Indian Air Force potentially targeted with info-stealing malware
Researchers have uncovered a new espionage campaign potentially targeting the Indian Air Force with information-stealing malware.
The unidentified threat actor sent phishing emails to its targets with a link to a malicious .zip file supposedly containing data about Su-30 fighter jets. India approved the procurement of these jets last year to bolster its ongoing defense modernization efforts.
“The hackers appear to be exploiting this event to target Indian Air Force professionals,” researchers at the cybersecurity firm Cyble said.
The delivered malware is a variant of Go Stealer, based on open-source malware found on GitHub. However, it includes additional features, such as targeting a variety of browsers — Firefox, Google Chrome, Edge, and Brave — and exfiltrating the stolen data using Slack.
The choice of Slack for covert communications takes advantage of the platform’s widespread use in enterprise networks, researchers said, “enabling malicious activities to seamlessly blend with regular business traffic.”
The attacks were likely targeted, as this stealer focuses specifically on harvesting login credentials and cookies from browsers.
“The targeted nature of this malware suggests a tactical approach aimed at acquiring specific sensitive information from the infected systems,” researchers said.
Cyble couldn’t attribute this campaign to a specific threat actor “due to the limited information available at the moment.” The Indian Air Force hasn’t responded to a request for comment.
The agency is believed to have already fallen victim to cyberattacks. The country’s authorities linked the 2017 crash of an Indian Su-30 aircraft to a cyberattack carried out by "a foreign nation."
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.