
Operation Celestial Force (Trojan) – Malware

June 14, 2024
Reading Time: 4 mins read
in Malware, Malware Campaign

Operation Celestial Force

Type of Malware Used

Trojan

Country of Origin

Pakistan

Targeted Countries

India

Date of initial activity

2018

Associated Groups

Transparent Tribe
Cosmic Leopard

Motivation

Cyberwarfare
Espionage
Data Theft

Attack Vectors

Phishing

Type of information Stolen

Login Credentials
Communication Data

Targeted Systems

Windows
Android

Overview

Operation Celestial Force represents a sophisticated and enduring cyber espionage campaign that has been active since at least 2018. This operation, meticulously detailed by Cisco Talos, leverages a complex array of malware to target Indian entities, particularly those in defense, government, and technology sectors. At the heart of this operation are two primary malware families: GravityRAT and HeavyLift. GravityRAT, an Android-based remote access trojan (RAT), has been used to compromise mobile devices, while HeavyLift, a Windows-based malware loader, facilitates the deployment of additional malicious payloads. The campaign is orchestrated through a custom tool known as GravityAdmin, which enables the attackers to manage multiple concurrent operations, each with its own set of codenames and administrative panels. The campaign, attributed with high confidence to a Pakistani threat actor group named “Cosmic Leopard,” demonstrates a high level of sophistication and persistence. Cosmic Leopard’s tactics and techniques bear similarities to those of other Pakistani APT groups, such as Transparent Tribe, but are distinct enough to warrant separate classification. Over the years, Operation Celestial Force has evolved significantly, expanding from initial use of GravityRAT on Windows platforms to incorporating Android variants and the HeavyLift loader. This evolution reflects an adaptive strategy aimed at increasing the operation’s reach and effectiveness.

Targets

Public Administration Individuals

How they operate

The campaign typically begins with Initial Access, primarily through highly targeted spear-phishing attacks. These phishing emails often contain malicious attachments or links designed to exploit user trust. Once a recipient interacts with the malicious content, the attackers gain a foothold within the target environment. This method of infiltration underscores the campaign’s reliance on social engineering to bypass initial defenses and initiate the attack chain.

Once inside the network, Operation Celestial Force employs various techniques for Execution and Persistence. The malware delivered through phishing emails usually requires user interaction, such as opening an attachment or clicking a link. Upon execution, the malware employs several strategies to maintain a persistent presence on the compromised system. Techniques such as Registry Run Keys or Startup Folder modifications ensure that the malware is reactivated upon system reboots, providing continuous access to the attackers. Additionally, the malware may leverage Obfuscated Files to evade detection by security solutions, making it harder for defenders to identify and neutralize the threat.

The Privilege Escalation phase involves exploiting vulnerabilities to gain elevated permissions on the compromised systems. This often includes the exploitation of known software vulnerabilities or misconfigurations that allow the malware to escalate its privileges and access more sensitive areas of the network. Following privilege escalation, the campaign may involve Credential Dumping to harvest user credentials and other sensitive information, further facilitating lateral movement within the network.

In the Discovery phase, the malware gathers detailed information about the target environment. This includes system configurations, network topology, and other critical data that informs the attackers’ next steps. Techniques such as System Information Discovery are used to map out the network and identify key systems and data sources.

Lateral movement is achieved through methods like Remote File Copy, allowing the malware to propagate across the network and reach additional systems. This movement is often accompanied by Data Staging, where collected data is aggregated in a central location before being exfiltrated. The Exfiltration phase employs various techniques, such as Exfiltration Over Command and Control Channels, to transfer stolen data out of the network, often using encrypted channels to avoid detection.

Throughout the campaign, Command and Control communications are maintained using Standard Application Layer Protocols like HTTP or HTTPS, which blend in with regular network traffic and further obscure the attackers’ activities. This approach to command and control enables seamless interaction between the malware and its operators, ensuring that the campaign remains effective and elusive.

MITRE Tactics and Techniques

  • Initial Access: Phishing (T1566): The campaign employs spear-phishing emails with malicious attachments or links to gain initial access to target systems.
  • Execution: User Execution (T1203): Malicious files or links in phishing emails require user interaction to execute, such as opening a malicious attachment or clicking on a harmful link.
  • Persistence: Registry Run Keys / Startup Folder (T1547): The malware may create or modify registry keys to ensure persistence across system reboots.
  • Privilege Escalation: Exploitation for Privilege Escalation (T1068): Exploits vulnerabilities to gain higher privileges on a compromised system.
  • Defense Evasion: Obfuscated Files or Information (T1027): The use of obfuscation techniques to hide the malware’s presence and activities.
  • Defense Evasion: Rootkit (T1014): Some variants may employ rootkit techniques to maintain stealth and avoid detection.
  • Credential Access: Credential Dumping (T1003): Techniques to extract user credentials and other sensitive information from compromised systems.
  • Discovery: System Information Discovery (T1082): The malware gathers information about the system environment and configuration to tailor its operations.
  • Lateral Movement: Remote File Copy (T1105): Transferring files between systems to facilitate lateral movement and expand the scope of the attack.
  • Collection: Data Staged (T1074): Staging collected data in a central location before exfiltration.
  • Exfiltration: Exfiltration Over Command and Control Channel (T1041): Data is exfiltrated through the same channel used for command and control to avoid detection.
  • Command and Control: Standard Application Layer Protocol (T1071): Using common protocols such as HTTP or HTTPS to communicate with command and control servers.

References

  • Operation Celestial Force employs mobile and desktop malware to target Indian entities
Tags: Cisco Talos, Cosmic Leopard, GravityRAT, HeavyLift, India, Malware, Operation Celestial Force, Pakistan, Phishing, RAT, Remote Access Trojan, Transparent Tribe, Trojan, Windows
