HeartlessSoul Espionage Campaign Targets Aviation Sector for Geospatial Data Theft
A sophisticated espionage group known as HeartlessSoul is targeting aviation and drone firms with custom malware to exfiltrate sensitive geospatial intelligence and navigation data.

A sophisticated cyber espionage group identified as "HeartlessSoul" is actively targeting aviation firms, drone operators, and aerospace organizations to exfiltrate sensitive geospatial and navigation data. According to Dark Reading, the campaign, which has been monitored by Kaspersky Lab since February 2026, focuses on harvesting Geographic Information System (GIS) files, GPS data, and digital geographic relief files. These assets provide adversaries with critical intelligence regarding infrastructure, terrain, and strategic assets, which can be leveraged for logistics disruption, asset tracking, and operational planning.
The threat actor employs a multi-stage infection chain characterized by high technical sophistication, including fileless execution and the use of malicious LNK files that exploit a Windows shortcut vulnerability tracked as ZDI-CAN-25373 (Dark Reading). The group utilizes a combination of phishing and malvertising to deliver its payload. In one notable instance, HeartlessSoul hosted a malicious archive disguised as legitimate aviation software on the open-source platform SourceForge to lure unsuspecting users into downloading the malware.
Once a system is compromised, the attackers deploy a JavaScript-based remote access Trojan (RAT) and PowerShell scripts to maintain persistence and facilitate data exfiltration. Kaspersky Lab researchers note that the group’s activities, which date back to at least September 2025, are currently focused on targets within the Russian government and associated industrial enterprises (Dark Reading). The exfiltrated data includes proprietary mapping files that reveal not only physical terrain but also the "operational ground truth"—the specific intelligence and assumptions held by the victim's own analysts.
Security experts emphasize that the targeting of GIS and aviation data represents a shift toward intelligence-collection efforts that support broader military and regional conflict objectives. By stealing this data, adversaries gain the ability to model gaps in a victim's situational awareness, effectively mapping out infrastructure and engineering networks that are vital to both state and industrial operations (Dark Reading).
While the ultimate attribution of HeartlessSoul remains uncertain, the group’s tactics align with the sophisticated methodologies typically associated with nation-state actors. The campaign highlights a growing trend where geospatial intelligence has become a high-value target for espionage, moving beyond traditional financial or credential theft. Organizations operating in the aviation and drone sectors are advised to remain vigilant against suspicious software installers and to monitor for unauthorized use of PowerShell and JavaScript-based execution patterns within their environments.