Cyber Espionage Group Targets Aviation Firms to Steal Map Data

VULNERABILITIES & THREATS CYBER RISK CYBERATTACKS & DATA BREACHES ICS/OT SECURITY NEWS Cyber Espionage Group Targets Aviation Firms to Steal Map Data The campaign quietly compromises aerospace and drone operators to exfiltrate GIS files, terrain models, and GPS data and gain a clear picture of adversaries' world view. Robert Lemos,Contributing Writer May 11, 2026 4 Min Read SOURCE: DC STUDIO VIA SHUTTERSTOCK As cyber operations continue to support regional conflicts, threat groups are targeting a wider range of information, including geospatial mapping and global positioning systems (GPS) data that can be used to locate enemy assets and gather information on a rival's own intelligence capabilities, cybersecurity firms warn. One cyber espionage group has used specially crafted phishing and malvertising campaigns to target aerospace firms and drone operators by creating domains and sites that host malware that appears to be installers for legitimate aviation software and resources, according to Kaspersky Lab. The group, dubbed HeartlessSoul, even planted a fake project on SourceForge, a legitimate download service, that resulted in the downloading of a malicious archive. The ultimate goal of the group appears to be collecting geospatial data and information from compromised systems, currently mainly belonging to the Russian government and enterprises, Kaspersky Lab tells Dark Reading. Related:Why Security Leadership Makes or Breaks a Pen Test "[T]his actor is a sophisticated one: combined multi-stage infection, fileless execution and the data the group targets, confirms that it is not just a hacktivist or criminal group, but a motivated group posing a serious threat to organizations," the cybersecurity firm said in its response. With several ongoing regional military conflicts and an increase in interference with global navigation satellite systems (GNSS), geospatial data has become a more common, if not popular, target for some threat groups. In 2024, for example, the cybercriminal hacker IntelBroker claimed to have breached Space-Eyes, a Miami-based geospatial intelligence firm, although analysts have cast doubt on some of the hacker's claimed exploits. IntelBroker, later identified as British national Kai West, was arrested in June 2025. The espionage campaigns show signs of sophistication and align with the concerns of nation-states, says Will Baxter, head of product for threat intelligence firm Team Cymru. "The targeting of GIS, drone, and aviation data points to an intelligence-collection or defense-oriented angle, with downstream value across logistics disruption, infrastructure mapping, asset movement tracking, and operational planning," he says. "The most under-appreciated value in GIS theft is operational ground truth — the adversary gets to see exactly what the victim's own analysts believe about terrain, infrastructure, and routes, which lets them model gaps in the victim's own awareness." Hackers Steal Geospatial Files, Hidden Commands Related:How Dark Reading Lifted Off the Launchpad in 2006 Once the attackers gain access to databases and workstations used for GIS analysis, HeartlessSoul downloads a variety of common document types, but also some rather uncommon types, including GPS data, Geographic Information System (GIS) shape files, digital geographic relief files, and some proprietary GIS mapping files, Kaspersky Lab stated in its report (in Russian). "Such GIS files ... allow you to obtain information about infrastructure — roads, engineering networks, terrain, as well as strategic objects, and provide confidential data in engineering, state and industrial organizations," the company stated (Google translated) in the analysis. The attackers used a variety of common techniques in their efforts to compromise systems, including a JavaScript remote access Trojan (RAT) and PowerShell scripts for executing common tasks. Some of the malicious LNK files used a Windows shortcut exploit (ZDI-CAN-25373), which has become popular in advanced persistent threat (APT) campaigns. Kaspersky Lab has monitored the group through compromised command-and-control infrastructure since at least February. The company traced the group's earliest activities back to at least September 2025. Attribution in Aviation Attacks Remains Uncertain Related:Another AI-Assisted Software Scan Yields 9-Year-Old Linux Bug While no Western cybersecurity vendors have identified a group that matches HeartlessSoul, two other Russian cybersecurity firms — Positive Technologies and BI.ZONE — have documented the threat group, with the latter naming the group Versatile Werewolf. Two other threat groups, Paper Werewolf and Eagle Werewolf, also target drone-focused forums and chat channels, such as Telegram, as well as Russian citizens seeking to bypass restrictions on Starlink devices, according to a BI.ZONE analysis. None of the three companies have publicly attributed the attacks. Paper Werewolf, also known as GOFFEE, appears to link to pro-Ukrainian groups, which initially targeted Russian defense contractors. BI.ZONE noted that the three groups, while given similar names and have adopted similar techniques, appear to be operating autonomously. Defenders should focus on mounting a practical response, hunting for signs of the attackers, and find operational-security failures, Baxter says. Additionally, companies and agencies that use GIS data should protect their crown jewels, focusing on putting specific assets such as flight-planning software behind zero-trust security measures like identity-bound access with egress monitoring, and segmenting engineering networks from general business networks, he says. The business will benefits from reducing operation risk for the most critical systems, without forcing non-critical environments to bear the burden of zero trust for no significant benefit. "It's an asymmetric investment in the small set of workstations that touch crown-jewel data," Baxter says. "Most businesses need flexibility and scale, and a textbook zero-trust posture on every drone-operator or field workstation isn't realistic." Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now! About the Author Robert Lemos Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You How Well Can You See What's in Your Cloud? Implementing CTEM: Beyond Vulnerability Management More Webinars You May Also Like VULNERABILITIES & THREATS Cheap Hardware Module Bypasses AMD, Intel Memory Encryption by Rob Wright NOV 25, 2025 VULNERABILITIES & THREATS Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs by Jai Vijayan, Contributing Writer NOV 11, 2025 VULNERABILITIES & THREATS Microsoft Issues Emergency Patch for Critical Windows Server Bug by Rob Wright OCT 24, 2025 VULNERABILITIES & THREATS 350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE by Nate Nelson, Contributing Writer JUL 11, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE LOADING... RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET How Well Can You See What's in Your Cloud? THURS, JUNE 4, 2026 AT 1:00PM EST Implementing CTEM: Beyond Vulnerability Management THURS, MAY 21, 2026 AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS