Executive Summary
In May 2026, the cyber-espionage group known as HeartlessSoul targeted Russian aviation firms and government agencies to steal sensitive geospatial data. Utilizing phishing emails and malicious advertising campaigns, they distributed malware disguised as legitimate aviation software, including a counterfeit version of GearUP on SourceForge. Once installed, the malware exfiltrated Geographic Information System (GIS) files, GPS data, and other critical infrastructure information. (therecord.media)
This incident underscores the increasing focus of cyber-espionage groups on geospatial data, highlighting the need for enhanced cybersecurity measures in sectors reliant on such information. The use of legitimate platforms like SourceForge for malware distribution also emphasizes the evolving tactics of threat actors. (therecord.media)
Why This Matters Now
The HeartlessSoul campaign highlights the urgent need for aviation and government sectors to bolster defenses against sophisticated cyber-espionage tactics targeting geospatial data. The exploitation of trusted platforms for malware distribution signifies an evolving threat landscape requiring immediate attention. (therecord.media)
Attack Path Analysis
HeartlessSoul gained initial access through phishing emails and malicious advertisements that delivered JavaScript-based remote access Trojans (JS-RATs) and PowerShell scripts, in part by abusing the Windows shortcut (.LNK) flaw tracked as ZDI-CAN-25373 (CVE-2025-9491), in which whitespace-padded command-line arguments keep the real command out of view in the shortcut's Properties dialog. With a foothold, the group used compromised credentials and further system weaknesses to escalate privileges, then moved laterally to the databases and workstations used for Geographic Information System (GIS) analysis. Command-and-control channels kept that access persistent, and the operators exfiltrated GIS shapefiles, digital relief (elevation) files, and GPS data to external servers. The impact was the theft of geospatial information whose loss could affect national security and industrial operations.
Kill Chain Progression
Initial Compromise
Description
HeartlessSoul initiated the attack with phishing campaigns and malicious advertisements that delivered JavaScript-based remote access Trojans (JS-RATs) and PowerShell scripts, exploiting the Windows shortcut vulnerability tracked as ZDI-CAN-25373 (CVE-2025-9491).
Related CVEs
CVE-2025-9491
CVSS 7.8
A vulnerability in Microsoft Windows LNK files allows remote attackers to execute arbitrary code by crafting malicious .LNK files that conceal hazardous content, leading to code execution in the context of the current user.
Affected Products:
Microsoft Windows – All supported versions
Exploit Status:
exploited in the wild
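The CVE entry above describes .LNK files that conceal what they run. The concealment behind ZDI-CAN-25373 is whitespace padding of the shortcut's command-line arguments, so a practical check is to parse the shortcut yourself rather than trust the Properties dialog. The following is an added example written for this page (not code from the article, from Microsoft, or from any vendor tool): a minimal MS-SHLLINK parser that extracts COMMAND_LINE_ARGUMENTS and flags padding. The threshold, the sample shortcuts and the hidden command inside them are constructed assumptions, not artifacts from the campaign.

```python
"""Flag .LNK files that hide their real command line with whitespace padding.

Added example for this page (not code from the original article or from any
vendor): a minimal MS-SHLLINK parser that pulls out COMMAND_LINE_ARGUMENTS and
scores it for the padding trick behind ZDI-CAN-25373 / CVE-2025-9491, where
the Windows Properties dialog shows only the first part of the Target field.
Thresholds and the sample shortcuts below are assumptions constructed here.
"""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData entries appear in this fixed order, each only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

PAD_CHARS = " \t\n\r\x0b\x0c"       # whitespace the dialog renders as blank
CONTROL_CHARS = "\n\r\x0b\x0c"      # line breaks have no place in a real command line
PAD_THRESHOLD = 64                  # assumption: tune against your own shortcut corpus


def _read_string(data, off, unicode):
    """StringData entry: 2-byte CountCharacters followed by the unterminated string."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        end = off + count * 2
        return data[off:end].decode("utf-16-le"), end
    end = off + count
    return data[off:end].decode("latin-1"), end


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields


def analyze_arguments(args):
    """Return the reasons the arguments look padded; an empty list means clean."""
    reasons = []
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    if leading >= PAD_THRESHOLD:
        reasons.append(f"{leading} leading whitespace characters before the real arguments")
    control = sum(args.count(c) for c in CONTROL_CHARS)
    if control:
        reasons.append(f"{control} line-break/control characters embedded in arguments")
    return reasons


def scan_lnk(data):
    """Parse one .LNK and report whether its arguments are hidden by padding."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    reasons = analyze_arguments(args)
    return {
        "relative_path": fields.get("relative_path", ""),
        "arguments": args.strip(PAD_CHARS),       # what the shell actually runs
        "padding": len(args) - len(args.strip(PAD_CHARS)),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .LNK (sample data for this example only)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=1 (SW_SHOWNORMAL)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: a plausible benign launcher and a padded one in the
# style reported for this flaw (the hidden command below is made up).
BENIGN_LNK = build_lnk("..\\..\\Program Files\\GearUP\\GearUP.exe", "--minimized")
PADDED_LNK = build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    " " * 900 + "\n" + "/c powershell.exe -NoProfile -WindowStyle Hidden -File update.ps1")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        r = scan_lnk(blob)
        print(f"{label}: suspicious={r['suspicious']} padding={r['padding']} "
              f"args={r['arguments'][:60]!r} reasons={r['reasons']}")
```

To sweep a mailbox export or a download directory, read each `.lnk` into `scan_lnk()` and alert on `suspicious`; the parser skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, so it handles ordinary shortcuts as well as the stripped-down ones built here. Pair the static check with a process-creation rule for `cmd.exe` or `powershell.exe` spawned from `explorer.exe` with an unusually long command line.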
MITRE ATT&CK® Techniques
Spearphishing Attachment (T1566.001)
Web Protocols (T1071.001)
PowerShell (T1059.001)
Malicious File (T1204.002)
Data from Local System (T1005)
Automated Exfiltration (T1020)
Match Legitimate Name or Location (T1036.005)
Valid Accounts (T1078)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Airlines/Aviation
Primary target of HeartlessSoul espionage campaign stealing GIS mapping data, GPS coordinates, and aviation software through sophisticated phishing attacks against aerospace firms.
Aviation/Aerospace
Direct targeting by cyber espionage groups using malicious aviation software installers to exfiltrate geospatial intelligence, terrain models, and flight-planning data for reconnaissance.
Defense/Space
Critical geospatial intelligence theft targeting drone operators and defense contractors exposes strategic infrastructure mapping, operational routes, and military asset positioning capabilities.
Government Administration
State-sponsored actors stealing GIS files and terrain data compromise government intelligence capabilities, revealing analytical blind spots and strategic infrastructure vulnerabilities to adversaries.
Sources
- Cyber Espionage Group Targets Aviation Firms to Steal Map Data – https://www.darkreading.com/vulnerabilities-threats/cyber-espionage-group-aviation-firms-steal-map-data
- New Windows zero-day exploited by 11 state hacking groups since 2017 – https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/
- NVD - CVE-2025-9491 – https://nvd.nist.gov/vuln/detail/CVE-2025-9491
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate sensitive geospatial data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities and deploy malicious scripts may have been constrained, reducing the likelihood of successful initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of access to critical systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network may have been constrained, limiting access to critical GIS databases and workstations.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels could have been detected and disrupted, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive geospatial data may have been prevented, limiting the unauthorized transfer of critical information.
Taken together, these controls could have limited the unauthorized access to and theft of geospatial information, reducing the potential impact on national security and industrial operations.
Impact at a Glance
Affected Business Functions
- Flight Operations
- Geospatial Data Analysis
- Engineering and Maintenance
Estimated downtime: 7 days
Estimated loss: $5,000,000
Data at risk: geospatial mapping data, GPS coordinates, and terrain models of strategic infrastructure.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network, limiting attackers' ability to reach sensitive systems.
- Deploy East-West Traffic Security controls to monitor and control internal traffic, detecting and blocking unauthorized communications.
- Use Egress Security & Policy Enforcement to control outbound traffic, preventing data exfiltration to unauthorized destinations.
- Strengthen Threat Detection & Anomaly Response capabilities to identify and respond to malicious activity promptly.
- Ensure Encrypted Traffic (HPE) is in place to protect data in transit, mitigating the risk of interception.