HeartlessSoul APT Targets Russian Aviation and Government with GIS Data Theft
A cyber-espionage group dubbed **HeartlessSoul** has been actively targeting Russian government agencies and companies within the aviation sector. The group's primary objective appears to be the theft of sensitive geospatial data, utilizing sophisticated phishing and malware distribution techniques.
A cyber-espionage group has been targeting Russian government agencies and companies in the aviation industry to steal sensitive geospatial data, according to a report released this week.
The group, known as **HeartlessSoul**, has been active since at least September 2025 and has carried out cyberattacks designed to infiltrate Russian organizations and individual users, researchers at Russian cybersecurity firm **Kaspersky** said.
### Targeted Data: Geospatial Information Systems (GIS)
The attackers appear particularly interested in obtaining geographic information system (GIS) data, specialized file formats that can reveal detailed information about infrastructure such as roads, engineering networks, terrain and potentially strategic facilities. Such files are commonly used by engineering, government and industrial organizations and can contain detailed mapping data.
"Analysis of the HeartlessSoul group's activity shows a targeted interest by the attackers in enterprises within Russian industry with the aim of obtaining confidential data, particularly geospatial information," the researchers said.
### Infection Vectors: Phishing and Malicious Advertising
The hackers primarily gain access through phishing emails containing infected archive files. They also run malicious advertising campaigns that mimic websites offering software used in aviation systems, tricking victims into downloading infected installers.
In some cases, the attackers created domains that imitated aviation-related resources and used them to distribute malware disguised as legitimate software. Once downloaded, the files automatically launch the infection process.
Researchers also found that the group used the legitimate software hosting platform **SourceForge** to distribute malware. There, the attackers uploaded a fake version of GearUP, a service designed to improve connection quality in online games. Users searching for the tool could instead download a malicious archive that installed spyware.
### Malware Capabilities
Once inside a victim's device, the malware can collect extensive data, including screenshots, keystrokes, browser data and files stored on the system. It can also extract login credentials from the messaging app **Telegram** and determine the device's location.
### Link to Goffee APT
During their investigation, **Kaspersky** researchers also identified links between HeartlessSoul and another hacking group known as **Goffee**, which has previously targeted Russian systems and was known for stealing sensitive files from flash drives connected to infected computers.
The overlap may indicate coordinated or related operations, **Kaspersky** said.
### Wider Targeting Scope?
Although **Kaspersky** said the main target of HeartlessSoul's recent campaign was the aviation industry, independent Russian cybersecurity analyst Oleg Shakirov said the malware described by the researchers was also distributed through files disguised as FPV drone simulators and tools designed to bypass restrictions on the satellite internet service **Starlink**.
If confirmed, that could suggest the attacks were aimed not just at aviation companies but at drone operators, communications specialists or other military personnel, he wrote on his Telegram channel.
