Evolving Pakistan-Linked Malware Campaign Expands Its Targets to Windows, Android, and macOS

Operation Celestial Force: Ongoing Malware Campaign Linked to Pakistani Threat Actors

A persistent malware campaign known as Operation Celestial Force has been traced back to actors linked to Pakistan, with activities dating as far back as 2018. Cisco Talos has identified the campaign’s reliance on two primary malware tools: GravityRAT, targeting Android devices, and a Windows malware loader known as HeavyLift, alongside a management utility called GravityAdmin.

Cisco Talos has attributed these cyber operations to a group they monitor under the alias Cosmic Leopard, which shows tactical similarities to another adversary called Transparent Tribe. Researchers Asheer Malhotra and Vitor Ventura noted in their report that the sustained activity of Operation Celestial Force demonstrates a high rate of success against targets in the Indian subcontinent, employing an expanding suite of malware to achieve its objectives.

Initially surfacing in 2018, GravityRAT began as a Windows-based malware aimed at Indian entities via spear-phishing attacks, evolving over time to operate on Android and macOS platforms. This development signifies a shift toward a multi-platform attack strategy. Last year, cybersecurity investigations from Meta and ESET revealed ongoing usage of GravityRAT’s Android variant to target personnel in the Indian military and within the Pakistan Air Force, camouflaged as legitimate cloud storage and messaging applications.

Cisco Talos’ findings further unify various related cyber operations, revealing the strategic use of GravityAdmin to orchestrate these attacks effectively. The Cosmic Leopard group commonly employs spear-phishing and social engineering tactics, often establishing trust to direct targets to download malicious software disguised as benign programs, which install either GravityRAT or HeavyLift based on the system in use.

GravityRAT’s deployment is believed to have commenced as early as 2016, while GravityAdmin has been actively commandeering infected systems since August 2021, facilitating connections to command-and-control servers for GravityRAT and HeavyLift. Researchers highlighted that GravityAdmin contains multiple user interfaces tailored for distinct code-named campaigns. Notable examples of these campaigns include ‘FOXTROT’ and ‘CLOUDINFINITY’ for Android infections, alongside ‘CRAFTWITHME’ and ‘SEXYBER’ for those utilizing HeavyLift.

The recent incorporation of HeavyLift, an Electron-based malware loader, further complicates the threat landscape. Distributed via malicious installers targeting Windows, it aligns with earlier findings from Kaspersky concerning GravityRAT’s Electron variants. Once activated, HeavyLift can collect system metadata to relay back to a hard-coded command-and-control server and is capable of performing similar tasks on macOS systems as well.

Overall, this extensive, multi-year campaign has consistently targeted Indian entities and individuals, particularly those in the defense, government, and technology sectors. Such sustained activity underscores the importance of robust cybersecurity measures for organizations seeking to mitigate the risks posed by state-sponsored threat actors, and business owners are urged to remain vigilant in their security practices.

While the specific MITRE ATT&CK tactics applied in these operations could include initial access via spear phishing (T1071), persistence through legitimate application use (T1573), and privilege escalation mechanisms (T1068), the evolving nature of the threats necessitates continual monitoring and adaptation of defensive strategies within the cybersecurity landscape.
