HomeCyber BalkansOperation Celestial Force Utilizing Android and Windows Malware

Operation Celestial Force Utilizing Android and Windows Malware

Published on

spot_img

A cyber espionage campaign known as Operation Celestial Force, orchestrated by a Pakistani threat actor group dubbed Cosmic Leopard, has been targeting Indian entities over multiple years through the deployment of sophisticated malware tools and social engineering tactics.

The group first emerged in 2018, leveraging the GravityRAT malware to infiltrate Windows systems before eventually evolving to target Android devices as well. The initial infection vectors included malicious documents and social engineering techniques, with spearphishing emails being a common method used to deceive victims into downloading the malware.

In 2019, Cosmic Leopard expanded their arsenal by introducing HeavyLift, a malware loader that was distributed through fake installers. Each operation within Operation Celestial Force was intricately managed through custom “GravityAdmin” panels, demonstrating the group’s commitment to orchestrating targeted cyber attacks with precision.

The utilization of GravityRAT, a remote-access Trojan designed for both Windows and Android platforms, served as a key component of the group’s operations. This malware, alongside HeavyLift, was controlled through the GravityAdmin interface, a sophisticated framework that enabled the management of multiple malicious campaigns simultaneously.

The GravityAdmin panel facilitated communication with campaign-specific command-and-control (C2) servers, allowing the group to deploy tailored malware families based on the target platform. The diverse capabilities of GravityRAT and HeavyLift allowed Cosmic Leopard to exfiltrate sensitive data, such as SMS messages, call logs, device information, and even email addresses.

Furthermore, the use of anti-analysis techniques and persistent execution methods enabled the malware to operate stealthily on compromised systems, evading detection in virtual environments. The group also employed cloud-based services like Cloudflare to mask the true location of their C2 servers, adding another layer of obfuscation to their operations.

To assist security researchers in identifying potential infections, Cisco Talos provided a set of Indicators of Compromise (IOCs) related to the malicious files, domains, and URLs associated with Cosmic Leopard’s malware tools. These IOCs, including hashes of malicious files and suspicious URLs, can aid in detecting and neutralizing threats posed by the group.

By analyzing these IOCs and cross-referencing them against network traffic and file repositories, security experts can bolster their defenses against Cosmic Leopard’s cyber espionage activities. The evolving nature of Operation Celestial Force underscores the importance of user education on cyber hygiene practices and the implementation of robust security measures to combat sophisticated threat actors like Cosmic Leopard.

Source link

Latest articles

OnlyFans Performers Forge Unexpected Alliance with CISOs to Secure Websites

Investigation Reveals Illicit Distribution Systems Exploiting Adult Content In a recent examination of digital traffic...

Cyber Briefing – July 17, 2026 – CyberMaterial

Cybersecurity: A Rising Threat Landscape and Corporate Responses In recent times, the cybersecurity landscape has...

US Cybersecurity Agency Exposes Confidential Information

CISA Recognized for Swift Action and Transparency in Security Incident By Mathew J. Schwartz July 17,...

New Starland RAT Exfiltrates Browser Credentials and Scans for More Than 40 Crypto Wallets

Emerging Threat: UAT-11795 and the Starland RAT Campaign In a concerning development within the cybersecurity...

More like this

OnlyFans Performers Forge Unexpected Alliance with CISOs to Secure Websites

Investigation Reveals Illicit Distribution Systems Exploiting Adult Content In a recent examination of digital traffic...

Cyber Briefing – July 17, 2026 – CyberMaterial

Cybersecurity: A Rising Threat Landscape and Corporate Responses In recent times, the cybersecurity landscape has...

US Cybersecurity Agency Exposes Confidential Information

CISA Recognized for Swift Action and Transparency in Security Incident By Mathew J. Schwartz July 17,...