A cyber espionage group tracked as HeartlessSoul has quietly compromised aerospace firms and drone operators to exfiltrate geospatial data, terrain models, and GPS information, according to Kaspersky Lab. Current victims are concentrated among Russian government bodies and enterprises, with the operation showing hallmarks of a state-aligned intelligence collection effort rather than a financially motivated or hacktivist campaign.

What Happened

Kaspersky Lab researchers have attributed an ongoing intrusion set to a group dubbed HeartlessSoul, which uses targeted phishing and malvertising lures aimed at operators in the aviation and unmanned aerial sectors. The actor stands up domains and lookalike sites that pose as installers for legitimate aviation software, then delivers a malicious payload. In one notable case, the group went further and planted a fake project on SourceForge, abusing the legitimate download service to distribute a weaponized archive. Kaspersky characterizes the actor as sophisticated, citing multi-stage infection chains, fileless execution, and the specific class of data being exfiltrated.

What Was Taken

The campaign is focused on geospatial intelligence rather than financial or generic corporate data: the material Kaspersky observed being targeted and exfiltrated from aerospace firms and drone operators is geospatial data, terrain models, and GPS information.

Kaspersky reports that affected systems currently belong primarily to Russian government and enterprise organizations, though the targeting profile (aerospace, drones, and mapping data) has obvious applicability beyond a single region.

Why It Matters

Geospatial data has become a high-value target as regional conflicts drive demand for terrain awareness, asset tracking, and counter-drone intelligence. According to Will Baxter, head of product at Team Cymru, the theft of GIS, drone, and aviation data carries downstream value across logistics disruption, infrastructure mapping, asset movement tracking, and operational planning. Baxter highlights what he calls the most under-appreciated angle of GIS theft: operational ground truth. An adversary that captures a victim's own maps and terrain models learns exactly what the victim's analysts believe about routes, infrastructure, and terrain, which in turn exposes gaps in the victim's own situational awareness. Coupled with ongoing GNSS interference in active conflict zones, this class of intrusion has clear military and intelligence utility.

The Attack Technique

HeartlessSoul's tradecraft blends commodity social engineering (targeted phishing, malvertising, lookalike domains posing as aviation software installers, and a fake SourceForge project serving a weaponized archive) with stealthier multi-stage, fileless in-memory follow-on tooling.

This combination of trusted-platform abuse and fileless follow-on stages is consistent with an actor optimizing for persistence and stealth on engineering workstations that routinely pull software from the open internet.

What Organizations Should Do

Aerospace, defense, drone, and geospatial firms should treat GIS and GNSS data as crown-jewel assets and tighten controls accordingly:

  1. Inventory and classify GIS, terrain, flight log, and GPS datasets, and restrict access to a least-privilege subset of engineers and analysts.
  2. Enforce application allowlisting on engineering and operations workstations to block trojanized installers, even when downloaded from reputable services like SourceForge.
  3. Hunt for fileless execution patterns: suspicious PowerShell, WMI, in-memory .NET loads, and unexpected parent-child process chains from installer binaries.
  4. Monitor egress for bulk transfers of geospatial file types (e.g., .shp, .geotiff, .kml, .gpx, .las) and proprietary mission planning formats to untrusted destinations.
  5. Train aviation and drone staff specifically on aviation-themed lures, lookalike domains, and malvertising risk when sourcing tools and datasets.
  6. Validate the provenance of third-party software, prefer vendor-signed downloads over aggregator sites, and verify hashes for any installer pulled from open repositories.
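The following script is an added example, not code from Kaspersky, Team Cymru, or the article, showing how recommendations 3, 4, and 6 above translate into concrete hunt logic. It runs three checks over constructed sample data: installer-to-script-host process chains and fileless PowerShell flags, bulk egress of geospatial file types to untrusted destinations, and SHA-256 verification of a downloaded installer. The event records, the installer/script-host name patterns, the trusted-destination list, and the 500 MiB bulk threshold are all assumptions chosen for illustration and should be tuned to your own telemetry.

```python
"""Hunt checks for the tradecraft described above. All events, flows and
thresholds below are constructed samples / assumptions, not real telemetry."""
import hashlib
import re
from collections import defaultdict

# --- 3. Fileless execution and suspicious installer parent-child chains ---

# Constructed Sysmon-style process-creation events (not real data).
PROCESS_EVENTS = [
    {"host": "eng-ws-07", "parent": r"C:\Users\alice\Downloads\FlightPlanner-setup.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -EncodedCommand SQBFAFgAIAAoAE4A..."},
    {"host": "eng-ws-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\QGIS\bin\qgis-bin.exe", "cmdline": "qgis-bin.exe"},
    {"host": "eng-ws-12", "parent": r"C:\Users\bob\Downloads\gcs-installer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "rundll32 C:\\Users\\bob\\AppData\\Local\\Temp\\st.dll,Run"'},
    {"host": "eng-ws-03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Projects"},
]

# Assumed naming pattern for installer binaries (tune to your environment).
INSTALLER_RE = re.compile(r"(setup|install|installer|msiexec)[^\\]*\.exe$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Flags commonly seen with in-memory / obfuscated PowerShell stages.
FILELESS_FLAGS = re.compile(
    r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|"
    r"\biex\b|invoke-expression|downloadstring|frombase64string", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt_process_chains(events):
    """Return (host, child image, reasons) for installer->script-host chains
    and PowerShell invocations carrying fileless/obfuscation flags."""
    hits = []
    for ev in events:
        reasons = []
        child = basename(ev["image"])
        if INSTALLER_RE.search(ev["parent"]) and child in SCRIPT_HOSTS:
            reasons.append("installer spawned script host")
        if child in {"powershell.exe", "pwsh.exe"} and FILELESS_FLAGS.search(ev["cmdline"]):
            reasons.append("fileless/obfuscated PowerShell flags")
        if reasons:
            hits.append((ev["host"], child, reasons))
    return hits


# --- 4. Bulk egress of geospatial file types to untrusted destinations ---

# Constructed per-file egress flow records (not real data).
EGRESS_FLOWS = [
    {"host": "eng-ws-07", "dst": "203.0.113.45", "filename": "terrain_tiles_north.geotiff", "bytes": 850_000_000},
    {"host": "eng-ws-07", "dst": "203.0.113.45", "filename": "mission_area.kml", "bytes": 2_000_000},
    {"host": "eng-ws-07", "dst": "203.0.113.45", "filename": "survey_2024.las", "bytes": 400_000_000},
    {"host": "eng-ws-12", "dst": "gis.corp.example", "filename": "parcels.shp", "bytes": 900_000_000},
    {"host": "eng-ws-03", "dst": "203.0.113.45", "filename": "quarterly.xlsx", "bytes": 5_000_000},
]
GEO_EXT = {".shp", ".shx", ".dbf", ".geotiff", ".tif", ".kml", ".kmz", ".gpx", ".las", ".laz"}
TRUSTED_DST = {"gis.corp.example"}          # assumed internal GIS server
BULK_BYTES = 500 * 1024 * 1024              # assumed threshold per host/destination pair


def hunt_geo_egress(flows, threshold=BULK_BYTES):
    """Sum geospatial-file bytes per (host, dst) pair, excluding trusted
    destinations, and return pairs at or above the bulk threshold."""
    totals = defaultdict(int)
    for f in flows:
        ext = "." + f["filename"].rsplit(".", 1)[-1].lower()
        if ext in GEO_EXT and f["dst"] not in TRUSTED_DST:
            totals[(f["host"], f["dst"])] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total >= threshold}


# --- 6. Provenance check for installers pulled from open repositories ---

def verify_installer(data: bytes, expected_sha256: str) -> bool:
    """True only if the download's SHA-256 matches the vendor-published digest."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256.strip().lower()


if __name__ == "__main__":
    for host, child, reasons in hunt_process_chains(PROCESS_EVENTS):
        print(f"[proc] {host}: {child} -> {', '.join(reasons)}")
    for (host, dst), total in hunt_geo_egress(EGRESS_FLOWS).items():
        print(f"[egress] {host} -> {dst}: {total / 2**20:.0f} MiB of geospatial files")
    # Known digest of the bytes b"abc", standing in for a vendor-published hash.
    print("[hash] ok" if verify_installer(
        b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad") else "[hash] MISMATCH")
```

The process-chain rule deliberately keys on the parent being an installer rather than on the child alone, because PowerShell launched from an installer is the step in the described chain that a plain "PowerShell ran" alert would bury in noise; the egress rule aggregates per host/destination pair so that a dataset split across many moderately sized files still crosses the threshold.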

Sources: Cyber Espionage Group Targets Aviation Firms to Steal Map Data