A silent and dangerous cyberattack has recently hit one of Russia’s most important industries — its aerospace and defense sector. Using a secret digital spy tool called EAGLET, unknown hackers are believed to have stolen sensitive information from high-level targets inside the country. The campaign, now known as Operation CargoTalon, is causing serious concern due to its advanced tactics and hidden techniques.
The hackers targeted a major Russian aircraft company with a fake cargo document that secretly delivered malware. Once opened, the file allowed attackers to spy on the computer and potentially steal files or take control — all without the user’s knowledge.
Fake Cargo Documents Used to Trick Aerospace Staff
The attack focused on employees of Voronezh Aircraft Production Association (VASO) — a top aircraft builder in Russia. The hackers sent emails pretending to be about cargo shipments. These messages included товарно-транспортная накладная (TTN) files, which are official documents used in Russian transport systems. This made the emails look very real and convincing.
Inside these emails was a ZIP file. When opened, it showed a shortcut file (.LNK) that pretended to open an Excel document. But in the background, it launched a PowerShell command that installed the EAGLET malware on the victim’s computer. The Excel file was just a decoy and mentioned a real Russian company called Obltransterminal, which had been sanctioned by the U.S. in early 2024. This clever trick helped to make the attack seem even more believable.
EAGLET Malware: A Digital Spy Hiding in Plain Sight
Once installed, EAGLET quietly collects details about the infected computer. It then tries to connect to a command-and-control server using the IP address 185.225.17[.]104. From there, it waits for new instructions from the hackers. These commands could tell it to download files, upload stolen data, or give full control of the computer to the attackers.
Although the server is currently offline, security experts explain that the attackers designed EAGLET to act like a hidden doorway for other dangerous tools. It allows hackers to easily install more spyware later without being detected. The malware also shares similarities with another known backdoor called PhantomDL, which has similar spying features and may come from the same group.
💻 AI Turns Rogue—LazyHug Malware Learns Like ChatGPT, Steals Data Silently
Military Sector Also Targeted; Links to Other Hackers Found
Investigators discovered that attackers used EAGLET not only against VASO but also in other operations targeting Russia’s military. These attacks match the patterns of another hacker group called Head Mare, which has a history of spying on Russian government and military networks. The file names and technical style used in Operation CargoTalon are very similar to previous attacks from this group.
In a separate operation, a different hacking team named UAC-0184 (Hive0156) launched a fresh wave of cyberattacks targeting Ukrainian systems. Their weapon of choice is Remcos RAT, a remote access tool that allows attackers to spy on and control infected machines. The group used shortcut and PowerShell files that downloaded Hijack Loader malware, which then launched the Remcos RAT tool.
Some of these fake files included Ukrainian military-themed decoys, suggesting that these hackers are focusing heavily on defense targets and may soon expand their reach.
