GBHackers

Operation CargoTalon Targets Russian Aerospace & Defense to Deploy EAGLET Implant


SEQRITE Labs’ APT-Team has uncovered a sophisticated spear-phishing campaign dubbed Operation CargoTalon, targeting employees at Russia’s Voronezh Aircraft Production Association (VASO), a key aerospace entity.

The operation leverages malicious attachments disguised as товарно-транспортная накладная (TTN) logistics documents, critical for Russian supply chains.

Discovered on June 27 via VirusTotal hunting, the campaign employs a malicious EML file named backup-message-10.2.2.20_9045-800282.eml, sent from a spoofed Transport and Logistics Centre address.

This email urges recipients to prepare for cargo delivery, attaching a DLL file masquerading as a ZIP archive titled Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip.

Malicious Email File.

Accompanying it is a malicious LNK shortcut file with the same name, which orchestrates the infection by invoking PowerShell to locate and execute the DLL via rundll32.exe, while spawning a decoy XLS file to evade suspicion.

Infection Chain Unveiled

The LNK script recursively searches %USERPROFILE% and %TEMP% directories for the implant, extracts an embedded XLS overlay of 59,904 bytes starting at offset 296,960, and saves it as ранспортная_накладная_ТТН_№391-44_от_26.06.2025.xls in %TEMP%.

This decoy mimics an Equipment Interchange Report (EIR) from Obltransterminal LLC, an entity sanctioned by U.S. OFAC under Executive Order 14024. It features container inspection details, damage codes (e.g., Трещина for cracks, Сквозная коррозия for through-corrosion), and schematic diagrams, consistent with Russian military-logistics paperwork.

The core payload, dubbed EAGLET, is a C++-based DLL implant with espionage-focused features.

Operation CargoTalon
Infection Chain

Upon execution, it generates a unique GUID for victim identification, enumerates the computer name, hostname, and DNS domain, and creates a C:\ProgramData\MicrosoftAppStore directory for persistence.

EAGLET Implant Capabilities

It spawns threads using CreateThread to establish C2 communication via WinHttpOpen and WinHttpConnect APIs, masquerading under user-agent “MicrosoftAppStore/2001.0” to connect to hardcoded server 185.225.17.104 on port 80.

GET requests poll for commands with paths like /poll?id=&hostname=&domain=, while responses trigger functionalities such as remote shell execution (via “cmd:” keyword), file downloads to the staging directory, and exfiltration via POST to /result with base64-encoded results (e.g., id=&result=).
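The beacon pattern described above (fixed user-agent, GET polls to /poll with id, hostname and domain parameters, POST of base64 results to /result) can be turned into a simple proxy-log check. The following is an added example, not SEQRITE's code; the log line format, the victim GUID and the sample traffic are constructed for illustration, and the C2 address is the one reported in the article.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Beacon traits reported for EAGLET: a fixed user-agent, GET polls to /poll carrying
# id/hostname/domain, and POSTs to /result carrying a base64-encoded result.
EAGLET_UA = "MicrosoftAppStore/2001.0"

# Constructed, simplified proxy-log format: <src> <method> <url> <status> "<user-agent>" [<post-body>]
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"(?: (?P<body>\S+))?$'
)

def classify(line):
    """Return the EAGLET indicator labels matched by one log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    url = urlsplit(m["url"])
    if m["ua"] == EAGLET_UA:
        hits.append("eaglet-user-agent")
    if m["method"] == "GET" and url.path == "/poll":
        if {"id", "hostname", "domain"} <= parse_qs(url.query, keep_blank_values=True).keys():
            hits.append("eaglet-poll")
    if m["method"] == "POST" and url.path == "/result" and m["body"]:
        if {"id", "result"} <= parse_qs(m["body"], keep_blank_values=True).keys():
            hits.append("eaglet-result-post")
    return hits

def decode_result(body):
    """Recover the plaintext of an exfiltrated /result body (form-encoded, base64 inside)."""
    result = parse_qs(body, keep_blank_values=True).get("result", [""])[0]
    return base64.b64decode(result, validate=True)

def scan(lines):
    """Map each source IP to the set of indicators it tripped across all lines."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            report.setdefault(line.split(" ", 1)[0], set()).update(hits)
    return report

# Constructed sample traffic; the victim id is a placeholder GUID, not one from the campaign.
VICTIM_ID = "00000000-0000-4000-8000-000000000001"
RESULT_PLAINTEXT = b"Volume in drive C has no label."
SAMPLE_LOG = [
    f'10.0.0.15 GET http://185.225.17.104/poll?id={VICTIM_ID}&hostname=WS01&domain=corp.local 200 "{EAGLET_UA}"',
    f'10.0.0.15 POST http://185.225.17.104/result 200 "{EAGLET_UA}" '
    f'id={VICTIM_ID}&result={quote(base64.b64encode(RESULT_PLAINTEXT).decode(), safe="")}',
    '10.0.0.22 GET https://www.example.com/poll?id=1 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG).items():
        print(src, sorted(hits))
```

A host tripping the poll and result-post indicators together, regardless of user-agent, is the stronger signal, since the user-agent string is trivially changed between builds.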

Infrastructure analysis reveals the C2 in Romania under ASN 39798 (MivoCloud SRL), with passive DNS ties to recycled domains linked to TA505, though no direct correlation exists beyond infrastructure reuse.

Hunting uncovered similar campaigns targeting Russian military recruitment via decoys like Договор_РН83_изменения.zip, connecting to C2 188.127.254.44 under ASN 56694.

Overlaps with Head Mare (tracked by Kaspersky) include tooling similarities (EAGLET mirrors PhantomDL’s shell, download, and upload features), file-naming patterns (e.g., Contract_RN83_Changes akin to Contract_kh02_523), and a shared motivation in targeting Russian entities.

Thus, SEQRITE attributes Operation CargoTalon to UNG0901, a cluster sharing resources with Head Mare for espionage against aerospace and defense sectors. SEQRITE’s AgentCiR detects it as trojan.49644.SL.

This campaign exemplifies advanced persistence through LOLBins, decoy embedding, and modular C2 interactions, highlighting escalating threats to Russian critical infrastructure.

Indicators of Compromise (IOCs)

