Operation Celestial Force employs mobile and desktop malware to target Indian entities
June 14, 2024, 9:11 a.m.
Description
Cisco Talos is disclosing a new malware campaign called 'Operation Celestial Force', conducted by a Pakistani nexus of threat actors called 'Cosmic Leopard'. This multi-year operation has targeted Indian entities and individuals since at least 2018, using GravityRAT (an Android and Windows malware) and HeavyLift (a Windows malware loader). The campaigns are administered through a tool called GravityAdmin, which manages multiple codenamed campaigns simultaneously. The operation relies on spear phishing and social engineering to infect targets and has continuously expanded its malware suite, which indicates a high degree of success.
Tags
Date
- Created: June 14, 2024, 8:31 a.m.
- Published: June 14, 2024, 8:31 a.m.
- Modified: June 14, 2024, 9:11 a.m.
Indicators
- da3907cf75662c3401581a5140831f8b2520a4c3645257b3860c7db94295af88
- c00cedd6579e01187cd256736b8a506c168c6770776475e8327631df2181fae2
- 8d458fb59b6da20e1ba1658bb4a1f7dbb46d894530878e91b64d3c675d3d4516
- 8e9bcc00fc32ddc612bdc0f1465fc79b40fc9e2df1003d452885e7e10feab1ee
- 838fd5d269fa09ef4f7e9f586b6577a9f46123a0af551de02de78501d916236d
- 69414a0ca1de6b2ab7b504a507d35c859fc5a1b8e0b3cf0c6a8948b2f652cbe9
- 63a76ca25a5e1e1cf6f0ca8d32ce14980736195e4e2990682b3294b125d241cf
- 688c8e4522061bb9d82e4c3584f7ef8afc6f9e07e2374567755faad2a22e25b8
- 5695c1e5e4b381844a36d8281126eef73a9641a315f3fdd2eb475c9073c5f4da
- 380df073825aca1e2fdbea379431c2f4571a8c7d9369e207a31d2479fbc7be88
- 4ebdfa738ef74945f6165e337050889dfa0aad61115b738672bbeda648a59dab
- 36851d1da9b2f35da92d70d4c88ea1675f1059d68fafd3abb1099e075512b45e
- 12d98137cd1b0cf59ce2fafbfe3a9c3477a42dae840909adad5d4d9f05dd8ede
- 1382997d3a5bb9bdbb9d41bb84c916784591c7cdae68305c3177f327d8a63b71
- 04e216f4780b6292ccc836fa0481607c62abb244f6a2eedc21c4a822bcf6d79f
- 06b617aa8c38f916de8553ff6f572dcaa96e5c8941063c55b6c424289038c3a1
- https://zclouddrive.com/system/clouddrive/
- https://zclouddrive.com/downloads/CloudDrive_Setup_1.0.1.exe
- https://zclouddrive.com/system/546F9A.php
- https://www.sexyber.net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1.0.0.zip
- https://www.craftwithme.uk/cwmb/d26873c6.php
- https://www.craftwithme.uk/cwmb/craftwithme/strong_client.php
- https://www.craftwithme.uk/cwmb/craftwithme/
- https://ux.androidwebkit.com/kangaroo/8a99d28c.php
- https://tl37.officelibraries.com/resauth.php/
- https://tl37.officelibraries.com/opex/13942BA7.php
- https://tl37.officelibraries.com/Sier/resauth.php
- https://tl37.officelibraries.com/MicrosoftUpdates/741bbfe6.php
- https://tl37.officelibraries.com/MsWordUpdates/c47d1870.php
- https://sni1.androidmetricsasia.com/voilet/8a99d28c.php
- https://sexyber.net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1.0.0.zip
- https://sdk2.sdklibraries.com/golf/c6cf642b.php
- https://moon.playstoreapi.net/indigo/8a99d28c.php
- https://library.androidwebkit.com/kangaroo/8a99d28c.php
- https://jupiter.playstoreapi.net/indigo/8a99d28c.php
- https://jupiter.playstoreapi.net/RB/e7a18a38.php
- https://jun.javacdnlib.com/Quebec/5be977ac.php
- https://jre.jdklibraries.com/hotriculture/671e00eb.php
- https://download.webbucket.co.uk/webbucket/strong_client.php
- https://download.webbucket.co.uk/webbucket/
- https://download.webbucket.co.uk/A0B74607.php
- https://download.teraspace.co.in/teraspace/
- https://download.teraspace.co.in/78181D14.php
- https://download.sexyber.net/sexyber/sexyberC.php
- https://download.sexyber.net/0fb1e3a0.php
- https://download.rockamore.co.uk/m2c/m_client.php
- https://download.cvscout.uk/cvscout/cvstyler_client.php
- https://download.cvscout.uk/cvscout/
- https://download.cvscout.uk/c9a5e83c.php
- https://dl01.windowsupdatecloud.com/opex/7ab24931.php
- https://dl01.mozillasecurity.com/resauth.php/
