
Overview:
Operation CargoTalon is a cyber-espionage campaign identified in July 2025, targeting Russia’s aerospace and defense sectors. Unlike a conventional military operation, CargoTalon is a digital attack aimed at stealthily infiltrating critical Russian defense organizations to gather sensitive information.
Detailed Notes:
Target and Sector:
- CargoTalon specifically targets the Voronezh Aircraft Production Association (VASO), which is a major player in Russia’s aerospace manufacturing industry.
- The focus on aerospace and defense is consistent with the strategic importance of these sectors in national security.
Infection Method:
- The primary attack vector is spear-phishing email: phishing messages crafted for selected individuals within the targeted organizations, which raises the chance that they are opened.
- The emails are disguised as legitimate logistics documents, specifically Russian transport consignment notes or “Товарно-транспортная накладная” (TTN). This disguise leverages documents that logistics staff would normally expect and trust.
Malicious Payload:
- The attachments appear to be zipped TTN documents but actually contain DLL (dynamic link library) files, which are the malware implant named EAGLET.
- This technique uses file format deception; a zipped archive looks like normal paperwork but carries executables underneath.
Malware Execution Chain:
- The attack uses a malicious LNK file (a Windows shortcut) to run the malicious DLL automatically, without arousing the user's suspicion.
- Running the DLL implant opens a decoy document, so the file appears to behave legitimately and the activity is less likely to be noticed by the user or flagged by security tools.
- The malware scans typical user directories to quietly establish persistence and deploy additional payloads or tools.
Attributed Threat Actor:
- Intelligence attributes this campaign to a threat group designated UNG0901 (also known as “Head Mare”), which is known for targeting Russian defense interests.
- This group has a history of using similar malware and spear-phishing tactics, suggesting a coordinated and persistent espionage effort.
Purpose and Impact:
- CargoTalon is solely a cyber espionage operation, not involving any physical military actions.
- Its objective is to exfiltrate sensitive data — likely intellectual property, design schematics, or security details — from Russian aerospace defense entities.
- The operation reflects the increasing use of cyberattacks as a strategic tool in intelligence and defense competition.
Summary:
Operation CargoTalon is a sophisticated and targeted cyberattack campaign using deceptive logistical emails and advanced malware implants (EAGLET) to infiltrate Russia’s aerospace defense industry via spear-phishing. It demonstrates the critical intersection of cybersecurity and national defense in modern geopolitical conflicts.
Indicators of Compromise
Hashes (SHA256):
- 9d66405aebff0080cc5d28a1684d501fa7e183dc8b6340475fc06845509cb466
- 42813b301da721c34ca1aca29ce2e4c7d71ae580b519a3332a4ba71870b6a58e
- f67c6341bfe37f5b05c00a0dda738f472fdabd6ea94ca8dc761f57f11ce12036
- aed291c023c3514fb97b4e08e291e03f52de91a2a8d311491b4ab8299db0aa0f
- faed55ed0102b1b2e3d853e8633abecbb9cec6a5f41c630097d8eaeefafba060
C2 Domains:
- interestedthingsforkissinggirlwithloves[.]duckdns[.]org
- freebirdkissingonmylipswithnicefeelings[.]duckdns[.]org
Notable File/Artifact Names:
- Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip (malicious ZIP/DLL masquerade)
- LNK files with names similar to the above, used to initiate the DLL payload.
Process/Behavioral IOCs:
- PowerShell executions that extract and run the DLL using rundll32.exe.
- Creation of decoy .xls files in %TEMP% after infection.
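As an added detection example (not code from the report or from any vendor tooling), the Python below applies the behavioural and network indicators listed above to constructed endpoint telemetry: it flags PowerShell launching rundll32.exe with a DLL, a command line that references the TTN-named lure archive, a decoy .xls written to %TEMP% by the rundll32-hosted process, and resolution of the listed C2 domains. The event schema, the user paths, the DLL name implant.dll and the PowerShell command line are assumptions; the domain names and the lure file name are the page's own.

```python
import re

# Indicators quoted on the page; the defanged "[.]" is restored for matching.
C2_DOMAINS = {
    "interestedthingsforkissinggirlwithloves.duckdns.org",
    "freebirdkissingonmylipswithnicefeelings.duckdns.org",
}
# Lure archive name from the page, generalised to other TTN numbers and dates.
TTN_LURE = re.compile(r"Транспортная_накладная_ТТН_№[\d-]+_от_\d{2}\.\d{2}\.\d{4}\.zip")

def analyze(events):  # returns one finding per page-described behaviour seen
    findings = []
    for e in events:
        kind, image = e["type"], e.get("image", "").lower()
        if kind == "process":
            cmd = e.get("cmdline", "")
            # Execution chain: PowerShell runs the dropped DLL via rundll32.exe.
            if (e.get("parent", "").lower().endswith("powershell.exe")
                    and image.endswith("rundll32.exe") and ".dll" in cmd.lower()):
                findings.append("powershell->rundll32 DLL execution: " + cmd)
            # Lure: the TTN-named ZIP referenced on a command line (extraction).
            if TTN_LURE.search(cmd):
                findings.append("TTN lure archive referenced: " + cmd)
        elif kind == "file":
            path = e.get("path", "")
            # Decoy .xls written to %TEMP% by the rundll32-hosted implant.
            if (image.endswith("rundll32.exe") and path.lower().endswith(".xls")
                    and "\\temp\\" in path.lower()):
                findings.append("decoy .xls written to %TEMP%: " + path)
        elif kind == "dns" and e.get("query", "").lower() in C2_DOMAINS:
            findings.append("C2 domain resolved: " + e["query"])
    return findings

# Constructed sample telemetry (not from the page); user paths, implant.dll and the PS command line are hypothetical.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
RUNDLL = "C:\\Windows\\System32\\rundll32.exe"
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\explorer.exe", "image": PS,
     "cmdline": "powershell -w hidden Expand-Archive C:\\Users\\u\\Downloads\\"
                "Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip"},
    {"type": "process", "parent": PS, "image": RUNDLL,
     "cmdline": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\implant.dll,#1"},
    {"type": "file", "image": RUNDLL, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\decoy.xls"},
    {"type": "dns", "query": "freebirdkissingonmylipswithnicefeelings.duckdns.org"},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe", "image": RUNDLL,  # benign
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # Explorer parent: not flagged
]

def analyze_sample():
    return analyze(SAMPLE_EVENTS)
```

The parent-process check is what keeps ordinary Explorer-launched rundll32.exe use (last sample event) out of the findings; in a real deployment the same rules would be fed from Sysmon or EDR process, file and DNS events.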