HeartlessSoul Cyber Spies Target Russian Aviation

May 3, 2026 16:06

Introduction to HeartlessSoul Cyber Espionage

A cyber-espionage group, known as HeartlessSoul, has been targeting Russian government agencies and companies in the aviation industry to steal sensitive geospatial data, according to a report released by Kaspersky, a Russian cybersecurity firm.

The group has been active since at least September 2025 and has carried out cyberattacks designed to infiltrate Russian organizations and individual users. The attackers appear particularly interested in obtaining geographic information system (GIS) data, which can reveal detailed information about infrastructure such as roads, engineering networks, terrain, and potentially strategic facilities.

Tactics and Techniques of HeartlessSoul

The hackers primarily gain access through phishing emails containing infected archive files. They also run malicious advertising campaigns that mimic websites offering software used in aviation systems, tricking victims into downloading infected installers.

In some cases, the attackers created domains that imitated aviation-related resources and used them to distribute malware disguised as legitimate software. Once downloaded, the files automatically launch the infection process.

Researchers also found that the group used the legitimate software hosting platform SourceForge to distribute malware. There, the attackers uploaded a fake version of GearUP, a service designed to improve connection quality in online games.

Users searching for the tool could instead download a malicious archive that installed spyware. Once inside a victim’s device, the malware can collect extensive data, including screenshots, keystrokes, browser data, and files stored on the system.

Data Collection and Exfiltration

The malware can also extract login credentials from the messaging app Telegram and determine the device’s location. This suggests that the attackers are interested in gathering sensitive information that could be used for future cyberattacks or espionage activities.

Links to Other Hacking Groups

During their investigation, Kaspersky researchers also identified links between HeartlessSoul and another hacking group known as Goffee, which has previously targeted Russian systems and was known for stealing sensitive files from flash drives connected to infected computers.

The overlap may indicate coordinated or related operations, Kaspersky said. This raises concerns about the potential for future cyberattacks and the need for increased cybersecurity measures to protect against these threats.

Potential Targets and Motivations

Although Kaspersky said the main target of HeartlessSoul’s recent campaign was the aviation industry, independent Russian cybersecurity analyst Oleg Shakirov said the malware described by the researchers was also distributed through files disguised as FPV drone simulators and tools designed to bypass restrictions on the satellite internet service Starlink.

If confirmed, that could suggest the attacks were aimed not just at aviation companies but at drone operators, communications specialists, or other military personnel. This highlights the need for increased awareness and cybersecurity measures across various industries and sectors.

The motivations behind HeartlessSoul’s cyber-espionage activities are not entirely clear, but it is likely that the group is seeking to gather sensitive information that could be used for future cyberattacks or espionage activities.

Conclusion

The HeartlessSoul cyber-espionage group poses a significant threat to Russian government agencies and companies in the aviation industry. The group’s tactics and techniques, including phishing emails and malicious advertising campaigns, highlight the need for increased awareness and cybersecurity measures to protect against these threats.

As the cyber threat landscape continues to evolve, it is essential for organizations to stay vigilant and take proactive measures to protect themselves against cyber-espionage activities. This includes implementing robust cybersecurity measures, conducting regular security audits, and providing employees with cybersecurity training and awareness programs.


Source: The Record