{
	"id": "23c9a9c4-2087-4507-b7b0-15122d42c249",
	"created_at": "2026-04-06T00:12:28.055979Z",
	"updated_at": "2026-04-10T03:36:47.988253Z",
	"deleted_at": null,
	"sha1_hash": "3514794afdcd3734b9f9a79087f9b103cd19bb5a",
	"title": "Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2029136,
	"plain_text": "Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign\r\nArchived: 2026-04-05 22:01:52 UTC\r\nExecutive Summary\r\nBeginning March 7th, 2024, EclecticIQ analysts identified an uncategorized threat actor that utilized a modified version of the open-source information stealer HackBrowserData [1] to target Indian government entities and the energy sector. The information stealer was delivered via a phishing email masquerading as an invitation letter from the Indian Air Force. After the malware's execution, the attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data. EclecticIQ analysts dubbed the intrusion “Operation FlightNight” because each of the attacker-operated Slack channels was named “FlightNight”.\r\nAnalysts identified that multiple government entities in India have been targeted, including agencies responsible for electronic communications, IT governance, and national defense. Moreover, the actor targeted private Indian energy companies, exfiltrating financial documents, personal details of employees, and details about drilling activities in oil and gas. In total, the actor exfiltrated 8,81 GB of data, leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government's infrastructure.\r\nBehavioral similarities in the malware and the delivery technique's metadata strongly indicate a connection with an attack reported on January 17, 2024 [2]. EclecticIQ analysts assess with high confidence that the motive behind these actions is very likely cyber espionage.\r\nEclecticIQ shared its findings with Indian authorities to assist in identifying the victims and to support the incident response process.
\r\nhttps://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign\r\nPage 1 of 11\n\nFigure 1 - Operation FlightNight in EclecticIQ Threat Intelligence Platform.\r\nInvitation Letter Decoy Delivers Information Stealer\r\nThe threat actor used a decoy PDF document posing as an invitation letter from the Indian Air Force. This document was delivered inside an ISO file, which contained the malware in executable form. Additionally, a shortcut file (LNK) was included to trick recipients into activating the malware.\r\nFigure 2 – Malware infection chain in Operation FlightNight.\r\nAfter victims mounted the ISO file, they encountered the LNK file posing as the invitation letter (Figure 3). It appeared to be a harmless PDF document due to its misleading PDF icon. Upon opening the LNK file, victims inadvertently executed a shortcut that activated the hidden malware [3]. The malware immediately began exfiltrating documents and cached web browser data from the victim's device to Slack channels.\r\nFigure 3 – Machine ID metadata in shortcut file (LNK).\r\nFigure 4 displays the decoy document [3] (Indian Air Force invitation) opened after the execution of the LNK file. This strategy aims to deceive individuals into believing they are accessing a genuine document, while allowing the malware to operate covertly. EclecticIQ analysts observed the same PDF document in an attacker-controlled Slack channel where the stolen data was stored. Analysts assess with high confidence that the PDF document was very likely stolen during a previous intrusion and repurposed by the attacker.
\r\nFigure 4 – Indian Air Force invitation decoy side by side with information stealer payload.\r\nFigure 5 shows five different overlaps between Operation FlightNight and the Go-Stealer campaign that was previously observed by researcher ElementalX2 on January 17, 2024 [2]. This comparison highlights specific areas of overlap between the two incidents, offering strong evidence that both campaigns are likely the work of the same threat actor targeting Indian government entities.\r\nFigure 5 – Overlaps between new and earlier malware campaign.\r\nModified Version of HackBrowserData Utilized as Payload\r\nThe open-source post-exploitation tool HackBrowserData has the capability to steal browser login credentials, cookies, and history (the list of targeted web browsers can be seen in Appendix A). The threat actor implemented new functionalities, such as communication through Slack channels, document stealing, and malware obfuscation for evasion.\r\nFigure 6 shows code similarities between the original HackBrowserData in the GitHub repository [4] and the modified variant used in Operation FlightNight. The right side of the image displays the modified version of the malware executing in verbose mode. While extracting cached browser data, it encountered error messages identical to those seen in the original HackBrowserData.\r\nFigure 6 – Verbose mode in information stealer showing code similarity with original HackBrowserData.\r\nThe malware creates a TXT file named Bkdqqxb.txt in the %TEMP% directory and uses this file as a mutex to prevent multiple instances from running on the same host. This file name, along with the web browser names, is stored in an encoded format and is decoded dynamically at the time of the malware's execution.
