
Operation Celestial Force Utilizing Android and Windows Malware


A multi-year cyber espionage campaign known as Operation Celestial Force, attributed to a Pakistani threat actor group dubbed Cosmic Leopard, has been targeting Indian entities through a combination of custom malware tools and social engineering.

The group first emerged in 2018, using the GravityRAT malware to infiltrate Windows systems before expanding to target Android devices as well. Initial infection vectors included malicious documents and social engineering, with spearphishing emails a common method of luring victims into downloading the malware.

In 2019, Cosmic Leopard expanded its arsenal with HeavyLift, a malware loader distributed through fake installers. Each operation within Operation Celestial Force was managed through its own custom “GravityAdmin” panel, reflecting the care with which the group organized its targeted attacks.

GravityRAT, a remote-access Trojan built for both Windows and Android, is the central component of the group’s operations. It and HeavyLift were both controlled through the GravityAdmin interface, a framework that allowed the group to run multiple malicious campaigns at the same time.

The GravityAdmin panel communicated with campaign-specific command-and-control (C2) servers, allowing the group to deploy the malware family suited to each target platform. Between them, GravityRAT and HeavyLift let Cosmic Leopard exfiltrate sensitive data such as SMS messages, call logs, device information, and even email addresses.

Anti-analysis techniques and persistence mechanisms let the malware run quietly on compromised systems and avoid detection when executed in virtual environments. The group also placed its C2 infrastructure behind cloud services such as Cloudflare to mask the servers’ true location, adding a further layer of obfuscation.

To help defenders identify potential infections, Cisco Talos published a set of Indicators of Compromise (IOCs) covering the malicious files, domains, and URLs associated with Cosmic Leopard’s tooling. These IOCs, which include hashes of malicious files and suspicious URLs, can be used to detect and contain the group’s activity.

Cross-referencing these IOCs against network traffic and file repositories gives security teams a concrete way to strengthen their defenses against Cosmic Leopard’s espionage activity. The continued evolution of Operation Celestial Force underscores the need for user education on cyber hygiene alongside robust technical controls when facing capable threat actors like Cosmic Leopard.
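The cross-referencing step described above can be scripted. The following is an added example, not code from the Talos report or from this article: it takes an IOC set in the three categories Talos publishes (file hashes, domains, URLs) and matches it against proxy and DNS log lines and against file contents. Every indicator value is a constructed placeholder (reserved `.invalid` domains and hashes of constructed byte strings), not a real Cosmic Leopard indicator; substitute the published IOCs when using it. Because the article notes the C2 sits behind Cloudflare, the matcher deliberately keys on hostnames and URLs rather than IP addresses, and it treats a subdomain of an IOC domain as a hit.

```python
"""Cross-reference an IOC set against log lines and file contents.

Added illustration. All IOC values here are constructed placeholders,
not the indicators published by Cisco Talos.
"""
import hashlib
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-ins for file contents; hashing them at runtime keeps the
# IOC set honest (no real GravityRAT/HeavyLift hash is reproduced here).
SAMPLE_MALICIOUS_BYTES = b"constructed sample payload, not real malware"
SAMPLE_BENIGN_BYTES = b"ordinary document contents"

# Placeholder IOC set in the three categories Talos publishes:
# file hashes, domains and URLs. The .invalid TLD is reserved (RFC 2606).
IOCS = {
    "sha256": {hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest()},
    "domains": {"example-c2.invalid", "updates-example.invalid"},
    "urls": {"http://updates-example.invalid/setup/installer.exe"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_domain(host: str, domains: set) -> Optional[str]:
    """Return the IOC domain that host equals or sits under, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log_line(line: str, iocs: dict = IOCS) -> list:
    """Return sorted (indicator_type, indicator) pairs for IOC hits in one line.

    Proxy-style lines carry full URLs; DNS-style lines carry bare query names.
    With the C2 fronted by Cloudflare, names and URLs are matched, not IPs.
    """
    hits = set()
    urls = URL_RE.findall(line)
    for url in urls:
        url = url.rstrip(".,;)")
        if url in iocs["urls"]:
            hits.add(("url", url))
        host = urlparse(url).hostname or ""
        d = match_domain(host, iocs["domains"])
        if d:
            hits.add(("domain", d))
    if not urls:  # DNS-style line: look for bare hostnames instead
        for name in HOSTNAME_RE.findall(line):
            d = match_domain(name, iocs["domains"])
            if d:
                hits.add(("domain", d))
    return sorted(hits)


def scan_logs(lines: list, iocs: dict = IOCS) -> list:
    """Return (line_number, indicator_type, indicator) for every hit across lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, value in scan_log_line(line, iocs):
            findings.append((n, kind, value))
    return findings


def scan_file_bytes(name: str, data: bytes, iocs: dict = IOCS) -> Optional[tuple]:
    """Return (name, sha256) if the content's hash is a known IOC, else None."""
    digest = sha256_hex(data)
    return (name, digest) if digest in iocs["sha256"] else None


# Constructed sample log lines (DNS query, then proxy requests), not real telemetry.
SAMPLE_LOGS = [
    "2024-06-12T10:01:00Z 10.0.0.5 query A updates-example.invalid",
    "2024-06-12T10:01:02Z 10.0.0.5 GET http://updates-example.invalid/setup/installer.exe 200",
    "2024-06-12T10:02:15Z 10.0.0.5 GET https://cdn.example-c2.invalid/tasks 200",
    "2024-06-12T10:03:00Z 10.0.0.7 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print("log hit:", finding)
    print("file hit:", scan_file_bytes("installer.exe", SAMPLE_MALICIOUS_BYTES))
    print("benign file:", scan_file_bytes("report.docx", SAMPLE_BENIGN_BYTES))
```

Running the script reports the DNS query and both proxy requests to the placeholder C2 names as hits, flags the constructed "malicious" bytes by hash, and leaves the benign line and file untouched. In practice the IOC set would be loaded from the Talos list and the log lines streamed from a proxy or DNS resolver export; the matching logic stays the same.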
