Threat actors with ties to Pakistan have been linked to a long-running malware campaign known as Operation Celestial Force, which has been active since at least 2018. This campaign employs an Android malware called GravityRAT and a Windows-based malware loader named HeavyLift. These tools are administered using another standalone tool called GravityAdmin. The cybersecurity firm Cisco Talos attributes the operation to an adversary it tracks under the name Cosmic Leopard, also known as SpaceCobra, which shows tactical similarities with Transparent Tribe.
Operation Celestial Force continues to evolve and expand its malware suite, indicating its high success rate in targeting users in the Indian subcontinent. GravityRAT first emerged in 2018 as Windows malware targeting Indian entities through spear-phishing emails, with features designed to harvest sensitive information. Over time, GravityRAT has been adapted to work on Android and macOS, making it a multi-platform threat. Recent findings from Meta and ESET reveal that the Android version of GravityRAT is used to target military personnel in India and the Pakistan Air Force by disguising itself as cloud storage, entertainment, and chat apps.
Cisco Talos’ research consolidates various activities related to Operation Celestial Force, driven by evidence of the threat actor’s use of GravityAdmin. Cosmic Leopard primarily uses spear-phishing and social engineering to build trust with targets before directing them to download malicious programs that deploy GravityRAT or HeavyLift, depending on the operating system. GravityRAT has been in use since 2016, while GravityAdmin has been employed since at least August 2021 to manage infected systems and connect with C2 servers.
A new component in the threat actor’s toolkit is HeavyLift, an Electron-based malware loader targeting Windows systems, with similarities to GravityRAT’s Electron versions documented in 2020. Once launched, HeavyLift gathers and exports system metadata to a C2 server and periodically checks for new payloads. This operation continuously targets Indian entities and individuals, likely within defense, government, and related technology sectors, highlighting the persistent and evolving nature of the threat.
Reference:
