{
	"id": "b574c5a3-029f-41b5-aeff-fdb3373a0fe2",
	"created_at": "2026-04-06T00:16:48.521789Z",
	"updated_at": "2026-04-10T03:36:50.197461Z",
	"deleted_at": null,
	"sha1_hash": "13e95b85660fcad514eaa2c737dbf4e6b9a69e7a",
	"title": "Operation Celestial Force employs mobile and desktop malware to target Indian entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1190128,
	"plain_text": "Operation Celestial Force employs mobile and desktop malware to target Indian entities\r\nBy Cisco Talos\r\nPublished: 2024-06-13 · Archived: 2026-04-05 17:32:05 UTC\r\nThursday, June 13, 2024 06:00\r\nBy Gi7w0rm, Asheer Malhotra and Vitor Ventura.\r\nCisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.”\r\nAll GravityRAT and HeavyLift infections are administered by a standalone tool we are calling “GravityAdmin,” which carries out malicious activities on an infected device. Analysis of the panel binaries reveals that they are meant to administer and run multiple campaigns at the same time, all of which are codenamed and have their own admin panels.\r\nTalos attributes this operation with high confidence to a Pakistani nexus of threat actors we’re calling “Cosmic Leopard,” focused on espionage and surveillance of their targets. This multiyear operation continuously targeted Indian entities and individuals likely belonging to defense, government and related technology spaces. Talos initially disclosed the use of the Windows-based GravityRAT malware by suspected Pakistani threat actors in 2018 — also used to target Indian entities.\r\nWhile this operation has been active for at least the past six years, Talos has observed a general uptick in the threat landscape in recent years with respect to the use of mobile malware for espionage against high-value targets, including the use of commercial spyware. 
\r\nhttps://blog.talosintelligence.com/cosmic-leopard/\r\nPage 1 of 14\n\nOperation Celestial Force: A multi-campaign, multi-component infection operation\r\nTalos assesses with high confidence that this series of campaigns we’re clustering under the umbrella of “Operation Celestial Force” is conducted by a nexus of Pakistani threat actors. The tactics, techniques, tooling and victimology of Cosmic Leopard contain some overlaps with those of Transparent Tribe, another suspected Pakistani APT group, which has a history of targeting high-value individuals from the Indian subcontinent. However, we do not have enough technical evidence to link the two threat actors together for now, so we track this cluster of activity under the “Cosmic Leopard” tag.\r\nOperation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent. Cosmic Leopard initially began the operation with the creation and deployment of the Windows-based GravityRAT malware family distributed via malicious documents (maldocs). Cosmic Leopard then created Android-based versions of GravityRAT to widen their net of infections and begin targeting mobile devices around 2019. During the same year, Cosmic Leopard also expanded their arsenal to use the HeavyLift malware family as a malware loader. HeavyLift is primarily wrapped in malicious installers sent to targets who are tricked into running the malware via social engineering techniques.\r\nSome campaigns from this multi-year operation have been disclosed and loosely attributed to Pakistani threat actors in previous reporting. However, there has been little evidence to tie all of them together until now. 
Each campaign in the operation has been codenamed by the threat actor and managed/administered using custom-built panel binaries we call “GravityAdmin.”\r\nAdversaries like Cosmic Leopard may use low-sophistication techniques such as social engineering and spear phishing, but will aggressively target potential victims with various TTPs. Therefore, organizations must remain vigilant against such motivated adversaries conducting targeted attacks by educating users on proper cyber hygiene and implementing defense-in-depth models to protect against such attacks across various attack surfaces.\r\nThis campaign primarily utilizes two infection vectors — spear phishing and social engineering. Spear phishing consists of messages sent to targets with pertinent language and maldocs that contain malware such as GravityRAT.\r\nThe other infection vector, gaining popularity in this operation and now a staple tactic of Cosmic Leopard’s operations, consists of contacting targets over social media channels, establishing trust with them and eventually sending them a malicious link to download either the Windows- or Android-based GravityRAT or the Windows-based loader, HeavyLift.\r\nMalicious drop site delivering HeavyLift.\r\nOperation Celestial Force’s malware and its management interfaces\r\nTalos’ analysis reveals the use of multiple components, including Android- and Windows-based malware, and administrative binaries supporting multiple campaign panels used by Operation Celestial Force.\r\nGravityRAT: GravityRAT, a closed-source malware family first disclosed by Talos in 2018, is a Windows- and Android-based RAT used to target Indian entities.\r\nHeavyLift: A previously unknown Electron-based malware loader family distributed via malicious installers targeting the Windows operating system.
