
    Cyber Espionage Group Targets Aviation Firms to Steal Map Data

    By admin | May 11, 2026

    As cyber operations continue to support regional conflicts, threat groups are targeting a wider range of information, including geospatial mapping and global positioning systems (GPS) data that can be used to locate enemy assets and gather information on a rival’s own intelligence capabilities, cybersecurity firms warn.

    One cyber espionage group has used specially crafted phishing and malvertising campaigns to target aerospace firms and drone operators, creating domains and sites that host malware disguised as installers for legitimate aviation software and resources, according to Kaspersky Lab. The group, dubbed HeartlessSoul, even planted a fake project on SourceForge, a legitimate download service, that resulted in the download of a malicious archive.

    The ultimate goal of the group appears to be collecting geospatial data and information from compromised systems, currently mainly belonging to the Russian government and enterprises, Kaspersky Lab tells Dark Reading.

    “[T]his actor is a sophisticated one: combined multi-stage infection, fileless execution and the data the group targets, confirms that it is not just a hacktivist or criminal group, but a motivated group posing a serious threat to organizations,” the cybersecurity firm said in its response.

    With several ongoing regional military conflicts and an increase in interference with global navigation satellite systems (GNSS), geospatial data has become a more common, if not popular, target for some threat groups. In 2024, for example, the cybercriminal hacker IntelBroker claimed to have breached Space-Eyes, a Miami-based geospatial intelligence firm, although analysts have cast doubt on some of the hacker’s claimed exploits. IntelBroker, later identified as British national Kai West, was arrested in June 2025.

    The espionage campaigns show signs of sophistication and align with the concerns of nation-states, says Will Baxter, head of product for threat intelligence firm Team Cymru.

    “The targeting of GIS, drone, and aviation data points to an intelligence-collection or defense-oriented angle, with downstream value across logistics disruption, infrastructure mapping, asset movement tracking, and operational planning,” he says. “The most under-appreciated value in GIS theft is operational ground truth — the adversary gets to see exactly what the victim’s own analysts believe about terrain, infrastructure, and routes, which lets them model gaps in the victim’s own awareness.”

    Geospatial Files, Hidden Commands

    Once the attackers gain access to databases and workstations used for GIS analysis, HeartlessSoul downloads a variety of common document types, but also some rather uncommon types, including GPS data, Geographic Information System (GIS) shape files, digital geographic relief files, and some proprietary GIS mapping files, Kaspersky Lab stated in its report (in Russian).

    “Such GIS files … allow you to obtain information about infrastructure — roads, engineering networks, terrain, as well as strategic objects, and provide confidential data in engineering, state and industrial organizations,” the company stated (Google translated) in the analysis.

    The attackers used a variety of common techniques in their efforts to compromise systems, including a JavaScript remote access Trojan (RAT) and PowerShell scripts for executing common tasks. Some of the malicious LNK files used a Windows shortcut exploit (ZDI-CAN-25373), which has become popular in advanced persistent threat (APT) campaigns.

    Kaspersky Lab has monitored the group through compromised command-and-control infrastructure since at least February. The company traced the group’s earliest activities back to at least September 2025.

    Attribution Uncertain

    While no Western cybersecurity vendors have identified a group that matches HeartlessSoul, two other Russian cybersecurity firms — Positive Technologies and BI.ZONE — have documented the threat group, with the latter naming the group Versatile Werewolf. Two other threat groups, Paper Werewolf and Eagle Werewolf, also target drone-focused forums and chat channels, such as Telegram, as well as Russian citizens seeking to bypass restrictions on Starlink devices, according to a BI.ZONE analysis.

    None of the three companies has publicly attributed the attacks. Paper Werewolf, also known as GOFFEE, appears to be linked to pro-Ukrainian groups, which initially targeted Russian defense contractors. BI.ZONE noted that the three groups, while given similar names and having adopted similar techniques, appear to be operating autonomously.

    Defenders should focus on mounting a practical response, hunting for signs of the attackers, and finding operational-security failures, Baxter says.

    Additionally, companies and agencies that use GIS data should protect their crown jewels, focusing on putting specific assets such as flight-planning software behind zero-trust security measures like identity-bound access with egress monitoring, and segmenting engineering networks from general business networks, he says.

    The business benefits from reducing operational risk for the most critical systems, without forcing non-critical environments to bear the burden of zero trust for no significant benefit. “It’s an asymmetric investment in the small set of workstations that touch crown-jewel data,” Baxter says. “Most businesses need flexibility and scale, and a textbook zero-trust posture on every drone-operator or field workstation isn’t realistic.”
