
Russian Aerospace & Defense Faces Assault as Operation CargoTalon Unleashes EAGLET Implant Deployment

A newly uncovered cyber-espionage campaign, dubbed “Operation CargoTalon,” is targeting Russia’s aerospace and defense sectors with a technically advanced attack chain.

SEQRITE Labs’ APT-Team has identified multiple spear-phishing incidents targeting high-value personnel within the Voronezh Aircraft Production Association (VASO), a significant entity in the Russian aerospace industry.

The campaign leverages weaponized consignment note files, key documents in Russian logistics, to trick victims into deploying a powerful EAGLET malware implant, raising the stakes for critical infrastructure security.

Infection Chain – LNK Files, DLL Implants, and Authentic-Looking Decoys

The attack begins with highly targeted, convincing emails purportedly from a transportation and logistics center.

These messages reference genuine-sounding logistics notes (товарно-транспортная накладная, or TTN) and urge recipients to review critical attachments for impending cargo deliveries.

Infection Chain

Attached is a file titled “Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip” (Transport Consignment Note), which masquerades as a ZIP archive but is, in reality, a malicious DLL implant.

Another key file in the infection chain is a similarly named LNK shortcut. Technical analysis reveals this LNK employs PowerShell to search for and execute the EAGLET implant via the legitimate Windows binary rundll32.exe.

Once triggered, the DLL extracts a decoy Excel document related to “Obltransterminal LLC,” a sanctioned Russian logistics entity, displaying what appears to be an innocuous Russian container inspection form. Meanwhile, the implant initiates its malicious routine behind the scenes.

EAGLET Malware – Data Theft and C2 Communication

Upon execution, EAGLET gathers detailed host information (computer name, hostname, and DNS domain) and crafts a unique GUID to fingerprint each victim system.

It then establishes persistent communication with a command-and-control server (notably 185.225.17.104, hosted in Romania), disguising network traffic with a rare “MicrosoftAppStore/2001.0” User-Agent.

The implant supports a suite of backdoor commands, including remote shell access for code execution, file downloads from the C2 infrastructure, and systematic data exfiltration that posts stolen information and command results directly to the C2 endpoints.
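The two traits described above, PowerShell launching rundll32.exe on a file that is not named as a DLL and beaconing to the C2 with the rare User-Agent, can be turned into simple detection logic. The following is an added example, not code from SEQRITE Labs or from the article; the Sysmon-style event fields and the proxy log format are assumptions, and the sample telemetry is constructed.

```python
# Added example: defender-side checks for two CargoTalon traits over
# constructed sample telemetry. Field names and log layout are assumed.
import re

# Constructed process-creation events (Sysmon-style fields, assumed shape).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\u\Downloads\Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip",#1'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Constructed proxy log lines: client IP, destination IP, quoted User-Agent.
PROXY_LOG = """\
10.0.0.5 93.184.216.34 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 185.225.17.104 "MicrosoftAppStore/2001.0"
10.0.0.9 203.0.113.10 "MicrosoftAppStore/2001.0"
"""

C2_IP = "185.225.17.104"            # C2 address named in the report
RARE_UA = "MicrosoftAppStore/2001.0"  # User-Agent named in the report
# rundll32 given a module whose extension is anything but .dll (e.g. the .zip-named implant)
NON_DLL_MODULE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.(?!dll\b)[a-z0-9]+)"?', re.I)

def flag_rundll32_from_powershell(events):
    """Return module paths where PowerShell spawned rundll32 on a non-.dll file."""
    hits = []
    for ev in events:
        if not ev["Image"].lower().endswith("rundll32.exe"):
            continue
        if not ev["ParentImage"].lower().endswith("powershell.exe"):
            continue
        m = NON_DLL_MODULE.search(ev["CommandLine"])
        if m:
            hits.append(m.group(1))
    return hits

def flag_c2_traffic(log_text):
    """Return (client, dest, reasons) for lines hitting the C2 IP or the rare User-Agent."""
    alerts = []
    for line in log_text.splitlines():
        client, dest, ua = line.split(" ", 2)
        reasons = [r for r, hit in (("known-c2-ip", dest == C2_IP),
                                    ("rare-user-agent", RARE_UA in ua)) if hit]
        if reasons:
            alerts.append((client, dest, ",".join(reasons)))
    return alerts
```

The User-Agent check catches beacons to infrastructure not yet on a blocklist (the third proxy line), which is the point of pairing an indicator match with a behavioural one.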

Furthermore, overlaps in tooling and tactics link this campaign to the “Head Mare” threat actor, which has been identified in previous operations targeting Russian military and governmental entities.

While the infrastructure exhibits historical connections with notorious groups like TA505, researchers conclude that CargoTalon is distinct, although resource sharing is evident.

Outlook

Operation CargoTalon exemplifies how threat groups are escalating their technical sophistication against Russian strategic industries.

By blending credible logistics lures, decoy documentation, and modular implants, UNG0901/Head Mare poses a formidable espionage threat.

The campaign underlines the urgent need for robust phishing defenses and behavioral monitoring across Russia’s aerospace and defense sectors.

IOCs

File-Type | FileName | SHA-256
LNK | Договор_РН83_изменения.pdf.lnk | a9324a1fa529e5c115232cbbc60330d37cef5c20860bafc63b11e14d1e75697c
LNK | Транспортная_накладная_ТТН_№391-44_от_26.06.2025.xls.lnk | 4d4304d7ad1a8d0dacb300739d4dcaade299b28f8be3f171628a7358720ca6c5
DLL | Договор_РН83_изменения.zip | 204544fc8a8cac64bb07825a7bd58c54cb3e605707e2d72206ac23a1657bfe1e
DLL | Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip | 01f12bb3f4359fae1138a194237914f4fcdbf9e472804e428
Priya