\r\nGravityAdmin: A tool to administer infected systems (panel binary), used by operators since at least 2021, by connecting to GravityRAT’s and HeavyLift’s C2 servers. GravityAdmin consists of multiple inbuilt User Interfaces (UIs) that correspond to specific, codenamed campaigns being operated by malicious operators.\r\nOperation Celestial Force’s infection chains are:\r\nGravityAdmin: Panel binaries administering the campaigns\r\nThe panel binaries we analyzed consist of multiple versions, with the earliest compiled in August 2021. The panel binary asks the operator for a user ID, password and campaign ID (from a drop-down menu) when it runs.\r\nLogin screen for GravityAdmin titled “Bits Before Bullets.”\r\nWhen the operator clicks the login button, the executable will check if it is connected to the internet by sending a ping request to www[.]google[.]com. Then, the user ID and password are authenticated with an authentication server, which sends back:\r\nA code to direct the panel binary to open the panel UI for the specified panel.\r\nA value returned via the HTTP “Authorization” header. This value acts as an authentication token when communicating with campaign-specific C2 servers to load data such as a list of infected machines.\r\nA typical panel screen lists the machines infected as part of the specific campaign. It also has buttons to trigger various malicious actions against one or more infected systems.\r\nDifferent panels have different capabilities; however, some core capabilities are common across all campaigns. 
\r\nThe various campaigns configured in the panel binaries are code named as:\r\n\"SIERRA\"\r\n\"QUEBEC\"\r\n\"ZULU\"\r\n\"DROPPER\"\r\n\"WORDDROPPER\"\r\n\"COMICUM\"\r\n\"ROCKAMORE\"\r\n\"FOXTROT\"\r\n\"CLOUDINFINITY\"\r\n\"RECOVERBIN\"\r\n\"CVSCOUT\"\r\n\"WEBBUCKET\"\r\n\"CRAFTWITHME\"\r\n\"SEXYBER\"\r\n\"CHATICO\"\r\nEach of the codenamed campaigns from the panel binaries has its own infection mechanisms. For example, “FOXTROT,” “CLOUDINFINITY” and “CHATICO” are names given to all Android-based GravityRAT infections, whereas “CRAFTWITHME,” “SEXYBER” and “CVSCOUT” are named for attacks deploying HeavyLift. Our analysis correlates the campaigns listed above with the operating systems being targeted and the respective malware families used:\r\nCampaign name: Platform targeted, malware used\r\nSIERRA: Windows, GravityRAT\r\nQUEBEC: Windows, GravityRAT\r\nZULU: Windows, GravityRAT\r\nDROPPER / WORDDROPPER / COMICUM: Windows, GravityRAT\r\nROCKAMORE: Windows, GravityRAT\r\nFOXTROT / CLOUDINFINITY / RECOVERBIN / CHATICO: Android, GravityRAT\r\nCVSCOUT: Windows, HeavyLift\r\nWEBBUCKET / CRAFTWITHME: Windows, HeavyLift\r\nSEXYBER: Windows, HeavyLift\r\nMost campaigns share infrastructure with one another, mostly to host malicious payloads or maintain a list of infected systems.\r\nCampaigns using the domain\r\nGravityRAT: A multi-platform remote access trojan\r\nGravityRAT is a Windows-based remote access trojan first disclosed by Talos in 2018. GravityRAT was later ported to the Android operating system to target mobile devices around 2019. Since 2019, we’ve observed the continuous addition of a multitude of capabilities in GravityRAT and its associated infrastructure. 
So far, we have observed the use of GravityRAT exclusively by suspected Pakistani threat actors to target entities and individuals in India. There is currently no publicly available evidence to suggest that GravityRAT is commodity or open-source malware, which would otherwise point to its potential use by multiple, disparate threat actors.\r\nOur analysis of the entire ecosystem of Operation Celestial Force revealed that GravityRAT’s use in this campaign likely began as early as 2016 and continues to this day.\r\nThe latest variants of GravityRAT are distributed through malicious websites, some registered and set up as late as early January 2024, pretending to distribute legitimate Android applications. Malicious operators distribute the download links to their targets over social media channels, asking them to download and install the malware.\r\nThe latest variants of GravityRAT use the previously mentioned code names to define the campaigns. The screenshot below shows the initial registration of a victim with the C2, which returns a list of alternative C2 servers to be used if needed.\r\nThe group uses the Cloudflare service to hide the true location of their C2 servers.\r\nAfter registration, the trojan requests tasks to execute from the C2, followed by uploading a file containing the device's location.\r\nThe trojan uses a different user-agent for each request — it's unclear if this is done on purpose, or if this anomaly is just the result of cut-and-paste code from other projects to tie together this trojan’s features.\r\nGravityRAT requests the following permissions on the device for stealing information and housekeeping tasks.\r\nThese variants of GravityRAT are similar to previously disclosed versions from ESET and Cyble and consist of the following capabilities:\r\n1. Send preliminary information about the device to the C2. 
