Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

Pakistan's 'Cosmic Leopard' Is Targeting India With RATs

Threat Actor Uses Admin Panel to Track Multiple Campaigns
Pakistan's 'Cosmic Leopard' Is Targeting India With RATs
Cisco Talos says a threat actor is dubbed "Cosmic Leopard" has targeted Indian officials with Trojans since 2016. (Image: Shutterstock)

A likely Pakistani cyberespionage operation has expanded its tool set since it first targeted Indian officials nearly a decade ago. That's probable evidence the threat actor has "seen a high degree of success," said researchers from Cisco Talos.

See Also: 5 Ways Exabeam Helps Eliminate Compromised Credential Blindspots

The threat intelligence division of the networking manufacturer said Thursday that a threat actor it dubbed "Cosmic Leopard" is the source of Trojans infecting Windows and Android devices in a multiyear, multi-campaign effort it calls Operation Celestial Force.

The threat actor since 2021 has used custom-built panel binaries Talos calls GravityAdmin to manage campaigns. Cosmic Leopard overlaps with a known group tracked as Transparent Tribe, APT36 and Mythic Leopard - but Talos said that "for now" it doesn't have enough technical evidence to link the threat actors. Talos said it attributes with high confidence Cosmic Leopard's nexus with Pakistan.

Pakistani cyberespionage against India - the countries have been militant rivals since the acrimonious partition of British India in 1947 and a continuing dispute over the sovereignty of Kashmir - is concentrated against government and military agencies and the defense industrial base, but it has expanded into other sectors such as education (see: APT36 Running Espionage Ops Against India's Education Sector).

The initial infection vector of Pakistani espionage Trojans tends to be spear-phishing emails containing infected documents and other social engineering tactics. Cosmic Leopard's main tools are Windows and Android malware called GravityRAT, a previously known Windows-based loader named HeavyLift and the GravityAdmin administration tool.

HeavyLift allows hackers to download and install additional malicious implants on a victim's device. Researchers said the malware is similar to Electron software framework GravityRAT variants discovered by Kaspersky in 2020.

Cosmic Leopard began operations as far back as 2016 with GravityRAT, malware first identified by Talos in 2018. The threat actor created Android versions of the Trojan around 2019. "So far, we have observed the use of GravityRAT exclusively by suspected Pakistani threat actors to target entities and individuals in India."

Eset said last year that a Pakistan-based group it tracks as SpaceCobra used an updated version of Android GravityRAT spyware to steal WhatsApp backup files and delete files on victim devices. The group disguised the malware as popular chat applications Bing Chat and Chatico.

Cosmic Leopard's latest infection method to distribute the Trojan is through malicious websites, "some registered and set up as late as early January 2024," that putatively distribute legitimate Android apps. Some variants of the malware contain codenames used to track campaigns in GravityAdmin.

GravityAdmin users have access to a list of machines infected as part of a campaign. "It also has buttons to trigger various malicious actions against one or more infected systems," Talos said. Analysis of the platform showed that the threat actor used domains including and to distribute GravityRAT and HeavyLift.

An infection vector gaining traction within Cosmic Leopard is to contact targets over social media and establish trust before sending a malicious link to download malware.

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.