Operation Celestial Force employs mobile and desktop malware to target Indian entities
June 14, 2024, 9:11 a.m.
Tags
External References
Description
Cisco Talos is disclosing a new malware campaign called 'Operation Celestial Force', conducted by a Pakistani nexus of threat actors called 'Cosmic Leopard'. This multi-year operation has been targeting Indian entities and individuals since at least 2018, employing GravityRAT (an Android and Windows malware) and HeavyLift (a Windows malware loader). The campaigns are administered by a tool called GravityAdmin, which manages multiple codenamed campaigns simultaneously. The operation relies on spear phishing and social engineering to infect targets, and its malware suite has been continuously expanded, indicating a high degree of success.
Date
Published: June 14, 2024, 8:31 a.m.
Created: June 14, 2024, 8:31 a.m.
Modified: June 14, 2024, 9:11 a.m.
Indicators
https://zclouddrive.com/system/clouddrive/
https://zclouddrive.com/downloads/CloudDrive_Setup_1.0.1.exe
https://zclouddrive.com/system/546F9A.php
https://www.sexyber.net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1.0.0.zip
https://www.craftwithme.uk/cwmb/d26873c6.php
https://www.craftwithme.uk/cwmb/craftwithme/strong_client.php
https://www.craftwithme.uk/cwmb/craftwithme/
https://ux.androidwebkit.com/kangaroo/8a99d28c.php
https://tl37.officelibraries.com/resauth.php/
https://tl37.officelibraries.com/opex/13942BA7.php
https://tl37.officelibraries.com/Sier/resauth.php
https://tl37.officelibraries.com/MicrosoftUpdates/741bbfe6.php
https://tl37.officelibraries.com/MsWordUpdates/c47d1870.php
https://sni1.androidmetricsasia.com/voilet/8a99d28c.php
https://sexyber.net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1.0.0.zip
https://sdk2.sdklibraries.com/golf/c6cf642b.php
https://moon.playstoreapi.net/indigo/8a99d28c.php
https://library.androidwebkit.com/kangaroo/8a99d28c.php
https://jupiter.playstoreapi.net/indigo/8a99d28c.php
https://jupiter.playstoreapi.net/RB/e7a18a38.php
https://jun.javacdnlib.com/Quebec/5be977ac.php
https://jre.jdklibraries.com/hotriculture/671e00eb.php
https://download.webbucket.co.uk/webbucket/strong_client.php
https://download.webbucket.co.uk/webbucket/
https://download.webbucket.co.uk/A0B74607.php
https://download.teraspace.co.in/teraspace/
https://download.teraspace.co.in/78181D14.php
https://download.sexyber.net/sexyber/sexyberC.php
https://download.sexyber.net/0fb1e3a0.php
https://download.rockamore.co.uk/m2c/m_client.php
https://download.cvscout.uk/cvscout/cvstyler_client.php
https://download.cvscout.uk/cvscout/
https://download.cvscout.uk/c9a5e83c.php
https://dl01.windowsupdatecloud.com/opex/7ab24931.php
https://dl01.mozillasecurity.com/resauth.php/
https://dl01.mozillasecurity.com/Sier/resauth.php
https://dl01.mozillasecurity.com/MicrosoftUpdates/6efbb147.php
https://dl01.mozillasecurity.com/
https://dev.androidadbserver.com/jurassic/6c67d428.php
https://cloudieapp.net/cloudie.zip
https://api1.androidsdkstream.com/foxtrot/61c10953.php
https://api1.androidsdkstream.com/foxtrot/
https://adb.androidadbserver.com/jurassic/6c67d428.php
www.sexyber.net
www.craftwithme.uk
http://zclouddrive.com/system/clouddrive/
http://zclouddrive.com/system/546F9A.php
http://zclouddrive.com/downloads/CloudDrive_Setup_1.0.1.exe
http://www.sexyber.net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1.0.0.zip
http://www.craftwithme.uk/cwmb/d26873c6.php
http://www.craftwithme.uk/cwmb/craftwithme/
http://www.craftwithme.uk/cwmb/craftwithme/strong_client.php
http://ux.androidwebkit.com/kangaroo/8a99d28c.php
http://tl37.officelibraries.com/resauth.php/
http://tl37.officelibraries.com/opex/13942BA7.php
http://tl37.officelibraries.com/Sier/resauth.php
http://tl37.officelibraries.com/MsWordUpdates/c47d1870.php
http://sni1.androidmetricsasia.com/voilet/8a99d28c.php
http://tl37.officelibraries.com/MicrosoftUpdates/741bbfe6.php
http://sexyber.net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1.0.0.zip
http://sdk2.sdklibraries.com/golf/c6cf642b.php
http://moon.playstoreapi.net/indigo/8a99d28c.php
http://library.androidwebkit.com/kangaroo/8a99d28c.php
http://jupiter.playstoreapi.net/indigo/8a99d28c.php
http://jupiter.playstoreapi.net/RB/e7a18a38.php
http://jun.javacdnlib.com/Quebec/5be977ac.php
http://jre.jdklibraries.com/hotriculture/671e00eb.php
http://download.webbucket.co.uk/webbucket/strong_client.php
http://download.webbucket.co.uk/webbucket/
http://download.teraspace.co.in/teraspace/
http://download.webbucket.co.uk/A0B74607.php
http://download.teraspace.co.in/78181D14.php
http://download.sexyber.net/0fb1e3a0.php
http://download.sexyber.net/sexyber/sexyberC.php
http://download.rockamore.co.uk/m2c/m_client.php
http://download.cvscout.uk/cvscout/
http://download.cvscout.uk/cvscout/cvstyler_client.php
http://download.cvscout.uk/c9a5e83c.php
http://dl01.mozillasecurity.com/resauth.php/
http://dl01.windowsupdatecloud.com/opex/7ab24931.php
http://dl01.mozillasecurity.com/Sier/resauth.php
http://dl01.mozillasecurity.com/MicrosoftUpdates/6efbb147.php
http://dl01.mozillasecurity.com/
http://dev.androidadbserver.com/jurassic/6c67d428.php
http://cloudieapp.net/cloudie.zip
http://api1.androidsdkstream.com/foxtrot/61c10953.php
http://api1.androidsdkstream.com/foxtrot//DataX/
http://api1.androidsdkstream.com/foxtrot/
http://adb.androidadbserver.com/jurassic/6c67d428.php
ux.androidwebkit.com
tl37.officelibraries.com
sni1.androidmetricsasia.com
sdk2.sdklibraries.com
moon.playstoreapi.net
library.androidwebkit.com
jupiter.playstoreapi.net
jun.javacdnlib.com
download.webbucket.co.uk
download.teraspace.co.in
download.sexyber.net
download.rockamore.co.uk
download.cvscout.uk
dl01.windowsupdatecloud.com
dl01.mozillasecurity.com
api1.androidsdkstream.com
zclouddrive.com
windowsupdatecloud.com
webbucket.co.uk
teraspace.co.in
sexyber.net
sdklibraries.com
playstoreapi.net
rockamore.co.uk
officelibraries.com
jdklibraries.com
javacdnlib.com
cvscout.uk
craftwithme.uk
cloudieapp.net
androidsdkstream.com
androidwebkit.com
androidmetricsasia.com
androidadbserver.com
jre.jdklibraries.com
dev.androidadbserver.com
adb.androidadbserver.com
Attack Patterns
HeavyLift
GravityRAT - S0237
Cosmic Leopard
T1597
T1588
T1608
T1583
T1557
T1555
T1573
T1598
T1489
T1486
T1083
T1592
T1204
T1056
T1059
Additional Information
British Indian Ocean Territory
India