\r\nFigure 7 – Decoded strings in debugger.\r\nThe cached web browser data was stored at the file path C:\\Users\\Public\\results.zip. This file was sent to attacker-controlled Slack channels via the files.upload API method [5].\r\nFigure 8 – ZIP file with browser data in CSV format, the default format used by the original HackBrowserData tool.\r\nDuring data exfiltration the malware is designed to target only specific file extensions, such as Microsoft Office documents (Word, PowerPoint, Excel), PDF files, and SQL database files on victim devices, very likely to increase the speed of the data theft. The malware then uploads the identified documents to the Slack channels and finalizes data exfiltration. Figure 9 shows network traffic during data upload to a Slack server. The threat actor uses the structure below to identify victims through an ID and username:\r\nRandom-Victim-ID ~ File-Path-of-Stolen-Data\r\nFigure 9 – Network traffic during data exfiltration attempt.\r\nGathering Victimology from FlightNight Slack Channels\r\nThe malware code statically stores four Slack workspace URLs and API keys for controlling the Slack bot communication. EclecticIQ analysts used that information to access the Slack channels and to dump messages containing exfiltrated data. These messages contain a list of victims, file paths of the stolen data, timestamps, and unique URLs for downloading the stolen files.\r\nBefore sending the victim data, the malware tested connectivity to the Slack workspaces via the auth.test API method [6].
It will return True if successful and dynamically retrieve further details about the attacker-operated Slack workspaces, such as bot name, team ID, user ID and bot ID.\r\nFigure 10 – URLs of the Slack workspaces and API token for bots.\r\nFigure 11 shows the details of one example of a Slack message sent by the malware.\r\nFigure 11 – Example of the message content in FlightNight Slack channel.\r\nOpen-Source Offensive Tools Used in Cyber Espionage\r\nOperation FlightNight and the Go-Stealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage. This underscores the evolving landscape of cyber threats, wherein actors abuse widely used open-source offensive tools and platforms to achieve their objectives with minimal risk of detection and investment. Here is a breakdown of the key elements and their implications:\r\nModified Open-Source Offensive Tools: By modifying open-source tools, the attackers can use existing capabilities while customizing functionalities to fit their specific needs. This approach not only saves development time and resources but also makes it harder for security measures to detect and attribute the attack.\r\nUtilization of Slack Servers for Data Exfiltration: The actor abused Slack, a popular communication platform for businesses and teams, to steal data. By blending data exfiltration with legitimate Slack traffic, attackers effectively camouflage their activities. This choice reflects a move to exploit the trust and ubiquity of Slack in professional environments, reducing the likelihood of detection.
\r\nReduction of Development Time and Cost: The use of open-source tools and established platforms like Slack minimizes the need for extensive development and infrastructure setup, significantly reducing the cost and time required to launch an attack. This efficiency not only makes it easier for attackers to operate but also lowers the barrier to entry for less skilled individuals to conduct attacks.\r\nImplications for Cybersecurity: The tactics used in Operation FlightNight and the Go-Stealer campaign highlight the importance of intelligence sharing and developing strategies to counteract these evolving threats. Organizations should enhance their security posture through continuous monitoring, adopting behavior-based detection mechanisms, and educating employees about phishing attacks.\r\nDetection \u0026 Mitigation Opportunities\r\nCaching of passwords and auto-completion of usernames in web browsers can be disabled through Windows Group Policy [7]. Also, two-factor authentication (2FA) would prevent unauthorized access after a potential password exposure.\r\nISO mounting events can be detected by using Event ID 12 of the Microsoft-Windows-VHDMP-Operational log or the SIGMA rule “file_event_win_iso_file_recent” [8]. Windows Group Policy can be used to block ISO mounting on specific devices.\r\nEnable command-line process auditing to detect LNK file executions. LNK file execution often results in the creation of a new process with a command line that includes the path to the LNK file and the malware.\r\nRepetitive or high-volume outbound network traffic to unknown Slack channels should be considered a network anomaly; affected devices and users should be contained from the network to avoid further data exfiltration.
