Pakistani Threat Actors Caught Targeting Indian Gov Entities

Security researchers at Cisco Talos and Volexity flag two Pakistani espionage campaigns targeting Indian government entities.

Pakistan-based threat actors have been observed targeting government entities in India as part of two espionage campaigns, according to separate warnings from Cisco Talos and Volexity.

One of the campaigns, called Operation Celestial Force, has been ongoing since at least 2018, relying on both Android and Windows malware to target individuals in the Indian defense, government, and related technology sectors.

Security researchers at Cisco Talos Intelligence track the threat actor as Cosmic Leopard, but warn that the activity overlaps in tactics, techniques, tooling, and victimology with Transparent Tribe, a known Pakistan-linked state-sponsored group also tracked as APT36 and Mythic Leopard.

“Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent,” Cisco Talos said.

Initially, the threat actor used only the GravityRAT malware to target Windows users, but it has since expanded its arsenal with an Android version of the remote access tool (RAT) and the Electron-based HeavyLift malware loader.

Cosmic Leopard was seen relying on spear phishing to deliver malicious documents that lead to the execution of GravityRAT, as well as engaging with potential victims on social media platforms to gain their trust before sending malicious links that download one of its malware families.

In a separate report, Volexity warns of a Pakistan-based threat actor tracked as UTA0137 that has been observed using the Go-based ‘Disgomoji’ malware to target Indian government entities for espionage purposes.

UTA0137, Volexity says, has been using ‘Disgomoji’ to gain access to Linux systems, suggesting that the attacks have been tailored to the intended victims.


“Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop.”

The threat actor was also seen exploiting the DirtyPipe (CVE-2022-0847) vulnerability to target BOSS 9 systems, which are still vulnerable.

Related: Cyberespionage Campaign Targets Government, Energy Entities in India

Related: New Open Source Tool Hunts for APT Activity in the Cloud

Related: Military Organizations in Pakistan Targeted With Sophisticated Espionage Tool

Related: Newly Discovered Android Spyware Linked to State-Sponsored Indian Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
