Operation FlightNight Cyberattack Alert

Operation FlightNight refers to a cyber espionage campaign that targeted Indian government entities and the energy sector. The attackers used a modified version of the open-source information stealer HackBrowserData, delivered via a phishing email disguised as an invitation letter from the Indian Air Force. The malware was distributed inside an ISO file containing an executable and a shortcut file (LNK) designed to trick recipients into activating the malware. Once executed, the malware began exfiltrating documents and cached web browser data to Slack channels named “FlightNight.” EclecticIQ analysts identified the campaign and shared their findings with Indian authorities to assist in the incident response process. The campaign exfiltrated 8.81 GB of data, and analysts assess with high confidence that the motive behind these actions is likely cyber espionage.

⚠ Threat Actor/Threat Group: Not mentioned.

⚠ Malware: HackBrowserData (modified version)

⚠ Targeted Countries: India

⚠ Targeted Industries: Government, Energy

⚠ Specific Applications/CVEs: No specific applications or CVEs mentioned.

⚠ Impact: Data Exfiltration, Cyber Espionage

⚠ MITRE TTP IDs: T1567, T1539, T1217, T1071.001, T1083, T1566.002, T1036.008, T1140, T1204.002

📌 Indian government entities and energy companies have been targeted by hackers aiming to deliver a modified version of the open-source information stealer HackBrowserData and collect sensitive information.

📌 The campaign was discovered in early March by EclecticIQ researchers and was codenamed Operation FlightNight, in reference to the Slack channels operated by the adversary.

📌 The information stealer was delivered via a phishing email masquerading as an invitation letter from the Indian Air Force.

📌 The attack chain starts with a phishing message containing an ISO file (“invite.iso”), which, in turn, contains a Windows shortcut (LNK) that triggers the execution of a hidden binary (“scholar.exe”) present within the mounted optical disk image.

📌 Simultaneously, a lure PDF file that claims to be an invitation letter from the Indian Air Force is displayed to the victim, while the malware secretly harvests documents and cached web browser data and transmits them to an actor-controlled Slack channel named FlightNight.

📌 This malware is an altered version of HackBrowserData that goes beyond its browser data theft features to incorporate capabilities to siphon documents (Microsoft Office, PDFs, and SQL database files), communicate over Slack, and better evade detection using obfuscation techniques.
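The attack chain above (an executable launched from a mounted ISO via a shortcut, followed by exfiltration to Slack) leaves two telemetry signals a defender can correlate. The following detection helper is an added example written for this alert, not code from EclecticIQ or the page; it runs over constructed endpoint events (process creation and network connection records). The `mounted_image` field, the Slack domain list and the process allowlist are assumptions to be adapted to the fields your EDR actually exposes and to the Slack clients in use in your environment.

```python
"""Flag the FlightNight-style pattern in endpoint telemetry (constructed example).

Rules, mapped to the MITRE IDs listed in the alert:
  R1  T1204.002 / T1036.008  an .exe started by Explorer from a mounted disk
      image (what happens when a user opens the LNK inside the ISO)
  R2  T1567 / T1071.001      a process that is not a known Slack client or
      browser connecting to Slack
A process that trips both rules is reported as HIGH, one rule as MEDIUM.
"""
from collections import defaultdict

# Assumption: Slack endpoints to watch; extend with hostnames seen in your proxy logs.
SLACK_DOMAINS = ("slack.com",)
# Assumption: processes that legitimately talk to Slack in this environment.
SLACK_ALLOWLIST = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_slack(host):
    """True for a Slack domain or any of its subdomains (e.g. files.slack.com)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SLACK_DOMAINS)


def analyse(events):
    """Return findings as (severity, pid, image, reasons), sorted by pid.

    Each event is a dict with 'event', 'pid' and 'image'; process_create events
    also carry 'parent_image' and 'mounted_image' (bool, assumed EDR field),
    network_connect events carry 'dest_host'.
    """
    hits = defaultdict(list)
    images = {}
    for e in events:
        images[e["pid"]] = e["image"]
        if e["event"] == "process_create":
            launched_by_explorer = _basename(e["parent_image"]) == "explorer.exe"
            if e.get("mounted_image") and launched_by_explorer and e["image"].lower().endswith(".exe"):
                hits[e["pid"]].append("R1 executable launched from mounted disk image via Explorer")
        elif e["event"] == "network_connect":
            if _is_slack(e["dest_host"]) and _basename(e["image"]) not in SLACK_ALLOWLIST:
                hits[e["pid"]].append(f"R2 unexpected process contacting {e['dest_host']}")
    findings = []
    for pid, reasons in hits.items():
        rules_hit = {r[:2] for r in reasons}          # {'R1'}, {'R2'} or both
        severity = "HIGH" if len(rules_hit) == 2 else "MEDIUM"
        findings.append((severity, pid, images[pid], reasons))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample telemetry: a mounted ISO drive (E:), the hidden binary from the
# alert, a legitimate Slack client and an ordinary Office process as benign noise.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120, "image": r"E:\scholar.exe",
     "parent_image": r"C:\Windows\explorer.exe", "mounted_image": True},
    {"event": "process_create", "pid": 2200, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "mounted_image": False},
    {"event": "network_connect", "pid": 880, "image": r"C:\Users\u\AppData\Local\slack\slack.exe",
     "dest_host": "slack.com"},
    {"event": "network_connect", "pid": 4120, "image": r"E:\scholar.exe",
     "dest_host": "files.slack.com"},
]

if __name__ == "__main__":
    for severity, pid, image, reasons in analyse(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid} {image}")
        for r in reasons:
            print("   -", r)
```

Run stand-alone, the script reports a single HIGH finding for pid 4120 (`scholar.exe`), because the same process both started from a mounted image and contacted Slack; the allowlisted Slack client and the Word process produce nothing. Correlating on the process rather than alerting on either rule alone keeps the Slack rule usable in organisations where Slack traffic is normal.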

⭕ The threat actor is said to have successfully compromised private energy companies, harvesting financial documents, personal details of employees, and details about oil and gas drilling activities.

⭕ Around 8.81 GB of data has been exfiltrated over the course of the campaign.

For any queries, contact cert-in@primeinfoserv.com
