{
	"id": "36932f50-eef1-4ace-9a55-62f9d79543a5",
	"created_at": "2026-04-06T00:15:35.978357Z",
	"updated_at": "2026-04-10T03:36:50.34451Z",
	"deleted_at": null,
	"sha1_hash": "c03e6a1314ab937c4727cc8a2c7f8e42d90d0202",
	"title": "Cosmic Leopard, Operation Celestial Force",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49740,
	"plain_text": "Cosmic Leopard, Operation Celestial Force\r\nArchived: 2026-04-05 17:00:03 UTC\r\nAPT group: Cosmic Leopard, Operation Celestial Force\r\nNames\r\nCosmic Leopard (Talos)\r\nOperation Celestial Force (Talos)\r\nCountry: Pakistan\r\nMotivation: Information theft and espionage\r\nFirst seen: 2018\r\nDescription\r\n(Talos) Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force”\r\nrunning since at least 2018. It is still active today, employing the use of GravityRAT, an\r\nAndroid-based malware, along with a Windows-based malware loader we track as\r\n“HeavyLift.”\r\nAll GravityRAT and HeavyLift infections are administered by a standalone tool we are calling\r\n“GravityAdmin,” which carries out malicious activities on an infected device. Analysis of the\r\npanel binaries reveals that they are meant to administer and run multiple campaigns at the\r\nsame time, all of which are codenamed and have their own admin panels.\r\nTalos attributes this operation with high confidence to a Pakistani nexus of threat actors we’re\r\ncalling “Cosmic Leopard,” focused on espionage and surveillance of their targets. This\r\nmultiyear operation continuously targeted Indian entities and individuals likely belonging to\r\ndefense, government and related technology spaces. Talos initially disclosed the use of the\r\nWindows-based GravityRAT malware by suspected Pakistani threat actors in 2018 — also\r\nused to target Indian entities.\r\nThe tactics, techniques, tooling and victimology of Cosmic Leopard contain some overlaps\r\nwith those of Transparent Tribe, APT 36, another suspected Pakistani APT group, which has a\r\nhistory of targeting high-value individuals from the Indian subcontinent. However, we do not\r\nhave enough technical evidence to link both the threat actors together for now, therefore we\r\ntrack this cluster of activity under the “Cosmic Leopard” tag.\r\nObserved Countries: India.\r\nTools used: GravityAdmin, GravityRAT, HeavyLift.\n\nInformation Last change to this card: 19 June 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6cfbd869-195e-4426-882d-b591268c32cb",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6cfbd869-195e-4426-882d-b591268c32cb"
	],
	"report_names": [
		"showcard.cgi?u=6cfbd869-195e-4426-882d-b591268c32cb"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7fc3c743-5f3d-4c30-a388-5937abef3659",
			"created_at": "2024-06-20T02:02:09.693669Z",
			"updated_at": "2026-04-10T02:00:04.630596Z",
			"deleted_at": null,
			"main_name": "Cosmic Leopard",
			"aliases": [
				"Cosmic Leopard",
				"Operation Celestial Force"
			],
			"source_name": "ETDA:Cosmic Leopard",
			"tools": [
				"GravityAdmin",
				"GravityRAT",
				"HeavyLift"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434535,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c03e6a1314ab937c4727cc8a2c7f8e42d90d0202.pdf",
		"text": "https://archive.orkl.eu/c03e6a1314ab937c4727cc8a2c7f8e42d90d0202.txt",
		"img": "https://archive.orkl.eu/c03e6a1314ab937c4727cc8a2c7f8e42d90d0202.jpg"
	}
}