28 March 2024

Cyber spies strike Indian government and energy sectors


A sophisticated threat actor has been targeting Indian government entities and the energy sector as part of a recent cyber espionage campaign.

Dubbed “Operation FlightNight,” the campaign was first observed on March 7, 2024, by analysts at cybersecurity firm EclecticIQ.

The operation employed a modified version of HackBrowserData, an open-source information stealer. According to the researchers, the tool was extended with new functionality, such as communication via Slack channels and document exfiltration.

The attack vector was phishing emails posing as official invitations from the Indian Air Force. The emails carried an ISO file containing malware disguised as a harmless PDF document; opening a shortcut (LNK) file inside the mounted ISO launched the malware and started the data exfiltration process.

EclecticIQ found that the attacker operated within Slack channels, dubbing each channel “FlightNight.” These channels served as exfiltration points for stolen data, which included confidential government documents, private email correspondence, and cached web browser data. The targeted entities spanned various government agencies responsible for electronic communications, IT governance, and national defense.
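The two behaviours described above, a program launched from a user-mounted ISO image and Slack traffic coming from something other than a Slack client, are both observable in ordinary endpoint telemetry. The following is an added detection sketch written for this article, not code from EclecticIQ or from the HackBrowserData project. The event schema, the sample events, the allow-list of processes expected to talk to Slack and the choice of `slack.com` as the only Slack domain are all assumptions made for the example.

```python
"""Defender-side detection sketch for two behaviours from the FlightNight
write-up: (1) explorer.exe starting a program from a drive letter that was
mounted from an .iso file, and (2) a connection to Slack from a process that
is not an expected Slack client. Event schema and data are constructed."""
from pathlib import PureWindowsPath

# Constructed sample telemetry; field names are this example's own, not those
# of any particular EDR product, and the paths are invented for illustration.
SAMPLE_EVENTS = [
    {"type": "image_mount", "host": "ws01", "user": "alice",
     "source": r"C:\Users\alice\Downloads\Invitation.iso", "drive": "E:"},
    {"type": "process_create", "host": "ws01", "user": "alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"E:\Invitation.exe"},                      # launched via LNK
    {"type": "process_create", "host": "ws01", "user": "alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Acrobat\Acrobat.exe"},   # benign
    {"type": "network_connect", "host": "ws01",
     "image": r"E:\Invitation.exe",
     "dest_host": "slack.com", "dest_port": 443},         # suspicious
    {"type": "network_connect", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\slack\slack.exe",
     "dest_host": "slack.com", "dest_port": 443},         # expected client
    {"type": "network_connect", "host": "ws02",
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.example.net", "dest_port": 443},  # unrelated
]

# Assumption: only these binaries are expected to reach Slack in this estate.
ALLOWED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SLACK_DOMAINS = ("slack.com",)  # assumption: extend with other Slack domains


def _basename(path):
    return PureWindowsPath(path).name.lower()


def iso_launch_alerts(events):
    """Alert when explorer.exe starts a program located on a drive letter that
    an earlier event on the same host mounted from an .iso file."""
    iso_drives = {}  # (host, drive letter) -> path of the mounted image
    alerts = []
    for ev in events:
        if ev["type"] == "image_mount" and ev["source"].lower().endswith(".iso"):
            iso_drives[(ev["host"], ev["drive"].upper())] = ev["source"]
        elif ev["type"] == "process_create":
            key = (ev["host"], PureWindowsPath(ev["image"]).drive.upper())
            if key in iso_drives and _basename(ev["parent_image"]) == "explorer.exe":
                alerts.append({"rule": "exec_from_mounted_iso", "host": ev["host"],
                               "user": ev["user"], "image": ev["image"],
                               "iso": iso_drives[key]})
    return alerts


def slack_exfil_alerts(events):
    """Alert on connections to a Slack domain from a non-allow-listed process."""
    alerts = []
    for ev in events:
        if ev["type"] != "network_connect":
            continue
        dest = ev["dest_host"].lower()
        if not any(dest == d or dest.endswith("." + d) for d in SLACK_DOMAINS):
            continue
        if _basename(ev["image"]) not in ALLOWED_SLACK_CLIENTS:
            alerts.append({"rule": "slack_from_unexpected_process",
                           "host": ev["host"], "image": ev["image"],
                           "dest_host": ev["dest_host"]})
    return alerts


def run_detections(events):
    """Run both rules and return the combined alert list."""
    return iso_launch_alerts(events) + slack_exfil_alerts(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow. The ISO rule keys on the mount-then-launch sequence rather than on a file name, so it is not tied to the "invitation" lure; in production it will need tuning for users who legitimately mount installer images, for example by restricting the mount source to user-profile directories. The Slack rule is only as good as the allow-list, and a browser on it can still be abused, so it is best treated as a correlation signal next to the ISO rule rather than a stand-alone detection.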

Additionally, private Indian energy companies fell victim to the intrusion, with financial documents and sensitive operational details compromised.

The researchers said that the threat actor was able to exfiltrate 8.81 GB of data, including information that could facilitate further intrusions into critical government infrastructure.
