"Cosmic Leopard" is a threat actor that has been targeting Indian officials with Trojans since 2016, according to Cisco Talos. The group began its operations using GravityRAT, a malware first identified by Talos in 2018. Cosmic Leopard's main tools include the Windows and Android malware GravityRAT, a known Windows-based loader named HeavyLift, and the GravityAdmin administration tool. Despite overlaps with other known groups such as Transparent Tribe, APT36, and Mythic Leopard, Talos stated that there is not yet enough technical evidence to definitively link these threat actors. However, Talos attributes Cosmic Leopard to a Pakistan nexus with high confidence.
Cosmic Leopard has been involved in a multiyear, multicampaign effort dubbed "Operation Celestial Force," which has infected Windows and Android devices with Trojans. One of the group's emerging infection vectors involves contacting targets over social media, establishing trust, and then sending a malicious link to download the malware. More recently, Cosmic Leopard has also distributed its Trojan through malicious websites, some of which were registered and set up as recently as early January 2024, posing as distribution sites for legitimate Android apps.
The cybersecurity landscape continues to be complex and dynamic, with entities like Cosmic Leopard posing significant threats. Countries like Pakistan and China frequently target Indian organizations in cyber operations, with recent activities from Cosmic Leopard being a case in point. As the threat intelligence division of a networking manufacturer, Cisco Talos plays a crucial role in identifying and tracking such threat actors, thereby contributing to the broader effort to safeguard digital assets and infrastructure.
Description last updated: 2024-08-26T05:15:33.141Z