Russian Aviation Phishing: Drone Simulators Steal Sensitive Data

HeartlessSoul phishing campaign targets Russian aviation: drone simulators and Starlink tools steal geospatial data. Here is what you need to know.

Since September 2025, the cyber-espionage group HeartlessSoul has been targeting Russian government agencies and aviation companies with specialized phishing campaigns. The current risk lies in the attackers' tactical adaptation: as revealed this week, they are using conflict-themed lures to steal strategic geospatial data, and the evolution of these lures points to a specific military target.

Key Takeaways
  • The HeartlessSoul group has been active since September 2025 against Russian government agencies and aviation companies.
  • Kaspersky published a report this week linking HeartlessSoul to the well-known Goffee hacking cluster.
  • The malware distributed on SourceForge steals GIS data, Telegram credentials, and device location.
  • Lures include fake FPV drone simulators and tools for bypassing Starlink restrictions.
  • The primary goal is the exfiltration of geospatial information and confidential data from victims.

The context of Operation HeartlessSoul

Kaspersky released a report this week on the cyber-espionage campaign orchestrated by the HeartlessSoul group. The cluster, active since at least September 2025, focuses on Russian government agencies and companies in the aviation sector.

The attack infrastructure utilizes domains created to mimic aviation-related resources, through which malware disguised as legitimate software is distributed. Attackers also exploited the legitimate SourceForge platform to spread a fake version of GearUP containing spyware.

Access tactics and spyware malware

Initial access occurs primarily through phishing emails containing infected archives and malicious advertising campaigns mimicking aviation software websites. Once the malicious payload is executed, the malware initiates extensive data collection from the compromised device.

The malicious software is designed to steal GIS (Geographic Information System) data, capture screenshots, record keystrokes, and harvest browser data and Telegram credentials. It also determines the exact location of the infected device, a detail that elevates the risk for operators who are physically in the field.

The evolution of lures and the link to the conflict

According to independent analyst Oleg Shakirov, the malware is also distributed via files disguised as FPV drone simulators and tools for bypassing Starlink restrictions.

"If confirmed, that could suggest the attacks were aimed not just at aviation companies but at drone operators, communications specialists or other military personnel", Shakirov explained.

The use of such specific lures indicates a targeted adaptation to the context of the Russia-Ukraine conflict. This suggests that attackers are attempting to target military operators or communications specialists active in operation areas, exploiting the need for operational tools that are currently in high demand.

"Analysis of the HeartlessSoul group's activity shows a targeted interest by the attackers in enterprises within Russian industry with the aim of obtaining confidential data, particularly geospatial information", Kaspersky researchers emphasize.

Kaspersky has also identified links between HeartlessSoul and the Goffee hacking group, indicating possible coordinated or related operations. However, the temporal correlation with attacks on the Russian Federal Air Transport Agency (Rosaviatsia) remains uncertain, as no definitive date is known and it is not possible to establish if they are part of the same campaign.

What to do now

Faced with targeted phishing campaigns that exploit current thematic lures, exposed organizations must adopt specific countermeasures to mitigate the risk of sensitive data exfiltration.

  • Inspect network logs for outbound traffic to suspicious aviation-themed domains or to SourceForge downloads that are not sanctioned by policy, in order to identify possible ongoing infections.
  • Implement rigorous network segmentation for devices handling GIS data and Telegram communications, limiting the exposure surface in the event of a compromise.
  • Isolate systems that have recently downloaded executables related to FPV simulators or tools for managing Starlink connections, subjecting them to thorough forensic analysis.
  • Restrict the use of compressed archives received via email and block the execution of files downloaded from open-source hosting platforms without prior security verification.
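As an added illustration of the first and last bullets (not code from the report or from Kaspersky), the following script scans constructed proxy log lines for executable or archive downloads from SourceForge or from aviation-themed domains, and for filenames carrying the lure themes named above. The log format, domain names, keyword lists and allowlist are assumptions to be tuned locally.

```python
import re

# Constructed sample proxy log lines (not from the Kaspersky report):
# timestamp src_ip method host path
SAMPLE_LOG = """\
2025-10-02T09:14:01Z 10.0.5.17 GET sourceforge.net /projects/gearup-mirror/files/GearUP_setup.exe
2025-10-02T09:15:22Z 10.0.5.17 GET fpv-sim-pro.example /download/fpv_simulator_v3.zip
2025-10-02T09:16:05Z 10.0.5.40 GET www.python.org /downloads/
2025-10-02T09:17:48Z 10.0.5.22 GET aviation-portal.example /tools/starlink_unlock.rar
2025-10-02T09:18:30Z 10.0.5.40 GET docs.example /manual.pdf
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Executables and compressed archives are the file types the guidance above singles out.
RISKY_EXT = (".exe", ".msi", ".zip", ".rar", ".7z")
# Lure themes named in the report: FPV drone simulators, Starlink tools, the fake GearUP.
LURE_WORDS = ("fpv", "simulator", "starlink", "gearup")
# Substrings typical of aviation-themed lookalike domains (hypothetical list, tune locally).
AVIATION_WORDS = ("avia", "aero", "drone", "fpv")
# Hypothetical allowlist of approved download sources; replace with your own.
ALLOWED_HOSTS = {"www.python.org"}

def assess(host: str, path: str) -> tuple[str, ...]:
    """Return the reasons one request is suspicious, or an empty tuple if none."""
    host, path = host.lower(), path.lower()
    if host in ALLOWED_HOSTS:
        return ()
    reasons = []
    is_download = path.endswith(RISKY_EXT)
    if is_download and (host == "sourceforge.net" or host.endswith(".sourceforge.net")):
        reasons.append("executable/archive fetched from open-source hosting")
    if is_download and any(w in host for w in AVIATION_WORDS):
        reasons.append("download from aviation-themed domain")
    if any(w in path for w in LURE_WORDS):
        reasons.append("lure keyword in filename")
    return tuple(reasons)

def scan(log_text: str) -> list[tuple[str, str, str, tuple[str, ...]]]:
    """Return (src_ip, host, path, reasons) for every log line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, src_ip, _, host, path = m.groups()
            reasons = assess(host, path)
            if reasons:
                findings.append((src_ip, host, path, reasons))
    return findings
```

Running `scan(SAMPLE_LOG)` flags the three download lines and passes the allowlisted and PDF requests, giving a triage list of hosts to isolate per the third bullet.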

Frequently Asked Questions

What is the HeartlessSoul group?
It is a cyber-espionage group active since at least September 2025 that targets Russian government agencies and aviation companies to steal confidential data, particularly geospatial information.

How is HeartlessSoul malware distributed?
The malware is distributed via phishing emails with infected archives, fake websites mimicking aviation software, and modified versions of legitimate programs on platforms like SourceForge.

What data does this spyware steal?
The malicious software exfiltrates GIS data, screenshots, keystrokes, browser data, Telegram credentials, and the geographical location of the infected device.

The adaptation of lures to the theater of operations demonstrates how cyber espionage evolves to exploit the immediate needs of operators in the field. The real risk is that the search for operational tools, such as FPV simulators or systems to bypass network restrictions, becomes the direct vector for the compromise of strategic assets and sensitive information.
