Bivash Nayak
26 Jul

Published on: July 26, 2025

By: CyberDudeBivash Editorial Team

Category: Cyber Espionage | Threat Intelligence


πŸ•΅οΈ Campaign Overview

A sophisticated espionage operation dubbed Operation CargoTalon has emerged, targeting Russia's aerospace sector, including employees of the Voronezh Aircraft Production Association (VASO), using a stealthy backdoor known as EAGLET. Identified in late June 2025 by Seqrite Labs, the campaign is attributed to a threat cluster tracked as UNG0901.


🎯 Attack Chain Breakdown

1. 🎣 Spear‑Phishing with Logistics Lures

The operation begins with well-crafted emails referencing Transport Consignment Note (TTN) documents, which are vital to Russian logistics. The payload arrives as a ZIP archive containing a malicious .LNK file masquerading as a delivery document.

2. 🧪 Multi‑Stage Execution

When opened, the .LNK launches PowerShell that:

3. 👾 EAGLET Backdoor Functionality

EAGLET establishes persistence while masquerading as legitimate traffic using the user-agent string MicrosoftAppStore/2001.0. It contacts a hard-coded C2 server (185.225.17[.]104), periodically polling via HTTP for instructions. It supports:

4. 🌍 Linked Infrastructure

Analysis of related implants reveals overlapping characteristics with campaigns using implant variants tied to "Head Mare" threat activity. Similar targeting and infrastructure reuse reinforce the alignment between these APT clusters. EAGLET shares code traits with PhantomDL, a Go‑based backdoor with file and shell functionality.


⚠️ Risk Highlights

  • Aerospace IP & Trade Secrets: Successful infiltration poses the risk of leaks involving sensitive engineering designs and defense technology.
  • High Stealth Factor: The LNK‑based delivery, Excel decoys, and benign HTTP traffic help evade standard detection tools.
  • Deep Inside Access: UNG0901 is an advanced player using reusable infrastructure across campaigns to maintain long-term espionage capabilities.

πŸ›‘οΈ Detection & Mitigation Strategies

✅ 1. Raise Awareness Around TTN/Logistics Phishing

Train employees to scrutinize shipment-themed emails, especially from unknown senders. ZIP files with unusual naming should raise suspicion.

✅ 2. Harden Windows LNK Behavior & PowerShell

  • Block .LNK execution via default settings or AppLocker rules.
  • Audit PowerShell executions launched from user download paths.
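The audit step above can be turned into a concrete rule. The following is an added example, not code from the post or from Seqrite Labs: it models process-creation events (the fields that Sysmon Event ID 1 or Security Event 4688 carry) as dicts and flags the LNK-to-PowerShell pattern the post describes. The event records, the user-drop-path patterns, and the generic hidden/encoded switch check are assumptions constructed for illustration, not indicators from the post.

```python
"""Audit PowerShell launches that originate from user download paths.

Added example (not from the post or Seqrite). Events are modelled as dicts
with the fields Sysmon Event ID 1 / Security 4688 provide. All sample events
below are constructed; the EAGLET campaign data in the post contains none.
"""
import re
from pathlib import PureWindowsPath

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Assumption: locations a user opens a delivered archive or .LNK from.
# Extend for your environment (shared drives, mail client attachment caches).
USER_DROP_PATTERNS = [
    re.compile(r"\\Users\\[^\\]+\\Downloads\\", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
]

# Generic PowerShell switches worth a second look (hidden window, encoded
# command). Assumption: common tradecraft signals, not EAGLET-specific.
SUSPICIOUS_SWITCHES = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc(odedcommand)?)?\s)", re.IGNORECASE
)

# Constructed process-creation events (hypothetical user names and paths).
SAMPLE_EVENTS = [
    {   # .LNK double-clicked inside an extracted ZIP in Downloads
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'powershell.exe -w hidden -c "<constructed placeholder>"',
        "current_directory": r"C:\Users\ivanov\Downloads\TTN_2025",
    },
    {   # administrator running a maintenance script: benign
        "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"pwsh.exe -File C:\Scripts\inventory.ps1",
        "current_directory": r"C:\Scripts",
    },
    {   # explorer-launched PowerShell pointed at a script under Downloads
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'powershell.exe -File "C:\Users\petrova\Downloads\order\run.ps1"',
        "current_directory": r"C:\Users\petrova",
    },
    {   # an Excel decoy opening from Downloads is not PowerShell: ignored here
        "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"EXCEL.EXE" "C:\Users\ivanov\Downloads\TTN_2025\ttn.xlsx"',
        "current_directory": r"C:\Users\ivanov\Downloads\TTN_2025",
    },
]


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased, on any host OS."""
    return PureWindowsPath(path).name.lower()


def audit_event(event: dict) -> list:
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    if image_name(event["image"]) not in POWERSHELL_IMAGES:
        return reasons  # only PowerShell launches are in scope for this rule
    where = event["current_directory"] + " " + event["command_line"]
    if any(p.search(where) for p in USER_DROP_PATTERNS):
        reasons.append("launched-from-user-drop-path")
    if image_name(event["parent_image"]) == "explorer.exe":
        reasons.append("parent-explorer")  # how a double-clicked .LNK surfaces
    if SUSPICIOUS_SWITCHES.search(event["command_line"]):
        reasons.append("hidden-or-encoded-switch")
    return reasons


def audit(events: list, min_reasons: int = 2) -> list:
    """Return (index, reasons) for events that trip at least min_reasons signals."""
    flagged = []
    for i, event in enumerate(events):
        reasons = audit_event(event)
        if len(reasons) >= min_reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for index, reasons in audit(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(reasons)}")
```

Requiring two independent signals (drop path plus explorer parent, for instance) keeps a lone administrator script out of the alert queue while still catching the double-clicked-LNK shape; tune `USER_DROP_PATTERNS` to where your users actually land attachments.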

✅ 3. Monitor HTTP Traffic & Whitelist Agents

Flag HTTP traffic that uses suspicious user-agent strings such as MicrosoftAppStore/2001.0 to unfamiliar external domains. Lock down egress to unknown hosts.

✅ 4. Hunt for Backdoor Artifacts

Search for directories like MicrosoftApppStore (used by EAGLET) and monitor HTTP POSTs to suspicious endpoints.
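The two hunts above (the user-agent and C2 traffic check in step 3, and the directory and HTTP POST search in step 4) share the same indicators, so one added example covers both. This is not tooling from the post or from Seqrite Labs. The only values taken from the post are the user-agent string MicrosoftAppStore/2001.0, the defanged C2 address 185.225.17[.]104 and the directory name MicrosoftApppStore (spelled as the post gives it); the proxy log format, the log lines and the temporary directory tree are constructed for the example. The beaconing check generalizes the post's "periodically polling" remark by measuring how regular the intervals between a client's requests to one host are.

```python
"""Hunt for EAGLET network and filesystem artifacts named in the post.

Added example, not the post's or Seqrite's own tooling. Indicators from the
post: user-agent MicrosoftAppStore/2001.0, C2 185.225.17[.]104 (defanged),
implant directory MicrosoftApppStore. Log lines and directory tree below are
constructed for illustration.
"""
import os
import re
import statistics
import tempfile
from datetime import datetime

EAGLET_USER_AGENT = "MicrosoftAppStore/2001.0"
EAGLET_C2_DEFANGED = "185.225.17[.]104"
EAGLET_DIR_NAME = "MicrosoftApppStore"  # as written in the post


def refang(indicator: str) -> str:
    """Turn a defanged IOC (185.225.17[.]104, hxxp://) into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed proxy log layout: timestamp client method host path "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

SAMPLE_PROXY_LOG = """\
2025-06-27T09:00:00 10.1.4.22 GET www.example-update.test /catalog "Mozilla/5.0 (Windows NT 10.0)"
2025-06-27T09:00:05 10.1.4.22 GET 185.225.17.104 /api/tasks "MicrosoftAppStore/2001.0"
2025-06-27T09:01:05 10.1.4.22 GET 185.225.17.104 /api/tasks "MicrosoftAppStore/2001.0"
2025-06-27T09:02:05 10.1.4.22 POST 185.225.17.104 /api/result "MicrosoftAppStore/2001.0"
2025-06-27T09:03:05 10.1.4.22 GET 185.225.17.104 /api/tasks "MicrosoftAppStore/2001.0"
2025-06-27T09:03:40 10.1.4.31 GET cdn.example.test /img/logo.png "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_log(text: str) -> list:
    """Parse constructed proxy lines into dicts; lines that don't match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = datetime.fromisoformat(row["ts"])
            rows.append(row)
    return rows


def find_ioc_hits(rows: list) -> list:
    """Return (client, host, method, reasons) for rows matching the post's IOCs."""
    c2 = refang(EAGLET_C2_DEFANGED)
    hits = []
    for r in rows:
        reasons = []
        if r["ua"] == EAGLET_USER_AGENT:
            reasons.append("eaglet-user-agent")
        if r["host"] == c2:
            reasons.append("eaglet-c2")
        if r["method"] == "POST" and r["host"] == c2:
            reasons.append("c2-post")  # step 4: POSTs to a suspicious endpoint
        if reasons:
            hits.append((r["client"], r["host"], r["method"], reasons))
    return hits


def beacon_score(rows: list, client: str, host: str, max_jitter_seconds: float = 10.0):
    """(mean interval, stdev, is_beacon) for one client->host series, or None.

    Regular polling shows up as a small standard deviation of the gaps between
    requests; the jitter threshold is an assumption to tune per environment.
    """
    times = sorted(r["ts"] for r in rows if r["client"] == client and r["host"] == host)
    if len(times) < 3:
        return None  # too few requests to judge periodicity
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
    return (mean, sd, sd <= max_jitter_seconds)


def find_implant_dirs(root: str) -> list:
    """Walk root and return every directory whose name matches the implant folder."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == EAGLET_DIR_NAME.lower():
                found.append(os.path.join(dirpath, d))
    return found


def demo_dir_scan() -> list:
    """Build a constructed profile tree (stand-in for a user's AppData) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "AppData", "Roaming", EAGLET_DIR_NAME))
        os.makedirs(os.path.join(root, "AppData", "Local", "Microsoft", "WindowsApps"))
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_implant_dirs(root)]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_PROXY_LOG)
    for hit in find_ioc_hits(rows):
        print("IOC hit:", hit)
    print("beacon:", beacon_score(rows, "10.1.4.22", refang(EAGLET_C2_DEFANGED)))
    print("implant dirs:", demo_dir_scan())
```

On the constructed log the infected client's four requests to the C2 arrive exactly 60 seconds apart, so the beacon check reports zero jitter; on real traffic you would run `beacon_score` across every client/host pair that exceeds a request count and rank by standard deviation, and point `find_implant_dirs` at each user profile root on the endpoint.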

✅ 5. Restrict Lateral Movement Potential

Isolate aerospace engineering networks behind firewalls and segmentation. Deploy network monitoring inside high-value segments.

✅ 6. Use Endpoint Protection & Threat Intelligence Feeds

Detect snapshot DLL installs and command-line activity from unknown processes, and check against IOC lists, including file hashes and C2 domains.


πŸ” Broader Landscape & Implications

Operation CargoTalon aligns with a pattern of targeted campaigns orchestrated by Russia-aligned APT groups (e.g., Head Mare, UNG0901) aimed at aerospace and defense industries. Their ability to engineer domain-specific lures and drop advanced implants underscores the high stakes of cyber espionage in critical infrastructure.


📌 Key Takeaways

  • What: CargoTalon delivers the EAGLET backdoor via spear-phishing with logistics-themed lures.
  • Who: Targets VASO and related Russian aerospace entities; threats attributed to UNG0901 (with overlaps to Head Mare).
  • Why it matters: The campaign targets sensitive aerospace trade secrets and demonstrates high operational stealth.
  • Defense: Users should block LNK execution, monitor suspicious HTTP and user-agent traffic, and hunt for implant artifacts aggressively.

💬 Join the Conversation

  • Have you detected unusual Office or LNK activity in aerospace environments?
  • Do you log outbound HTTP sessions against unusual user-agent strings?

Share your insights in the comments or connect with us on Twitter: @CyberDudeBivash.


🔗 Stay Informed with CyberDudeBivash

For continuous tracking of espionage campaigns, malware innovations, and defense strategies in aerospace, subscribe to our Cyber Magazine: cyberdudebivash.com


Tags: #CargoTalon #EAGLETBackdoor #OperationCargoTalon #UNG0901 #CyberEspionage #AerospaceSecurity #RussiaAPT #ThreatIntel #CyberDudeBivash
