SourceForge: Cyber spies target Russian aviation firms to steal satellite and GPS data

Cyber-Espionage Group HeartlessSoul Targets Russian Aviation and Government Sectors

A cyber-espionage campaign attributed to the group HeartlessSoul has been actively targeting Russian government agencies and aviation industry organizations since at least September 2025, according to a report by Kaspersky. The attackers are focused on stealing geospatial intelligence (GIS) data, including detailed mapping of infrastructure, terrain, and strategic facilities, information critical to the engineering, industrial, and defense sectors.

HeartlessSoul employs phishing emails containing malicious archive files and malvertising campaigns to distribute malware. The group has also created fake aviation-related websites and domains to trick victims into downloading infected software installers. In one case, the attackers abused SourceForge, a legitimate software hosting platform, to distribute a trojanized version of GearUP, a tool for improving online gaming connections. Instead of the tool, unsuspecting users received spyware capable of harvesting screenshots, keystrokes, browser data, and Telegram credentials, as well as determining the device's location.

Kaspersky’s investigation revealed overlaps between HeartlessSoul and another hacking group, Goffee, which has previously targeted Russian systems and specialized in exfiltrating data from connected flash drives. The connection suggests potential coordination or shared operational ties.

While the primary focus appears to be the aviation sector, independent analyst Oleg Shakirov noted that the malware was also distributed through files disguised as FPV drone simulators and tools for bypassing Starlink restrictions. This could indicate broader targeting of drone operators, military personnel, or communications specialists, expanding the campaign’s potential impact beyond aviation.

Source: https://therecord.media/russia-cyber-espionage-aviation

SourceForge cybersecurity rating report: https://www.rankiteo.com/company/sourceforge-net

{
  "id": "SOU1777645601",
  "linkid": "sourceforge-net",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"industry": "Government", "location": "Russia", "type": "Government Agencies"},
    {"industry": "Aviation", "location": "Russia", "type": "Aviation Industry Organizations"},
    {"industry": ["Defense", "Communications"], "location": "Russia", "type": "Drone Operators, Military Personnel, Communications Specialists"}
  ],
  "attack_vector": ["Phishing Emails", "Malvertising", "Fake Websites", "Trojanized Software"],
  "data_breach": {
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Geospatial Intelligence (GIS) Data",
      "Screenshots",
      "Keystrokes",
      "Browser Data",
      "Telegram Credentials",
      "Device Locations"
    ]
  },
  "date_detected": "2025-09-01",
  "description": "A cyber-espionage campaign attributed to the group HeartlessSoul has been actively targeting Russian government agencies and aviation industry organizations since at least September 2025. The attackers are focused on stealing geospatial intelligence (GIS) data, including detailed mapping of infrastructure, terrain, and strategic facilities information critical to engineering, industrial, and defense sectors. The group employs phishing emails, malvertising campaigns, and fake aviation-related websites to distribute malware, including a trojanized version of GearUP hosted on SourceForge. The malware harvests screenshots, keystrokes, browser data, Telegram credentials, and device locations. Overlaps with the hacking group Goffee suggest potential coordination or shared operational ties.",
  "impact": {
    "data_compromised": "Geospatial intelligence (GIS) data, screenshots, keystrokes, browser data, Telegram credentials, device locations",
    "identity_theft_risk": "High"
  },
  "initial_access_broker": {
    "entry_point": ["Phishing Emails", "Malvertising", "Fake Websites", "Trojanized Software"],
    "high_value_targets": ["Government Agencies", "Aviation Industry", "Drone Operators", "Military Personnel"]
  },
  "investigation_status": "Ongoing",
  "motivation": "Espionage, Geospatial Intelligence Theft",
  "references": [
    {"source": "Kaspersky"},
    {"source": "Oleg Shakirov (Independent Analyst)"}
  ],
  "response": {"third_party_assistance": "Kaspersky"},
  "threat_actor": "HeartlessSoul",
  "title": "Cyber-Espionage Group HeartlessSoul Targets Russian Aviation and Government Sectors",
  "type": "Cyber-Espionage"
}