
HeartlessSoul APT Group Compromises Aviation and GIS Firms to Exfiltrate Geospatial Intelligence

1 unique source, 1 article

Summary


A newly identified cyber espionage group, tracked as HeartlessSoul, has conducted targeted phishing and malvertising campaigns against aerospace firms, drone operators, and geospatial intelligence providers since at least September 2025. The group uses fraudulent domains, fake software installers, and a malicious SourceForge project to deliver malware, including a JavaScript RAT and PowerShell scripts, and exploits the Windows LNK shortcut vulnerability (ZDI-CAN-25373). HeartlessSoul's primary objective is to steal geospatial data, such as GIS shape files, GPS data, and proprietary mapping files, from compromised systems, predominantly those associated with Russian government and enterprise entities. This targeting gives adversaries a clear operational advantage: the stolen data supports infrastructure mapping, asset tracking, and the identification of gaps in victims' situational awareness.

Timeline

  1. 11.05.2026 15:00 · 1 article

    HeartlessSoul APT Engages in Multi-Stage Espionage Against GIS and Aviation Sectors

    Between September 2025 and February 2026, the HeartlessSoul APT group conducted targeted phishing and malvertising campaigns against aerospace, drone, and geospatial intelligence firms. The group deployed a JavaScript RAT and PowerShell scripts, exploited the ZDI-CAN-25373 LNK vulnerability, and used a malicious SourceForge project to deliver malware disguised as legitimate aviation or GIS software. Compromised systems were systematically harvested for GIS shape files, GPS data, and proprietary mapping formats, with a primary focus on Russian government and enterprise entities.


Information Snippets

  • HeartlessSoul has been active since at least September 2025, with compromised command-and-control infrastructure observed by Kaspersky Lab as early as February 2026.

    First reported: 11.05.2026 15:00
    1 source, 1 article
  • The group employs multi-stage infection chains, fileless execution techniques, and malicious archives disguised as legitimate aviation software or GIS resources to compromise targets.

    First reported: 11.05.2026 15:00
    1 source, 1 article
  • HeartlessSoul’s infrastructure includes a fraudulent SourceForge project that distributes a malicious archive to victims seeking aviation or GIS tools.

    First reported: 11.05.2026 15:00
    1 source, 1 article
  • Stolen data includes GIS shape files, GPS coordinates, digital geographic relief files, and proprietary GIS mapping formats, which provide detailed insights into infrastructure, terrain, and strategic facilities.

    First reported: 11.05.2026 15:00
    1 source, 1 article
  • The campaign exploits the Windows LNK shortcut vulnerability (ZDI-CAN-25373), a technique increasingly observed in advanced persistent threat (APT) operations.

    First reported: 11.05.2026 15:00
    1 source, 1 article
  • Other Russian cybersecurity firms, including Positive Technologies and BI.ZONE, have independently documented HeartlessSoul, with BI.ZONE referring to the group as Versatile Werewolf.

    First reported: 11.05.2026 15:00
    1 source, 1 article
  • Two additional groups, Paper Werewolf (GOFFEE) and Eagle Werewolf, operate with similar tactics but appear operationally distinct; Paper Werewolf has ties to pro-Ukrainian activity.

    First reported: 11.05.2026 15:00
    1 source, 1 article