Operation CargoTalon targets Russia’s aerospace with EAGLET malware

Pierluigi Paganini
Operation CargoTalon targets Russia’s aerospace with EAGLET malware, July 25, 2025

Operation CargoTalon targets Russia’s aerospace and defense sectors with EAGLET malware, using TTN documents to exfiltrate data.

SEQRITE Labs researchers uncovered a cyber-espionage campaign, dubbed Operation CargoTalon, targeting Russia’s aerospace and defense sectors, specifically Voronezh Aircraft Production Association (VASO), via malicious TTN documents.

“Товарно-транспортная накладная” (TTN) is a “goods and transport invoice” or “consignment note” used in Russia and other post-Soviet countries.

“Recently, on the 27th of June, our team, upon hunting malicious spear-phishing attachments, found a malicious email file which surfaced on sources like VirusTotal. Upon further hunting, we also found a malicious LNK file, which was responsible for execution of the malicious DLL attachment, whose file type has been masquerading as a ZIP attachment,” reads the report published by SEQRITE Labs. “Upon looking into the email, we found the file Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip, which translates to Transport_Consignment_Note_TTN_No.391-44_from_26.06.2025.zip and is basically a DLL file, and upon further hunting we found another file, which is a shortcut [LNK] file having the same name. Then we decided to look into the workings of these files.”

The attackers use spear-phishing emails carrying disguised ZIP attachments that pair a malicious LNK shortcut with a DLL implant named EAGLET. Once triggered, the files execute commands and exfiltrate data. The infection chain runs from the phishing lure to data theft, suggesting a well-structured and persistent threat operation.
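As an added defender-side illustration (not code from SEQRITE or this article), the check below triages a set of e-mail attachments for the two traits of the lure described above: a file named .zip whose bytes are really a PE/DLL, and a same-named .zip/.lnk pair. The attachment name is the one quoted from the report; the byte contents are constructed for the demo.

```python
import struct
from typing import Dict, List

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")  # local file, empty archive, spanned

def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def is_zip(data: bytes) -> bool:
    return data[:4] in ZIP_MAGICS

def classify_attachment(name: str, data: bytes) -> str:
    """'ok' for a real ZIP, 'pe_as_zip' for a PE/DLL wearing a .zip name, else 'unknown'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext != "zip":
        return "unknown"
    if is_zip(data):
        return "ok"
    return "pe_as_zip" if is_pe(data) else "unknown"

def triage(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Flag PE-as-ZIP attachments and name stems that occur as both .zip and .lnk."""
    pe_as_zip = [n for n, d in attachments.items() if classify_attachment(n, d) == "pe_as_zip"]
    stems: Dict[str, set] = {}
    for name in attachments:
        if "." in name:
            stem, ext = name.rsplit(".", 1)
            stems.setdefault(stem, set()).add(ext.lower())
    pairs = sorted(s for s, exts in stems.items() if {"zip", "lnk"} <= exts)
    return {"pe_as_zip": pe_as_zip, "zip_lnk_pairs": pairs}

def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE header (not a real sample) for the demo set below."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew -> right after the header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16

# Constructed attachment set: the lure name from the report, its same-named LNK, and a benign ZIP.
SAMPLE_ATTACHMENTS = {
    "Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip": _fake_pe(),
    "Транспортная_накладная_ТТН_№391-44_от_26.06.2025.lnk": b"L\x00\x00\x00" + b"\x00" * 32,  # 0x4C LNK header size field
    "report.zip": b"PK\x03\x04" + b"\x00" * 26,
}
```

Calling `triage(SAMPLE_ATTACHMENTS)` reports both the PE-as-ZIP lure and the shared .zip/.lnk stem, while the genuine ZIP passes.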

Operation CargoTalon

The researchers attributed the campaign to a threat cluster tracked as UNG0901.

The EAGLET implant is a PE file that generates a unique GUID to identify the victim, collects system info, creates a hidden directory, and connects to a command-and-control server via HTTP using disguised requests. The malware supports remote shell access, file download, and data exfiltration. Commands from the C2 can execute shell commands or download additional payloads to the victim machine. The implant attempts persistent C2 communication and uses legitimate Windows APIs for network operations.

This campaign’s multi-stage attack uses social engineering, decoys, and advanced malware features to infiltrate, persist, and exfiltrate data from a critical Russian aerospace organization.

SEQRITE Labs uncovered similar campaigns targeting the Russian military using the EAGLET backdoor, showing overlaps with the threat cluster Head Mare. EAGLET shares functional parallels with PhantomDL, a Go-based backdoor featuring shell access and file transfer capabilities. Both campaigns also use similar naming schemes for phishing attachments, highlighting a possible connection or shared tactics between these threat actors targeting Russian entities.

Seqrite said it also uncovered similar campaigns targeting the Russian military sector with EAGLET, not to mention source code and targeting overlaps with another threat cluster tracked as Head Mare that’s known to target Russian entities.

This includes the functional parallels between EAGLET and PhantomDL, a Go-based backdoor with a shell and file download/upload feature, as well as the similarities in the naming scheme used for the phishing message attachments.

“UNG0901 or Unknown-Group-901 demonstrates a targeted cyber operation against Russia’s aerospace and defense sectors using spear-phishing emails and a custom EAGLET DLL implant for espionage and data exfiltration,” concludes the report. “UNG0901 also overlaps with Head Mare which shows multiple similarities such as decoy-nomenclature and much more.”
