Cyber security news for all


    Pakistan-Linked Malware Campaign Expands to Target Windows, Android, and macOS

    Actors with connections to Pakistan have been implicated in a persistent malware operation named Operation Celestial Force, active since at least 2018.

    This ongoing activity involves the deployment of Android malware called GravityRAT and a Windows-based malware loader dubbed HeavyLift, both managed through an additional tool known as GravityAdmin, according to Cisco Talos.

    Cybersecurity researchers have attributed the incursions to an adversary they track under the alias Cosmic Leopard (also known as SpaceCobra), noting tactical similarities with Transparent Tribe.

    “Operation Celestial Force has been operational since at least 2018 and remains active — increasingly leveraging an expanding and evolving suite of malware — indicating its significant success in targeting users in the Indian subcontinent,” security analysts Asheer Malhotra and Vitor Ventura detailed in a technical report shared with The Hacker News.

    GravityRAT was first publicly documented in 2018 as Windows malware that targeted Indian entities through spear-phishing emails, and its feature set has been extended continuously since to extract sensitive information from compromised systems. The malware has since been ported to Android and macOS, making it a multi-platform tool.

    Subsequent investigations by Meta and ESET last year uncovered the ongoing use of the Android variant of GravityRAT to target military personnel in India and within the Pakistan Air Force, camouflaging it as cloud storage, entertainment, and chat applications.

    Cisco Talos’ research unites these varied but interconnected activities under a common framework, driven by evidence pointing to the threat actor’s use of GravityAdmin to coordinate these attacks.

    Cosmic Leopard has primarily utilized spear-phishing and social engineering tactics to build trust with potential targets before directing them to a malicious website that prompts them to download a seemingly benign program, which then deploys GravityRAT or HeavyLift depending on the operating system.

    GravityRAT is believed to have been in use as early as 2016, before it was first publicly documented. GravityAdmin, the binary used to control infected systems, has been in operation since at least August 2021; it connects to the command-and-control (C2) servers for both GravityRAT and HeavyLift.

    “GravityAdmin includes multiple inbuilt User Interfaces (UIs) corresponding to specific codenamed campaigns operated by malicious actors,” the researchers noted. “For instance, ‘FOXTROT,’ ‘CLOUDINFINITY,’ and ‘CHATICO’ are names for all Android-based GravityRAT infections, while ‘CRAFTWITHME,’ ‘SEXYBER,’ and ‘CVSCOUT’ designate attacks deploying HeavyLift.”

    A newly identified component of the threat actor's arsenal is HeavyLift, an Electron-based malware loader distributed through malicious installers that target Windows. It resembles the Electron versions of GravityRAT that Kaspersky documented in 2020.

    Once launched, the loader collects system metadata, sends it to a hard-coded C2 server, and periodically polls that server for new payloads to execute. It is built to perform the same functions on macOS.
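    The loader behaviour described above, a packaged binary that reports system metadata to one hard-coded C2 and then polls it at a fixed interval for payloads, leaves a recognisable pattern in proxy or EDR telemetry: many small, near-identical requests from one process to one destination at machine-regular spacing. The following is an added example and not code from the Cisco Talos report or from this article: a small Python beacon detector run over constructed log lines. The process name `OfficeTool.exe`, the destination `203.0.113.10`, the log format and the thresholds are assumptions chosen for illustration, not indicators from the campaign.

```python
"""Beacon-periodicity detector (added example, not from the Talos report).

Assumed log format, one event per line, whitespace separated:
    <ISO-8601 UTC timestamp> <process> <destination> <bytes_out>
The sample below is constructed for illustration; every host and process
name in it is hypothetical and is not an indicator from the campaign.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample: one process polling one host every 60 s with a
# near-constant payload size (the loader pattern), plus ordinary browser
# traffic and a one-off update check as background noise.
SAMPLE_LOG = """\
2024-06-10T09:00:00Z updater.exe cdn.example-updates.test 512
2024-06-10T09:00:30Z OfficeTool.exe 203.0.113.10 420
2024-06-10T09:01:00Z chrome.exe www.example.com 8812
2024-06-10T09:01:30Z OfficeTool.exe 203.0.113.10 418
2024-06-10T09:02:00Z chrome.exe www.example.com 1204
2024-06-10T09:02:30Z OfficeTool.exe 203.0.113.10 421
2024-06-10T09:03:30Z OfficeTool.exe 203.0.113.10 419
2024-06-10T09:04:30Z OfficeTool.exe 203.0.113.10 417
2024-06-10T09:05:30Z OfficeTool.exe 203.0.113.10 420
2024-06-10T09:07:00Z chrome.exe www.example.com 5530
2024-06-10T09:09:00Z chrome.exe www.example.com 77
2024-06-10T09:20:00Z chrome.exe www.example.com 3301
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, process, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dest, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, proc, dest, int(nbytes)))
    return records


def find_beacons(records, min_hits=5, max_gap_cv=0.15, max_size_cv=0.25, allow_dests=()):
    """Flag (process, destination) pairs whose request timing and size are
    both too regular to be human-driven.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the inter-request gaps and of the bytes sent; thresholds are assumptions
    a team would tune against its own baseline. Destinations in allow_dests
    (known update services, for example) are skipped to cut noise.
    """
    by_pair = defaultdict(list)
    for when, proc, dest, nbytes in records:
        if dest in allow_dests:
            continue
        by_pair[(proc, dest)].append((when, nbytes))

    findings = []
    for (proc, dest), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; cannot judge periodicity
        gap_cv = pstdev(gaps) / mean_gap
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) > 0 else 0.0
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            findings.append({
                "process": proc,
                "dest": dest,
                "hits": len(events),
                "mean_interval_s": mean_gap,
                "gap_cv": gap_cv,
                "size_cv": size_cv,
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['process']} -> {hit['dest']}: {hit['hits']} requests, "
              f"every {hit['mean_interval_s']:.0f}s (gap CV {hit['gap_cv']:.2f}, "
              f"size CV {hit['size_cv']:.2f})")
```

    Treat a hit as a triage lead rather than a verdict: legitimate software also polls on a timer, which is why the allowlist parameter exists and why the finding should be paired with process provenance, for instance a binary that arrived as a download from an unfamiliar site, as the article describes for this campaign.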

    “This multi-year operation has continuously targeted Indian entities and individuals likely associated with defense, government, and technology sectors,” the researchers concluded.