- https://dl01.mozillasecurity.com/Sier/resauth.php
- https://dl01.mozillasecurity.com/MicrosoftUpdates/6efbb147.php
- https://dl01.mozillasecurity.com/
- https://dev.androidadbserver.com/jurassic/6c67d428.php
- https://cloudieapp.net/cloudie.zip
- https://api1.androidsdkstream.com/foxtrot/61c10953.php
- https://api1.androidsdkstream.com/foxtrot/
- https://adb.androidadbserver.com/jurassic/6c67d428.php
- www.sexyber.net
- www.craftwithme.uk
- http://zclouddrive.com/system/clouddrive/
- http://zclouddrive.com/system/546F9A.php
- http://zclouddrive.com/downloads/CloudDrive_Setup_1.0.1.exe
- http://www.sexyber.net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1.0.0.zip
- http://www.craftwithme.uk/cwmb/d26873c6.php
- http://www.craftwithme.uk/cwmb/craftwithme/
- http://www.craftwithme.uk/cwmb/craftwithme/strong_client.php
- http://ux.androidwebkit.com/kangaroo/8a99d28c.php
- http://tl37.officelibraries.com/resauth.php/
- http://tl37.officelibraries.com/opex/13942BA7.php
- http://tl37.officelibraries.com/Sier/resauth.php
- http://tl37.officelibraries.com/MsWordUpdates/c47d1870.php
- http://sni1.androidmetricsasia.com/voilet/8a99d28c.php
- http://tl37.officelibraries.com/MicrosoftUpdates/741bbfe6.php
- http://sexyber.net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1.0.0.zip
- http://sdk2.sdklibraries.com/golf/c6cf642b.php
- http://moon.playstoreapi.net/indigo/8a99d28c.php
- http://library.androidwebkit.com/kangaroo/8a99d28c.php
- http://jupiter.playstoreapi.net/indigo/8a99d28c.php
- http://jupiter.playstoreapi.net/RB/e7a18a38.php
- http://jun.javacdnlib.com/Quebec/5be977ac.php
- http://jre.jdklibraries.com/hotriculture/671e00eb.php
- http://download.webbucket.co.uk/webbucket/strong_client.php
- http://download.webbucket.co.uk/webbucket/
- http://download.teraspace.co.in/teraspace/
- http://download.webbucket.co.uk/A0B74607.php
- http://download.teraspace.co.in/78181D14.php
- http://download.sexyber.net/0fb1e3a0.php
- http://download.sexyber.net/sexyber/sexyberC.php
- http://download.rockamore.co.uk/m2c/m_client.php
- http://download.cvscout.uk/cvscout/
- http://download.cvscout.uk/cvscout/cvstyler_client.php
- http://download.cvscout.uk/c9a5e83c.php
- http://dl01.mozillasecurity.com/resauth.php/
- http://dl01.windowsupdatecloud.com/opex/7ab24931.php
- http://dl01.mozillasecurity.com/Sier/resauth.php
- http://dl01.mozillasecurity.com/MicrosoftUpdates/6efbb147.php
- http://dl01.mozillasecurity.com/
- http://dev.androidadbserver.com/jurassic/6c67d428.php
- http://cloudieapp.net/cloudie.zip
- http://api1.androidsdkstream.com/foxtrot/61c10953.php
- http://api1.androidsdkstream.com/foxtrot//DataX/
- http://api1.androidsdkstream.com/foxtrot/
- http://adb.androidadbserver.com/jurassic/6c67d428.php
- ux.androidwebkit.com
- tl37.officelibraries.com
- sni1.androidmetricsasia.com
- sdk2.sdklibraries.com
- moon.playstoreapi.net
- library.androidwebkit.com
- jupiter.playstoreapi.net
- jun.javacdnlib.com
- download.webbucket.co.uk
- download.teraspace.co.in
- download.sexyber.net
- download.rockamore.co.uk
- download.cvscout.uk
- dl01.windowsupdatecloud.com
- dl01.mozillasecurity.com
- api1.androidsdkstream.com
- zclouddrive.com
- windowsupdatecloud.com
- webbucket.co.uk
- teraspace.co.in
- sexyber.net
- sdklibraries.com
- playstoreapi.net
- rockamore.co.uk
- officelibraries.com
- jdklibraries.com
- javacdnlib.com
- cvscout.uk
- craftwithme.uk
- cloudieapp.net
- androidsdkstream.com
- androidwebkit.com
- androidmetricsasia.com
- androidadbserver.com
- jre.jdklibraries.com
- dev.androidadbserver.com
- adb.androidadbserver.com
Attack Patterns
- HeavyLift
- GravityRAT - S0237
- Cosmic Leopard
- T1597
- T1588
- T1608
- T1583
- T1557
- T1555
- T1573
- T1598
- T1489
- T1486
- T1083
- T1592
- T1204
- T1056
- T1059
Additional Information
- British Indian Ocean Territory
- India