HeartlessSoul Cyber-Espionage Group Targets Russian Aviation Firms for Geospatial Data Theft
A cyber-espionage group known as HeartlessSoul has been targeting Russian aviation companies and government agencies since September 2025 to steal sensitive geographic information system (GIS) data, including satellite and GPS mapping.

A cyber-espionage group known as HeartlessSoul has been targeting Russian aviation companies and government agencies since at least September 2025, according to a report from Kaspersky. The attackers are primarily interested in stealing geographic information system (GIS) data, which includes detailed mapping of infrastructure such as roads, engineering networks, terrain, and potentially strategic facilities. Such data is commonly used by engineering, government, and industrial organizations.
The group gains initial access through phishing emails containing infected archive files. It also runs malicious advertising campaigns that mimic websites offering software used in aviation systems, tricking victims into downloading infected installers. In some cases, the attackers created domains that imitated aviation-related resources and used them to distribute malware disguised as legitimate software. Once downloaded, the files automatically launch the infection process.
Researchers also found that the group used the legitimate software hosting platform SourceForge to distribute malware. There, the attackers uploaded a fake version of GearUP, a service designed to improve connection quality in online games. Users searching for the tool could instead download a malicious archive that installed spyware.
Once inside a victim's device, the malware can collect extensive data, including screenshots, keystrokes, browser data, and files stored on the system. It can also extract login credentials from the messaging app Telegram and determine the device's location. The malware is designed to be stealthy and persistent, allowing long-term access to compromised systems.
During their investigation, Kaspersky researchers identified links between HeartlessSoul and another hacking group known as Goffee, which has previously targeted Russian systems and was known for stealing sensitive files from flash drives connected to infected computers. The overlap may indicate coordinated or related operations, Kaspersky said.
Although Kaspersky said the main target of HeartlessSoul's recent campaign was the aviation industry, independent Russian cybersecurity analyst Oleg Shakirov noted that the malware was also distributed through files disguised as FPV drone simulators and tools designed to bypass restrictions on the satellite internet service Starlink. If confirmed, that could suggest the attacks were aimed not just at aviation companies but at drone operators, communications specialists, or other military personnel.
The campaign highlights the growing interest of cyber-espionage groups in geospatial data, which can be used for strategic planning, targeting, and intelligence gathering. The use of multiple infection vectors, including phishing, malicious ads, and fake software on legitimate platforms, demonstrates the group's sophistication and resources. Organizations in the aviation and defense sectors should remain vigilant and implement robust security measures to protect sensitive data.