Connect with us

Hi, what are you looking for?



Cyberespionage Campaign Targets Government, Energy Entities in India

Threat intelligence firm EclecticIQ documents the delivery of malware phishing lures to government and private energy organizations in India.

Multiple government entities and private energy organizations in India have been targeted in a cyberespionage campaign that uses an open source information stealer for data exfiltration, according to a warning from threat intelligence firm EclecticIQ.

As part of the campaign, tagged to as Operation FlightNight, phishing lures masquerading as an invitation letter from the Indian Air Force were sent to various Indian government entities, including agencies for electronic communications, IT governance, and national defense.

The phishing emails carried an ISO file containing the malware and a shortcut file (LNK) posing as the PDF invitation letter. Once opened, it executed the hidden malware, while displaying a decoy document that was likely stolen in a previous intrusion and repurposed.

Immediately after execution, the malware, a modified version of the open source information stealer HackBrowserData, started exfiltrating documents and web browser data from the victim’s machine, including login credentials, cookies, and browsing history.

The same threat actor was also seen targeting Indian energy companies to steal financial documents, employee information, and data about drilling activities in oil and gas.

“In total, the actor exfiltrated 8,81 GB of data, leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government’s infrastructure,” EclecticIQ noted.

The attackers modified the HackBrowserData stealer to implement communication over Slack channels, obfuscation, and functionality to exfiltrate Office documents, PDF files, and SQL database files. All harvested data is exfiltrated via attacker-operated Slack channels named FlightNight.

EclecticIQ has found similarities between Operation FlightNight and a GoStealer campaign documented in January 2024 that targeted Indian Air Force officials with an information stealer written in Golang.

Advertisement. Scroll to continue reading.

“Operation FlightNight and the Go-Stealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage. This underscores the evolving landscape of cyber threats, wherein actors abuse widely used open-source offensive tools and platforms to achieve their objectives with minimal risk of detection and investment,” EclecticIQ added.

Related: Data of 750 Million Indian Mobile Subscribers Sold on Hacker Forums

Related: Stealthy Cyberespionage Campaign Remained Undiscovered for Two Years

Related: Chinese Cyberspies Targeting ASEAN Entities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...