\r\nIOCs (Indicators of Compromise)\r\nOperation FlightNight Campaign\r\nSHA-256 Hashes:\r\n4455ca4e12b5ff486c466897522536ad753cd459d0eb3bfb1747ffc79a2ce5dd\r\n69c3a92757f79a0020cf1711cda4a724633d535f75bbef2bd74e07a902831d59\r\n0ac787366bb435c11bf55620b4ba671b710c6f8924712575a0e443abd9922e9f\r\nCommand and Control Servers:\r\nsolucionesgeofisicas.slack[.]com\r\nswiftrecruiters.slack[.]com\r\ntelcomprodicci.slack[.]com\r\nalfarabischoolgroup.slack[.]com\r\nGoStealer Campaign\r\nSHA-256 Hashes:\r\na811a2dea86dbf6ee9a288624de029be24158fa88f5a6c10acf5bf01ae159e36\r\n4fa0e396cda9578143ad90ff03702a3b9c796c657f3bdaaf851ea79cb46b86d7\r\n4a287fa02f75b953e941003cf7c2603e606de3e3a51a3923731ba38eef5532ae\r\ndab645ecb8b2e7722b140ffe1fd59373a899f01bc5d69570d60b8b26781c64fb\r\nCommand and Control Server:\r\ntucker-group.slack[.]com\r\nMITRE TTPs\r\nExfiltration Over Web Service - T1567\r\nSteal Web Session Cookie - T1539\r\nBrowser Information Discovery - T1217\r\nApplication Layer Protocol: Web Protocols - T1071.001\r\nFile and Directory Discovery - T1083\r\nPhishing: Spearphishing Link - T1566.002\r\nMasquerading: Masquerade File Type - T1036.008\r\nDeobfuscate/Decode Files or Information - T1140\r\nUser Execution: Malicious File - T1204.002\r\nAppendix A\r\nList of the targeted web browsers:\r\nGoogle Chrome\r\nGoogle Chrome Beta\r\nChromium\r\nMicrosoft Edge\r\n360 Speed\r\nQQ\r\nBrave\r\nOpera\r\nOperaGX\r\nVivaldi\r\nYandex\r\nCocCoc\r\nFirefox\r\nFirefox Beta\r\nFirefox Dev\r\nFirefox ESR\r\nFirefox Nightly\r\nInternet Explorer\r\nStructured Data\r\nFind this and other research in our public TAXII collection for easy use in your 
security stack: https://cti.eclecticiq.com/taxii/discovery.\r\nPlease refer to our support page for guidance on how to access the feeds.\r\nAbout EclecticIQ Intelligence \u0026 Research Team\r\nEclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence \u0026 Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.\r\nWe would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.\r\nReferences\r\n[1] ᴍᴏᴏɴD4ʀᴋ, “HackBrowserData.” Apr. 28, 2023. Accessed: Apr. 28, 2023. [Online]. Available: https://github.com/moonD4rk/HackBrowserData\r\n[2] “GoStealer: Golang-based credential stealer targets Indian Airforce Officials. | Dev | Disassemble | Debug.” Accessed: Mar. 13, 2024. [Online]. Available: https://xelemental.github.io/Golang-based-credential-stealer-targets-Indian-Airforce-Officials/\r\n[3] “VirusTotal - File - 64aff0e1f42f45458dcf3174b69d284d558f7dac24a902438e332e05d0d362ef.” Accessed: Mar. 15, 2024. [Online]. Available: https://www.virustotal.com/gui/file/64aff0e1f42f45458dcf3174b69d284d558f7dac24a902438e332e05d0d362ef\r\n[4] “HackBrowserData/browser/browser.go at ec10278f65c46a9834b4bd88ca2d1b359849feb1 · moonD4rk/HackBrowserData · GitHub.” Accessed: Mar. 19, 2024. [Online]. Available: https://github.com/moonD4rk/HackBrowserData/blob/ec10278f65c46a9834b4bd88ca2d1b359849feb1/browser/browser.go#L47\r\n[5] Slack, “files.upload API method,” Slack API. Accessed: Mar. 13, 2024. [Online]. 
Available: https://slack.com/methods/files.upload\r\n[6] Slack, “auth.test API method,” Slack API. Accessed: Mar. 13, 2024. [Online]. Available: https://slack.com/methods/auth.test\r\n[7] “Secure Web Browsers by Group Policy Chrome, Firefox, OS X, MS Edge,” Delinea. Accessed: Mar. 19, 2024. [Online]. Available: https://delinea.com/blog/securing-web-browsers-through-group-policy\r\n[8] “sigma/rules/windows/file/file_event/file_event_win_iso_file_recent.yml at master · SigmaHQ/sigma · GitHub.” Accessed: Mar. 19, 2024. [Online]. Available: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml\r\nSource: https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign"
	],
	"report_names": [
		"operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3514794afdcd3734b9f9a79087f9b103cd19bb5a.pdf",
		"text": "https://archive.orkl.eu/3514794afdcd3734b9f9a79087f9b103cd19bb5a.txt",
		"img": "https://archive.orkl.eu/3514794afdcd3734b9f9a79087f9b103cd19bb5a.jpg"
	}
}