Pakistan-based threat actors have been observed targeting government entities in India as part of two espionage campaigns, according to separate warnings from Cisco Talos and Volexity.
One of the campaigns, called Operation Celestial Force, has been ongoing since at least 2018, relying on both Android and Windows malware to target individuals in the Indian defense, government, and related technology sectors.
Security researchers at Cisco Talos Intelligence track the threat actor as Cosmic Leopard, but warn that the activity overlaps in tactics, techniques, tooling, and victimology with Transparent Tribe, a known Pakistan-linked state-sponsored group also tracked as APT36 and Mythic Leopard.
“Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent,” Cisco Talos said.
Initially, the threat actor used only the GravityRAT malware to target Windows users, but it has since expanded its arsenal with an Android version of the remote access tool (RAT) and the Electron-based HeavyLift malware loader.
Cosmic Leopard was seen relying on spear phishing to deliver malicious documents leading to the execution of GravityRAT, as well as engaging with potential victims on social media platforms to gain their trust before sending malicious links to download one of their malware families.
In a separate report, Volexity warns of a Pakistan-based threat actor tracked as UTA0137 that has been observed using the Go-based ‘Disgomoji’ malware to target Indian government entities for espionage purposes.
UTA0137, Volexity says, has been using ‘Disgomoji’ to gain access to Linux systems, suggesting that the attacks have been tailored to the intended victims.
“Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop.”
The threat actor was also seen exploiting the DirtyPipe (CVE-2022-0847) vulnerability to target BOSS 9 systems, which are still vulnerable.