Operation Celestial Force is a long-running espionage campaign operated by a Pakistani threat actor cluster dubbed Cosmic Leopard, leveraging GravityRAT on Android and Windows-based HeavyLift loaders, managed through GravityAdmin panels. The operation targets Indian defense, government, and technology sectors and has expanded across multiple campaigns since 2018, with mobile malware playing an increasingly prominent role. #CosmicLeopard #GravityRAT #HeavyLift #OperationCelestialForce #Talos
Key points
- The campaign uses GravityRAT on Windows and Android, paired with HeavyLift as a loader, all controlled via GravityAdmin panel binaries.
- Cosmic Leopard, a nexus of Pakistani threat actors, is the attributed group behind Operation Celestial Force, with overlaps suspected with Transparent Tribe.
- Infection vectors rely on spear phishing with maldocs and social-media outreach delivering malicious links to GravityRAT or HeavyLift.
- Campaigns are codified under named panels and campaigns (e.g., SIERRA, QUEBEC, FOXTROT, CLOUDINFINITY, SEXYBER, CHATICO) and are managed by GravityAdmin.
- GravityRAT capabilities include device info collection, SMS, calls, and file access, with Android variants expanding to additional mobile-focused espionage.
- HeavyLift functions as a cross-platform loader that installs payloads, uses Electron/JavaScript, and persists via macOS Cron or Windows Scheduled Tasks; it also implements anti-analysis checks.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – “…spear phishing consists of messages sent to targets with pertinent language and maldocs that contain malware such as GravityRAT.”
- [T1566.002] Phishing: Spearphishing Link – “…targeting targets over social media channels, establishing trust with them and eventually sending them a malicious link to download either the Windows- or Android-based GravityRAT or the Windows-based loader, HeavyLift.”
- [T1059.007] Command and Scripting Interpreter – “HeavyLift … consists of JavaScript code carrying out malicious operations on the infected system.”
- [T1548.002] Abusing Elevation Control: Elevation of Privilege – “On execution, HeavyLift will check if it is running on a macOS, and not running as root, it will execute with admin privileges using the command: /usr/bin/osascript -e 'do shell script "bash -c _process_path_" with administrator privileges'.”
- [T1053.003] Cron – “macOS persistence via crontab: crontab -l 2>/dev/null; echo ' */2 * * * * "_filepath_" _arguments_ ' | crontab -.”
- [T1053.005] Scheduled Task: Windows – “The payload received is an EXE file that persists on the system via a scheduled task. The malware will create an XML file for the scheduled tasks with the payload path, arguments and working directory and then use the XML to set up the schedtask: SCHTASKS /Create /XML "_xmlpath_" /TN "_taskname_" /F.”
- [T1497.001] Virtualization/Sandbox Evasion – “anti-analysis checks to see if it’s running in a virtual environment… It checks for the presence of specific keywords before closing if there is a match: Innotek GmbH, VirtualBox, VMware, Microsoft Corporation, HITACHI.”
- [T1071.001] Web Protocols – “GravityRAT’s C2 servers… HTTP… Authentication token when communicating with campaign-specific C2 servers.”
- [T1082] System Information Discovery – “GravityRAT collects device information (IMEI, phone number, network country ISO code, etc.)”
- [T1107] File Deletion – “Delete all contacts, call logs and files related to the malware.”
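The three HeavyLift persistence and elevation commands quoted above are distinctive enough to hunt for in process-creation telemetry. The following is an added detection example, not code from the Talos report; it matches the command shapes described (osascript "with administrator privileges", a two-minute crontab entry piped into crontab -, and SCHTASKS /Create /XML ... /F) against constructed sample command lines and tags each hit with the MITRE ID used in this summary.

```python
import re

# Loose regexes for the HeavyLift command patterns quoted in the summary,
# keyed by the MITRE technique IDs the summary assigns them. Real telemetry
# varies in quoting and spacing, so the patterns avoid exact-string matches.
HEAVYLIFT_PATTERNS = {
    # /usr/bin/osascript -e 'do shell script "bash -c <path>" with administrator privileges'
    "T1548.002": re.compile(
        r"osascript\s+-e\s+.*do shell script.*with administrator privileges", re.I),
    # crontab -l 2>/dev/null; echo ' */2 * * * * "<path>" <args> ' | crontab -
    "T1053.003": re.compile(
        r"crontab\s+-l\s+2>/dev/null;.*\*/2 \* \* \* \*.*\|\s*crontab\s+-", re.I),
    # SCHTASKS /Create /XML "<xmlpath>" /TN "<taskname>" /F
    "T1053.005": re.compile(
        r'\bSCHTASKS(?:\.exe)?\s+/Create\s+/XML\s+(?:"[^"]*"|\S+).*?/TN\s+(?:"[^"]*"|\S+).*?/F\b', re.I),
}


def scan_command_lines(lines):
    """Return (line_no, technique_id, command) for every line matching a HeavyLift pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tid, pattern in HEAVYLIFT_PATTERNS.items():
            if pattern.search(line):
                hits.append((n, tid, line.strip()))
    return hits


# Constructed sample telemetry (not from the report): one process command line per
# entry, mixing HeavyLift-style commands with benign admin activity that must not fire.
SAMPLE_LOG = [
    '/usr/bin/osascript -e \'do shell script "bash -c /Users/u/Library/Caches/hl/app" with administrator privileges\'',
    "crontab -l 2>/dev/null; echo ' */2 * * * * \"/Users/u/Library/Caches/hl/app\" --silent ' | crontab -",
    'SCHTASKS /Create /XML "C:\\Users\\u\\AppData\\Local\\Temp\\task.xml" /TN "Update Check" /F',
    "crontab -l",
    'SCHTASKS /Query /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"',
    "osascript -e 'display notification \"done\"'",
]

if __name__ == "__main__":
    for line_no, tid, cmd in scan_command_lines(SAMPLE_LOG):
        print(f"line {line_no}: {tid}: {cmd}")
```

Feed the scanner with command-line fields from EDR or Sysmon/auditd process events; the benign crontab -l and SCHTASKS /Query lines in the sample show the patterns do not fire on ordinary administration.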
Indicators of Compromise
- [Domain] Malicious domains used by campaigns – mozillasecurity[.]com, officelibraries[.]com
- [Domain] Additional network domains associated with C2/infrastructure – androidmetricsasia[.]com, dl01[.]mozillasecurity[.]com, officelibraries[.]com, javacdnlib[.]com, windowsupdatecloud[.]com, webbucket[.]co[.]uk, craftwithme[.]uk, sexyber[.]net, rockamore[.]co[.]uk, androidsdkstream[.]com, playstoreapi[.]net, sdklibraries[.]com, cvscout[.]uk, zclouddrive[.]com, jdklibraries[.]com, cloudieapp[.]net, androidadbserver[.]com, androidwebkit[.]com, teraspace[.]co[.]in
- [URL] Sample malware delivery / download links – hxxps://zclouddrive[.]com/downloads/CloudDrive_Setup_1[.]0[.]1[.]exe, hxxps://www[.]sexyber[.]net/downloads/7ddf32e17a6ac5ce04a8ecbf782ca509/Sexyber-1[.]0[.]0[.]zip
- [Hash] GravityRAT Android – 36851d1da9b2f35da92d70d4c88ea1675f1059d68fafd3abb1099e075512b45e; 1382997d3a5bb9bdbb9d41bb84c916784591c7cdae68305c3177f327d8a63b71
- [Hash] HeavyLift – 8e9bcc00fc32ddc612bdc0f1465fc79b40fc9e2df1003d452885e7e10feab1ee; ceb7b757b89693373ffa1c46dd96544bdc25d1a47608c2ea24578294bcf1db37
- [Hash] GravityAdmin – 63a76ca25a5e1e1cf6f0ca8d32ce14980736195e4e2990682b3294b125d241cf
Read more: https://blog.talosintelligence.com/cosmic-leopard/