A Pakistan-linked threat actor has been tied to a long-running malware campaign tracked as Operation Celestial Force, active since at least 2018.
According to Cisco Talos, the campaign relies on an Android malware called GravityRAT and a Windows-based malware loader called HeavyLift, both administered through a standalone tool named GravityAdmin.
The researchers attribute the activity to an adversary tracked as Cosmic Leopard (also known as SpaceCobra), whose tactics overlap with those of the group known as Transparent Tribe.
“Commencing in 2018, Operation Celestial Force is still in operation today, employing an expanding and evolving suite of malware — suggesting a high degree of success in targeting individuals in the Indian subcontinent,” remarked security analysts Asheer Malhotra and Vitor Ventura in a technical report shared with The Hacker News.
GravityRAT first came to light in 2018, when it was used against Indian entities via spear-phishing emails; it has since been ported to Android and macOS, turning it into a multi-platform tool.
Findings published by Meta and ESET last year showed the Android variant of GravityRAT still being used against military personnel in India and members of the Pakistan Air Force, masquerading as cloud storage, entertainment, and chat apps.
Cisco Talos' research ties these separate but related activities together under one umbrella, showing that the threat actor uses GravityAdmin to orchestrate the attacks.
Cosmic Leopard relies mainly on spear-phishing and social engineering to build trust with prospective targets before pointing them to a malicious site that prompts the download of a seemingly benign program, which delivers GravityRAT or HeavyLift depending on the victim's platform.
GravityRAT is believed to have been in use as early as 2016. GravityAdmin, for its part, is a binary used to administer compromised systems since at least August 2021 by connecting to the command-and-control (C2) servers of GravityRAT and HeavyLift.
“GravityAdmin comprises multiple built-in User Interfaces (UIs) specific to codenamed campaigns run by malicious operators,” the researchers explained. “For instance, ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ refer to all Android-based GravityRAT infections, while ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ are names associated with HeavyLift attacks.”
Another discovery is HeavyLift, an Electron-based malware loader family distributed through malicious installers targeting Windows. It overlaps with earlier Electron-based versions of GravityRAT documented by Kaspersky in 2020.
Once launched, HeavyLift collects system metadata and sends it to a preconfigured C2 server, then periodically polls that server for new payloads to execute on the host. It is also built to carry out the same functions on macOS.
“Over multiple years, this operation consistently targeted various Indian organizations and individuals, likely linked to defense, government, and associated technology sectors,” the researchers said.