Cyber spies target Russian aviation firms to steal satellite and GPS data

A cyber-espionage group has been targeting Russian government agencies and companies in the aviation industry to steal sensitive geospatial data, according to a report released this week.

The group, known as HeartlessSoul, has been active since at least September 2025 and has carried out cyberattacks designed to infiltrate Russian organizations and individual users, researchers at Russian cybersecurity firm Kaspersky said.

The attackers appear particularly interested in obtaining geographic information system (GIS) data — specialized file formats that can reveal detailed information about infrastructure such as roads, engineering networks, terrain and potentially strategic facilities. Such files are commonly used by engineering, government and industrial organizations and can contain detailed mapping data.

“Analysis of the HeartlessSoul group’s activity shows a targeted interest by the attackers in enterprises within Russian industry with the aim of obtaining confidential data, particularly geospatial information,” the researchers said.

The hackers primarily gain access through phishing emails containing infected archive files. They also run malicious advertising campaigns that mimic websites offering software used in aviation systems, tricking victims into downloading infected installers.

In some cases, the attackers created domains that imitated aviation-related resources and used them to distribute malware disguised as legitimate software. Once downloaded, the files automatically launch the infection process.

Researchers also found that the group used the legitimate software hosting platform SourceForge to distribute malware. There, the attackers uploaded a fake version of GearUP, a service designed to improve connection quality in online games. Users searching for the tool could instead download a malicious archive that installed spyware.

Once inside a victim’s device, the malware can collect extensive data, including screenshots, keystrokes, browser data and files stored on the system. It can also extract login credentials from the messaging app Telegram and determine the device’s location.

During their investigation, Kaspersky researchers also identified links between HeartlessSoul and another hacking group known as Goffee, which has previously targeted Russian systems and was known for stealing sensitive files from flash drives connected to infected computers.

The overlap may indicate coordinated or related operations, Kaspersky said.

Although Kaspersky said the main target of HeartlessSoul’s recent campaign was the aviation industry, independent Russian cybersecurity analyst Oleg Shakirov said the malware described by the researchers was also distributed through files disguised as FPV drone simulators and tools designed to bypass restrictions on the satellite internet service Starlink.

If confirmed, that could suggest the attacks were aimed not just at aviation companies but at drone operators, communications specialists or other military personnel, he wrote on his Telegram channel.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.