
Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor

Threat Score: 68 | 3 articles | 100.0% similarity | 2 days ago


Key Insights

1. Operation CargoTalon targets the Russian aerospace and defense sectors, specifically the Voronezh Aircraft Production Association (VASO), using a custom backdoor named EAGLET.
2. The attack employs spear-phishing emails with malicious attachments disguised as logistics documents (товарно-транспортная накладная, TTN, a consignment note), initiating a multi-stage infection chain.
3. EAGLET is a DLL backdoor that allows remote command execution and data exfiltration, indicating a high level of sophistication in the attack methodology.
4. Security teams in affected sectors should enhance email filtering, conduct user training on phishing awareness, and monitor for suspicious network activity related to EAGLET.
5. The threat actor UNG0901 is believed to be behind this campaign, with operations observed since late June 2025.

Threat Overview

A sophisticated cyber espionage campaign named Operation CargoTalon has targeted Russia's aerospace and defense sectors, particularly the Voronezh Aircraft Production Association (VASO), using spear-phishing tactics to deploy the EAGLET backdoor [1][2][3]. This backdoor enables remote command execution and data exfiltration, posing significant risks to sensitive information [2]. Organizations must implement robust email filtering, conduct phishing awareness training, and monitor for EAGLET-related activities to mitigate risks [1][3]. The threat actor behind this campaign is tracked as UNG0901, with attacks noted since late June 2025 [2].

Tactics, Techniques & Procedures (TTPs)

T1566.001 Spearphishing Attachment: spear-phishing emails with malicious attachments disguised as logistics documents [1][3]
T1203 Exploitation for Client Execution: execution of the EAGLET backdoor via a malicious LNK file [2][3]
T1059.001 Command and Scripting Interpreter: use of the DLL backdoor for remote command execution [2][3]
T1041 Exfiltration Over Command and Control Channel: data exfiltration facilitated by the EAGLET implant [2][3]
T1071.001 Application Layer Protocol: Web Protocols: potential use of web protocols for command and control communications [2]

Timeline of Events

2025-06-27: Operation CargoTalon first identified via VirusTotal [3]
2025-06: Initial spear-phishing emails sent to VASO employees [1][2]
2025-07-24: Public disclosure of Operation CargoTalon's details [2]
2025-07-25: Further analysis and implications discussed by Seqrite Labs [1]
Ongoing: Active monitoring and response required for EAGLET-related activities [1][2]

Related Articles

3 articles

1. Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor
The Hacker News, 1 day ago (score 60, 100.0% similarity)

Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration. The activity, dubbed Operation CargoTalon, has been assigned to a threat cluster tracked as UNG0901 (short for Unknown Group 901). "The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia via using товарно-транспортная накладная (TTN) docum
2. Operation CargoTalon Attacking Russian Aerospace & Defense to Deploy EAGLET Implant
Cybersecurity News, 2 days ago (score 51, 97.0% similarity)

A sophisticated cyber espionage campaign dubbed “Operation CargoTalon” has emerged, specifically targeting Russia’s aerospace and defense sectors through carefully crafted spear-phishing attacks. The operation, which surfaced in late June 2025, employs a multi-stage infection chain designed to deploy the EAGLET implant, a custom-built DLL backdoor capable of remote command execution and data exfiltration. The campaign […]
3. Operation CargoTalon Targets Russian Aerospace & Defense to Deploy EAGLET Implant
GB Hackers, 3 days ago (score 51, 97.0% similarity)

SEQRITE Labs’ APT-Team has uncovered a sophisticated spear-phishing campaign dubbed Operation CargoTalon, targeting employees at Russia’s Voronezh Aircraft Production Association (VASO), a key aerospace entity. The operation leverages malicious attachments disguised as товарно-транспортная накладная (TTN) logistics documents, critical for Russian supply chains. Discovered on June 27 via VirusTotal hunting, the camp


Cluster Intelligence

Key entities and indicators for this cluster

COUNTRIES: Russia, Ukraine, Germany, Romania
ATTACK TYPES: Phishing, Data Exfiltration
INDUSTRIES: Aerospace, Logistics, Nuclear, Education
RANSOMWARE: Zlader, Trojan, Sanctions
MITRE ATT&CK: Phishing
COMPANIES: IBM, Microsoft, Google, Cisco, Apple
PLATFORMS: Container, Windows, AWS, Azure, iOS
VULNERABILITIES: Zero-Day, DoS, DDoS
SECURITY VENDORS: Cloudflare, Kaspersky
APT GROUPS: Sea Turtle, TA505, Head Mare, Hezb
MALWARE: HijackLoader, Remcos, Dark, Lumma Stealer
IP ADDRESSES: 188.127.254.44
CLUSTER INFORMATION: Cluster #1343, created 2 days ago, semantic algorithm