This information includes IMEI, phone number, network country ISO code, network operator name, SIM country ISO code, SIM operator name, SIM serial number, device model, brand, product and manufacturer, addresses surrounding the obtained longitude and latitude of the device and the current build information, including release, host, etc.\r\n2. Read SMS data and content and upload it to the C2.\r\n3. Read specific file formats and upload them to the C2.\r\n4. Read call logs and upload them to the C2.\r\n5. Obtain IMEI information, including the associated email ID, and send it to the C2.\r\n6. Delete all contacts, call logs and files related to the malware.\r\nHeavyLift: Electron-based malware loader\r\nSome of the campaigns in this operation use Electron-based malware loaders we’re calling “HeavyLift,” which consist of JavaScript code that communicates with, and is controlled by, C2 servers. These are the same C2 servers that interact with GravityAdmin, the panel tool used by the operators to govern infected systems. HeavyLift is essentially a stage-one malware component that downloads and installs other malicious implants whenever they are available on the C2 server. HeavyLift bears some similarities with GravityRAT’s Electron versions disclosed previously by Kaspersky in 2020.\r\nA HeavyLift infection begins with an executable masquerading as an installer for a legitimate application. The installer installs a dummy application but also installs and sets up a malicious Electron-based desktop application. This malicious application is, in fact, HeavyLift and consists of JavaScript code that carries out malicious operations on the infected system.\r\nOn execution, HeavyLift will check if it is running on a macOS or Windows system. 
If it is running on macOS and not running as root, it will execute with admin privileges using the command:\r\n/usr/bin/osascript -e 'do shell script \"bash -c \" _process_path \" with administrator privileges'\r\nIf it is running as root, it will set the default HTTP User-Agent to “M_9C9353252222ABD88B123CE5A78B70F6”, then gather system info using the commands:\r\nsystem_profiler SPHardwareDataType | grep 'Model Name'\r\nsystem_profiler SPHardwareDataType | grep 'SMC'\r\nsystem_profiler SPHardwareDataType | grep 'Model Identifier'\r\nsystem_profiler SPHardwareDataType | grep 'ROM'\r\nsystem_profiler SPHardwareDataType | grep 'Serial Number'\r\nFor a Windows-based system, the HTTP User-Agent is set to “W_9C9353252222ABD88B123CE5A78B70F6”. The malware will then obtain preliminary system information such as:\r\nProcessor ID\r\nMAC address\r\nInstalled anti-virus product name\r\nUsername\r\nDomain name\r\nPlatform information\r\nProcess and OS architecture\r\nAgent (hardcoded value)\r\nOS release number\r\nAll this preliminary information is sent to the hardcoded C2 server URL to register the infection with the C2.\r\nHeavyLift will then reach out to the C2 server to poll for any new payloads to execute on the infected system. A payload received from the C2 is dropped to a directory under the “AppData” directory and persisted on the system.\r\nOn macOS, the payload is a ZIP file that is extracted, and the resulting binary persists using crontab via the command:\r\ncrontab -l 2\u003e/dev/null; echo ' */2 * * * * “_filepath_” _arguments_ ‘ | crontab -\r\nFor Windows, the payload received is an EXE file that persists on the system via a scheduled task. 
The malware will create an XML file for the scheduled task with the payload path, arguments and working directory, and then use the XML to set up the scheduled task:\r\nSCHTASKS /Create /XML \"_xmlpath_\" /TN \"_taskname_\" /F\r\nThe malware will then open the accompanying HTML file via a web view to appear legitimate.\r\nIn some cases, the malware will also perform anti-analysis checks to see if it’s running in a virtual environment. It checks for the presence of specific keywords, closing if there is a match:\r\nInnotek GmbH\r\nVirtualBox\r\nVMware\r\nMicrosoft Corporation\r\nHITACHI\r\nOn macOS, these keywords are checked against model information, SMC, ROM and serial numbers; on Windows, they are checked against manufacturer information such as product, vendor, processor and more.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/cosmic-leopard/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/cosmic-leopard/"
	],
	"report_names": [
		"cosmic-leopard"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7fc3c743-5f3d-4c30-a388-5937abef3659",
			"created_at": "2024-06-20T02:02:09.693669Z",
			"updated_at": "2026-04-10T02:00:04.630596Z",
			"deleted_at": null,
			"main_name": "Cosmic Leopard",
			"aliases": [
				"Cosmic Leopard",
				"Operation Celestial Force"
			],
			"source_name": "ETDA:Cosmic Leopard",
			"tools": [
				"GravityAdmin",
				"GravityRAT",
				"HeavyLift"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13e95b85660fcad514eaa2c737dbf4e6b9a69e7a.pdf",
		"text": "https://archive.orkl.eu/13e95b85660fcad514eaa2c737dbf4e6b9a69e7a.txt",
		"img": "https://archive.orkl.eu/13e95b85660fcad514eaa2c737dbf4e6b9a69e7a.jpg"
	}
}