
EAGLET Backdoor Malware

Cyberespionage continues to evolve, with state-linked threat actors employing increasingly deceptive tactics. One of the latest incidents involves an elaborate campaign aimed at compromising Russia's aerospace and defense sectors, utilizing a custom backdoor named EAGLET for covert surveillance and data theft.

Target Identified: Russian Aerospace Under Siege

The campaign, known as Operation CargoTalon, has been attributed to a threat cluster labeled UNG0901 (Unknown Group 901). This group has set its sights on the Voronezh Aircraft Production Association (VASO), a major Russian aircraft manufacturing entity. The attackers employ spear-phishing tactics that exploit 'товарно-транспортная накладная' (TTN) documents, a type of cargo transport form critical to logistics operations within Russia.

How the Attack Unfolds: Weaponized Lures and Malware Deployment

The infection chain begins with spear-phishing emails that contain fake cargo delivery-themed content. These messages include ZIP archives housing a Windows shortcut (LNK) file. When executed, the LNK file uses PowerShell to launch a decoy Microsoft Excel document while simultaneously installing the EAGLET DLL backdoor on the compromised system.

The decoy document references Obltransterminal, a Russian railway container terminal operator sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in February 2024—a move likely intended to add credibility and urgency to the lure.

Inside EAGLET: Capabilities and C2 Communication

The EAGLET backdoor is a stealthy implant designed for intelligence gathering and persistent access. Its capabilities include:

  • Collecting system information
  • Connecting to a hardcoded C2 server at IP address 185.225.17.104
  • Parsing HTTP responses to retrieve commands for execution

The implant features interactive shell access and supports file upload/download operations. However, due to the current offline status of the Command-and-Control (C2) server, analysts have not been able to determine the full scope of possible next-stage payloads.

Ties to Other Threat Actors: EAGLET and Head Mare

Evidence suggests that UNG0901 is not operating in isolation. Similar campaigns deploying EAGLET have been observed targeting additional entities in Russia's military sector. These operations reveal connections to another threat group known as Head Mare, identified for its focus on Russian organizations.

Key indicators of overlap include:

  • Source code similarities between EAGLET and Head Mare toolsets
  • Shared naming conventions in phishing attachments
  • Functional resemblances between EAGLET and PhantomDL, a Go-based backdoor known for its shell and file-transfer capabilities

Key Takeaways: Warning Signs and Persistent Threats

This campaign highlights the increasing precision of spear-phishing operations, especially those using domain-specific lures such as TTN documents. The use of sanctioned entities in decoy files, combined with custom malware like EAGLET, illustrates a growing trend in highly targeted espionage campaigns aimed at critical infrastructure.

Indicators of compromise and red flags to watch for:

  • Emails referencing cargo or delivery documents from sanctioned Russian entities.
  • Suspicious ZIP attachments containing LNK files that execute PowerShell commands.
  • Outbound connections to unfamiliar IPs.
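The two indicator types listed above (ZIP attachments carrying LNK shortcuts, and outbound traffic to the hardcoded EAGLET C2 address) can be turned into simple triage checks. The following Python script is an added example written for this page, not code from the original report or from the analysts who documented the campaign. The C2 address is the one quoted above; the archive contents, the firewall log format and the sample log lines are constructed for the example, and the LNK detection relies only on the public Shell Link header signature.

```python
"""Defensive triage helpers for the EAGLET indicators described above:
ZIP attachments that carry Windows shortcut (LNK) files, and outbound
connections to the hardcoded C2 address. Added example, not code from the
original report; all sample data below is constructed."""
import io
import re
import zipfile

# The C2 address comes from the report; everything else here is constructed.
EAGLET_C2_IPS = {"185.225.17.104"}

# A Shell Link file starts with HeaderSize 0x0000004C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 (mixed-endian GUID).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def find_lnk_members(zip_bytes: bytes) -> list:
    """Return names of archive members that look like LNK shortcuts, matched
    by extension or by file signature (a renamed .lnk still carries the magic)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                hits.append(info.filename)
    return hits


# Constructed firewall line layout: "<timestamp> src=IP dst=IP:PORT proto=tcp|udp"
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+):(?P<port>\d+)\s+proto=(?P<proto>\S+)"
)


def find_c2_connections(log_lines, watchlist=EAGLET_C2_IPS) -> list:
    """Return (src, dst, port) tuples for flows whose destination is watchlisted."""
    matches = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in watchlist:
            matches.append((m.group("src"), m.group("dst"), int(m.group("port"))))
    return matches


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure layout: a decoy spreadsheet name,
    a shortcut, a shortcut renamed to look like a PDF, and a harmless text file.
    The shortcut bodies are only the LNK header, not a working shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TTN_12345.xlsx", b"not a real workbook")
        zf.writestr("TTN_12345.lnk", LNK_MAGIC + b"\x00" * 16)
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 16)  # signature-only hit
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


SAMPLE_LOGS = [  # constructed firewall lines
    "2025-07-01T10:00:01 src=10.0.0.5 dst=93.184.216.34:443 proto=tcp",
    "2025-07-01T10:00:07 src=10.0.0.5 dst=185.225.17.104:80 proto=tcp",
    "2025-07-01T10:00:09 src=10.0.0.9 dst=10.0.0.1:53 proto=udp",
]

if __name__ == "__main__":
    print("LNK members:", find_lnk_members(build_sample_zip()))
    print("C2 flows:", find_c2_connections(SAMPLE_LOGS))
```

Matching on the LNK header rather than only the extension matters because an attachment can rename a shortcut to a document-like name; the archive check above flags `invoice.pdf` for that reason. The log matcher is deliberately a plain watchlist lookup so it can be fed any flow records once the regex is adapted to the local log format.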

Cybersecurity professionals should remain alert to the evolving tactics of threat actors like UNG0901, especially as they target sensitive sectors with customized malware implants and overlapping toolkits.
