executed the hidden malware while displaying a decoy document that was likely stolen in a previous intrusion and repurposed.
Immediately after execution, the malware, a modified version of the open source information stealer HackBrowserData, started exfiltrating documents and web browser data from the victim’s machine, including login credentials, cookies, and browsing history.
The same threat actor was also seen targeting Indian energy companies to steal financial documents, employee information, and data about drilling activities in oil and gas.
“In total, the actor exfiltrated 8,81 GB of data, leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government’s infrastructure,” EclecticIQ noted.
The attackers modified the HackBrowserData stealer to implement communication over Slack channels, obfuscation, and functionality to exfiltrate Office documents, PDF files, and SQL database files. All harvested data is exfiltrated via attacker-operated Slack channels named FlightNight.
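The two observables in the chain described above, a document-lookalike shortcut launched from a mounted ISO and a non-Slack process talking to Slack, can be turned into simple telemetry checks. The following is an added illustration, not code from EclecticIQ or the article; the event records, the "volume" enrichment field, and the Slack process allowlist are constructed assumptions.

```python
import re

# Constructed sample telemetry (not real data), loosely modelled on Sysmon
# process-create and network-connect events. "volume" is an assumed
# enrichment field naming the media type behind the drive letter.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\winlogon.exe", "cmdline": "explorer.exe", "volume": "Fixed"},
    {"type": "process", "image": r"E:\invite.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"E:\invite.exe" "Invitation Letter.pdf.lnk"', "volume": "CD-ROM"},
    {"type": "network", "image": r"E:\invite.exe", "dest": "files.slack.com", "port": 443},
    {"type": "network", "image": r"C:\Program Files\Slack\slack.exe", "dest": "slack.com", "port": 443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest": "app.slack.com", "port": 443},
]

# Shortcut named like a document: "<name>.pdf.lnk", "<name>.docx.lnk", ...
DOC_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk\b", re.IGNORECASE)
SLACK_HOST = re.compile(r"(^|\.)slack\.com$", re.IGNORECASE)
# Processes expected to talk to Slack in this (assumed) environment.
SLACK_ALLOWLIST = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_iso_lnk_launch(ev: dict) -> bool:
    """explorer.exe spawning a process from mounted optical media (a mounted
    ISO) or via a document-lookalike .lnk: the delivery chain in the article."""
    if ev["type"] != "process" or basename(ev["parent"]) != "explorer.exe":
        return False
    return ev.get("volume") == "CD-ROM" or bool(DOC_LNK.search(ev["cmdline"]))

def is_unexpected_slack_egress(ev: dict) -> bool:
    """Connection to a Slack host from a process not expected to use Slack."""
    if ev["type"] != "network" or not SLACK_HOST.search(ev["dest"]):
        return False
    return basename(ev["image"]) not in SLACK_ALLOWLIST

def run_detections(events: list) -> list:
    """Return (rule, image) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_iso_lnk_launch(ev):
            hits.append(("iso-lnk-launch", ev["image"]))
        if is_unexpected_slack_egress(ev):
            hits.append(("unexpected-slack-egress", ev["image"]))
    return hits

if __name__ == "__main__":
    for rule, image in run_detections(EVENTS):
        print(f"[{rule}] {image}")
```

The Slack rule only carries weight where Slack is not sanctioned, or where the allowlist is tuned to the clients actually deployed; the ISO/LNK rule is the stronger signal.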
EclecticIQ has found similarities between Operation FlightNight and a GoStealer campaign documented in January 2024 that targeted Indian Air Force officials with an information stealer written in Golang.
“Operation FlightNight and the Go-Stealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage. This underscores the evolving landscape of cyber threats, wherein actors abuse widely used open-source offensive tools and platforms to achieve their objectives with minimal risk of detection and investment,” EclecticIQ added.