CargoTalon: New Cyber-Espionage Campaign Targets Russian Aviation with Stealthy DLL Implants

Experts at SEQRITE Labs have uncovered a large-scale cyber-espionage campaign dubbed CargoTalon, specifically targeting personnel within a key enterprise of Russia’s aviation industry. The operation employs highly targeted phishing techniques, disguised as essential logistics documents critical to the nation’s internal supply chains.

The investigation began on June 27, when a suspicious email surfaced on VirusTotal. The message, formatted as official correspondence from a fictitious Transport and Logistics Center, included attachments mimicking standard freight documentation (TTN, the Russian consignment note), fostering immediate trust among employees accustomed to handling such forms.

The email carried an attachment titled backup-message-10.2.2.20_9045-800282.eml along with a prompt urging the recipient to prepare for cargo receipt. Instead of a conventional ZIP archive, the body of the email concealed a malicious DLL file disguised as a compressed folder, bearing the name Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip. A shortcut (LNK) file with a matching name was also attached, serving as the entry point for the malicious payload.

The infection sequence was executed with meticulous sophistication. Upon activation, the LNK file triggered a PowerShell script that scanned directories such as %USERPROFILE% and %TEMP% for the embedded implant. During execution, it extracted a 59,904-byte Excel document from a specific offset within the DLL and saved it with a .xls extension, presenting it to the user as a legitimate logistics form.
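Two things in the chain above are cheap to check on the defender's side: the attachment's name promised a ZIP while its bytes were a PE DLL, and that DLL carried a whole legacy Excel document at a fixed offset. The script below is an added triage example, not code from SEQRITE or from the campaign; it flags an extension/magic mismatch and locates and carves an embedded OLE compound document (the container format of .xls) so an analyst can inspect the decoy without running the loader. The sample "DLL" bytes, the offset (4002) and the embedded document's size are constructed for the example; the sector-boundary carving rule is a heuristic, since the exact length would need the document's FAT walked.

```python
import os
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 compound file header (legacy .xls/.doc)
MAGIC_BY_TYPE = {
    "pe": b"MZ",
    "zip": b"PK\x03\x04",
    "ole": OLE_MAGIC,
}
EXPECTED_TYPE = {".zip": "zip", ".dll": "pe", ".exe": "pe", ".xls": "ole"}


def actual_type(data: bytes) -> str:
    """Classify a blob by its leading magic bytes, ignoring the file name entirely."""
    for kind, magic in MAGIC_BY_TYPE.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one container but the bytes are another."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_TYPE.get(ext)
    return expected is not None and actual_type(data) != expected


def ole_header_ok(data: bytes, offset: int) -> bool:
    """Sanity-check OLE header fields so a stray 8-byte match is not reported."""
    hdr = data[offset:offset + 512]
    if len(hdr) < 512:
        return False
    byte_order, sector_shift, mini_shift = struct.unpack_from("<HHH", hdr, 28)
    return byte_order == 0xFFFE and sector_shift in (9, 12) and mini_shift == 6


def find_embedded_ole(data: bytes) -> list:
    """Offsets of plausible OLE compound documents embedded anywhere in the blob."""
    hits = []
    pos = data.find(OLE_MAGIC)
    while pos != -1:
        if ole_header_ok(data, pos):
            hits.append(pos)
        pos = data.find(OLE_MAGIC, pos + 1)
    return hits


def carve_ole(data: bytes, offset: int) -> bytes:
    """Carve from offset down to the last full sector boundary.

    Heuristic: compound files are a 512-byte header plus whole sectors, so
    trailing bytes smaller than one sector are loader junk, not document.
    """
    sector_shift = struct.unpack_from("<H", data, offset + 30)[0]
    sector = 1 << sector_shift
    avail = len(data) - offset
    return data[offset:offset + (avail // sector) * sector]


def build_sample() -> bytes:
    """Constructed stand-in for the malicious DLL: fake PE, padding, embedded doc, junk."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHH", hdr, 28, 0xFFFE, 9, 6)   # little-endian, 512-byte sectors
    ole = bytes(hdr) + b"\x01" * 1024                 # header + two data sectors
    return b"MZ" + b"\x90" * 4000 + ole + b"\xFF" * 100


if __name__ == "__main__":
    blob = build_sample()
    name = "Transport_note_TTN.zip"   # constructed name mirroring the lure's pattern
    print("mismatch:", extension_mismatch(name, blob), "actual:", actual_type(blob))
    for off in find_embedded_ole(blob):
        doc = carve_ole(blob, off)
        print(f"embedded OLE at offset {off}, carved {len(doc)} bytes")
```

On a real mail gateway the mismatch check alone is enough to quarantine the message; the carving step is for the analyst who wants the decoy document as evidence of what the target was meant to see.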

The fake document appeared authentic, displaying container receipt data, damage codes like “Crack” or “Through Corrosion,” and schematics, all styled to align with Russian regulatory standards. The file convincingly impersonated a report from the company Obltransterminal.

Behind this facade lurked a C++-written malicious module known as EAGLET — a DLL implant designed for intelligence gathering and remote machine control. Once launched, it generated a unique GUID, harvested device names, hostnames, and domain information, and established persistence by creating a directory at C:/ProgramData/MicrosoftAppStore/.

From there, the implant operated silently in the background. It initiated separate threads to connect to a command-and-control (C2) server using standard Windows APIs such as WinHttpOpen and WinHttpConnect. The traffic was disguised with a counterfeit User-Agent string, MicrosoftAppStore/2001.0, communicating via IP address 185.225.17.104 on port 80.

Commands were fetched through GET requests whose parameters carried the implant's GUID and domain metadata; the responses could direct it to execute shell commands and download files, and the results were sent back in POST requests with base64-encoded bodies.
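The beacon described in the two paragraphs above leaves a recognisable trail in any web proxy log: a fixed counterfeit User-Agent, plain HTTP to a single IP on port 80, GUID-bearing GET queries and base64 POST bodies. The detector below is an added example written for this article, not SEQRITE's or any vendor's rule; the tab-separated log format and the three log lines are constructed, the indicators come from the report, and because the report does not name the query parameter that carries the GUID, the rule matches on the GUID value shape rather than a parameter name.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators from the report.
C2_IP = "185.225.17.104"
C2_PORT = 80
FAKE_USER_AGENT = "MicrosoftAppStore/2001.0"

# GUID-shaped token anywhere in a query string (parameter name is an assumption).
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

# Constructed proxy log, tab-separated:
# time, client, method, dst_ip, dst_port, url, user_agent, request_body (base64 or '-')
SAMPLE_LOG = """\
2025-06-27T10:15:03Z\t10.0.0.5\tGET\t185.225.17.104\t80\t/?g=4f2c9d8e-1a2b-4c3d-9e8f-0a1b2c3d4e5f&d=CORP\tMicrosoftAppStore/2001.0\t-
2025-06-27T10:15:09Z\t10.0.0.5\tPOST\t185.225.17.104\t80\t/\tMicrosoftAppStore/2001.0\taG9zdG5hbWU9V1MwMTtkb21haW49Q09SUA==
2025-06-27T10:16:00Z\t10.0.0.7\tGET\t203.0.113.10\t443\t/index.html\tMozilla/5.0\t-
"""


@dataclass
class Finding:
    line_no: int
    client: str
    reasons: list = field(default_factory=list)
    decoded_body: Optional[str] = None


def parse_line(line: str) -> dict:
    """Split one constructed log line into named fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8:
        raise ValueError(f"malformed log line: {line!r}")
    keys = ("time", "client", "method", "dst_ip", "dst_port", "url", "user_agent", "body")
    rec = dict(zip(keys, fields))
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def try_base64(body: str) -> Optional[str]:
    """Decode a POST body if it is strict base64; return text, or hex for binary results."""
    if body in ("", "-"):
        return None
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()


def inspect(rec: dict, line_no: int) -> Optional[Finding]:
    """Apply the beacon rules to one record; None when nothing matches."""
    reasons = []
    if rec["user_agent"] == FAKE_USER_AGENT:
        reasons.append("counterfeit_user_agent")
    if rec["dst_ip"] == C2_IP and rec["dst_port"] == C2_PORT:
        reasons.append("known_c2_endpoint")
    if rec["method"] == "GET" and GUID_RE.search(rec["url"]):
        reasons.append("guid_in_query")
    if not reasons:
        return None
    decoded = try_base64(rec["body"]) if rec["method"] == "POST" else None
    if decoded is not None:
        reasons.append("base64_post_body")   # exfiltrated result, shown decoded for triage
    return Finding(line_no, rec["client"], reasons, decoded)


def analyze(log_text: str) -> list:
    """Run the rules over a whole log and return the findings in line order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            hit = inspect(parse_line(line), n)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no} client {f.client}: {', '.join(f.reasons)}"
              + (f" -> {f.decoded_body}" if f.decoded_body else ""))
```

The User-Agent and IP rules are exact-match and will age as the infrastructure rotates; the GUID-in-query and base64-POST rules are weaker on their own but, combined with port-80 traffic from a host that should have no business with that address, give a second signal that survives an IP change.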

Infrastructure analysis revealed the C2 server is hosted in Romania within ASN 39798, registered to the hosting provider MivoCloud SRL. Passive DNS data showed recurring use of domains previously linked to threat group TA505, though direct attribution remains inconclusive.

However, the operation bears a striking resemblance to the tactics of Head Mare, another threat actor monitored by industry analysts. The EAGLET implant mirrors functionality found in the earlier PhantomDL backdoor — command execution, file transfer, and exfiltration. Additional similarities include naming conventions and decoy documents like Contract_RN83_Changes and Contract_kh02_523.

Prior instances include attacks against Russian military entities via documents named Договор_РН83_изменения.zip, which connected to a separate C2 server at IP 188.127.254.44 under ASN 56694.

Given the breadth of evidence, SEQRITE Labs attributes CargoTalon to the threat group UNG0901, believed to share infrastructure and tooling with Head Mare. The malware is classified in SEQRITE’s threat catalog as trojan.49644.SL.

The campaign is marked by extensive use of legitimate Windows system utilities (LOLBins), convincingly crafted decoy files, and a modular infection architecture — all indicative of a highly organized effort aimed at sustained access within critical infrastructure.