Operation Cargotalon: Targeting Russian Aerospace Defense Using Eaglet Implant
Essential information
- Published
- 24/07/2025 05:49
- Modified
- 24/07/2025 09:04
- Tags
- 2025-07-24 aerospace defense dll implant eaglet espionage head mare logistics russia spear-phishing
- Related entities
- 16 observables, 1 intrusion sets (apt), 1 malware, 3 others
Description
UNG0901, a threat group targeting Russian aerospace and defense sectors, has been discovered conducting a spear-phishing campaign against the Voronezh Aircraft Production Association. The operation, dubbed 'CargoTalon', utilizes a custom DLL implant called EAGLET, which is disguised as a ZIP file containing transport documents. The infection chain involves a malicious LNK file that executes the EAGLET implant, which then establishes communication with a command-and-control server for remote access and data exfiltration. The campaign employs sophisticated tactics, including decoy documents related to Russian logistics operations, and shows similarities with another threat group known as Head Mare. The attackers' motivation appears to be espionage against Russian governmental and non-governmental entities.