Pakistan-Linked Operation Celestial Force Expands its Reach Across Windows, macOS and Android


Recent discoveries by Cisco Talos have unveiled a persistent malware campaign with roots tied to Pakistan, known as Operation Celestial Force. What’s particularly concerning is the evolution of this campaign, targeting not just Windows but also Android and macOS systems, indicating a strategic shift by threat actors.

Since its inception in 2018, Operation Celestial Force has employed a variety of malicious tools, including GravityRAT for Android, HeavyLift for Windows, and GravityAdmin, which oversees them. These components, orchestrated by the group dubbed Cosmic Leopard, showcase a level of sophistication that demands attention.

GravityRAT, initially identified in 2018, was primarily a Windows-focused malware, honed to infiltrate Indian organizations through spear-phishing tactics. However, its adaptability has been alarming; it has since expanded its reach to Android and macOS platforms, making it a versatile and potent threat.

Last year, Meta and ESET revealed GravityRAT’s continued usage in targeting military personnel in India and Pakistan Air Force members. Its camouflage as legitimate applications, such as cloud storage or entertainment apps, adds another layer of deception to its malicious intent.

What Cisco Talos’ report brings to light is the cohesive strategy behind these seemingly disparate attacks. Cosmic Leopard’s utilization of GravityAdmin serves as the linchpin, enabling seamless coordination between GravityRAT and HeavyLift across various campaigns.

The modus operandi of Cosmic Leopard involves leveraging spear-phishing and social engineering techniques to lure unsuspecting victims. Once trust is established, victims are directed to download seemingly harmless programs, unwittingly installing GravityRAT or HeavyLift, depending on their operating system.

The sophistication doesn’t end there. GravityAdmin, a binary utilized by the threat actor, acts as a command center, facilitating communication between infected systems and the command-and-control servers of GravityRAT and HeavyLift. Each campaign is meticulously managed through specific user interfaces within GravityAdmin, tailored to different attack vectors.


A noteworthy addition to the arsenal is HeavyLift, a malware loader targeting Windows systems. Its deployment via malicious installers signifies a concerted effort to penetrate Windows environments. Interestingly, parallels can be drawn between HeavyLift and GravityRAT’s Electron-based versions, as previously documented by Kaspersky in 2020.

Once unleashed, HeavyLift exhibits a wide array of capabilities, from gathering system metadata to executing payloads fetched from command-and-control servers. Its cross-platform functionality, extending to macOS, underscores the adaptability and persistence of the threat actors behind Operation Celestial Force.

The implications of this multi-year operation are profound. Its sustained focus on Indian entities, particularly in defense, government, and technology sectors, raises concerns about the broader geopolitical landscape. As cyber threats continue to evolve, collaborative efforts between cybersecurity researchers and organizations become increasingly vital to thwart such malicious endeavors.

In conclusion, while the emergence of Operation Celestial Force underscores the evolving nature of cyber threats, it also serves as a reminder of the importance of proactive cybersecurity measures. By staying informed and remaining vigilant, we can collectively fortify our digital defenses against emerging threats, ensuring a safer online environment for all.

