Cyber Spies Target Russian Aviation Firms to Steal Satellite and GPS Data

The Record by Recorded Future, May 1, 2026

Why It Matters

Stealing GIS and satellite data gives adversaries detailed insight into critical infrastructure, potentially compromising Russia’s aviation safety and military logistics. The tactics highlight supply‑chain vulnerabilities that affect global aerospace and defense sectors.

Key Takeaways

  • HeartlessSoul has targeted Russian aviation firms since September 2025
  • Attackers use phishing and malicious ads to deliver fake software installers
  • Malware distributed via SourceForge mimics GearUP, stealing screenshots and credentials
  • Group extracts Telegram login data and device location from infected hosts
  • Links to Goffee suggest coordinated campaigns against Russian geospatial assets

Pulse Analysis

Geospatial intelligence has become a prized commodity in modern cyber‑espionage, and the HeartlessSoul campaign underscores why. GIS files contain layered maps of roads, terrain, and critical facilities, allowing an attacker to reconstruct the physical layout of airports, drone corridors, and satellite ground stations. By compromising these datasets, threat actors can plan reconnaissance, sabotage, or targeted strikes with unprecedented precision, raising the stakes for nations that rely on sophisticated air and space infrastructure.

HeartlessSoul’s operational playbook blends classic phishing with more nuanced supply‑chain subterfuge. Victims receive malicious archives via email or encounter ads that masquerade as aviation‑software downloads. The group’s use of SourceForge to host a counterfeit version of the GearUP tool demonstrates a willingness to exploit trusted open‑source repositories, while the distribution of fake FPV drone simulators and Starlink‑bypass utilities expands the attack surface to hobbyist and military drone operators. Once installed, the malware records screenshots, logs keystrokes, harvests Telegram credentials, and reports the device’s GPS coordinates, creating a comprehensive portrait of the target’s digital and physical environment.

The broader implications extend beyond the immediate victims. By aggregating GIS data from multiple aviation entities, the attackers can piece together a strategic map of Russia’s air mobility network, potentially informing foreign intelligence or sabotage efforts. Organizations worldwide should reassess their software‑supply chain hygiene, enforce multi‑factor authentication for messaging apps, and deploy behavior‑based detection to spot anomalous data exfiltration. As geopolitical tensions drive more state‑aligned cyber campaigns, robust defenses against geospatial data theft will become a critical component of national security and corporate risk management.
