A cyber espionage operation dubbed HeartlessSoul has targeted aerospace firms and drone operators, using phishing and malvertising campaigns to deliver malware that masquerades as installers for legitimate aviation software and resources. The attackers created domains and sites that hosted malicious content, and even planted a fake project on SourceForge to lure users into downloading a malicious archive, according to Kaspersky Lab.
The group's apparent goal is to collect geospatial data and related information from compromised systems, and current targets are largely entities tied to the Russian government and enterprises. Kaspersky Lab also noted that the operation employs a multi-stage infection and fileless execution approach, with LNK exploits such as the Windows shortcut zero-day being used in some campaigns.
The researchers say the activity demonstrates a sophisticated threat actor, and comments from Will Baxter of Team Cymru emphasise its potential for broader implications in logistics mapping and asset movement. As geospatial data remains a rising interest for threat groups amid regional conflicts and GNSS interference, defenders are urged to hunt for signs of the attackers and protect crown jewels behind stringent access controls. Kaspersky Lab says it has monitored HeartlessSoul since at least February, with the earliest activity traced to September 2025.