TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Сloud Security After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets by Nate Nelson May 7, 2026 5 Min Read Application Security 'TrustFall' Convention Exposes Claude Code Execution Risk 'TrustFall' Convention Exposes Claude Code Execution Risk by Jai Vijayan May 7, 2026 6 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America See All The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Partner Perspectives Dark Reading Resource Library Vulnerabilities & Threats Cyber Risk Cyberattacks & Data Breaches ICS/OT Security News Cyber Espionage Group Targets Aviation Firms to Steal Map Data The campaign quietly compromises aerospace and drone operators to exfiltrate GIS files, terrain models, and GPS data and gain a clear picture of adversaries' world view. Robert Lemos , Contributing Writer May 11, 2026 4 Min Read Source: DC Studio via Shutterstock As cyber operations continue to support regional conflicts, threat groups are targeting a wider range of information, including geospatial mapping and global positioning systems (GPS) data that can be used to locate enemy assets and gather information on a rival's own intelligence capabilities, cybersecurity firms warn. One cyber espionage group has used specially crafted phishing and malvertising campaigns to target aerospace firms and drone operators by creating domains and sites that host malware that appears to be installers for legitimate aviation software and resources, according to Kaspersky Lab. The group, dubbed HeartlessSoul, even planted a fake project on SourceForge, a legitimate download service, that resulted in the downloading of a malicious archive. The ultimate goal of the group appears to be collecting geospatial data and information from compromised systems, currently mainly belonging to the Russian government and enterprises, Kaspersky Lab tells Dark Reading. Related: Why Security Leadership Makes or Breaks a Pen Test "[T]his actor is a sophisticated one: combined multi-stage infection, fileless execution and the data the group targets, confirms that it is not just a hacktivist or criminal group, but a motivated group posing a serious threat to organizations," the cybersecurity firm said in its response. With several ongoing regional military conflicts and an increase in interference with global navigation satellite systems (GNSS) , geospatial data has become a more common, if not popular, target for some threat groups. In 2024, for example, the cybercriminal hacker IntelBroker claimed to have breached Space-Eyes , a Miami-based geospatial intelligence firm, although analysts have cast doubt on some of the hacker's claimed exploits. IntelBroker, later identified as British national Kai West, was arrested in June 2025 . The espionage campaigns show signs of sophistication and align with the concerns of nation-states, says Will Baxter, head of product for threat intelligence firm Team Cymru. "The targeting of GIS, drone, and aviation data points to an intelligence-collection or defense-oriented angle, with downstream value across logistics disruption, infrastructure mapping, asset movement tracking, and operational planning," he says. "The most under-appreciated value in GIS theft is operational ground truth — the adversary gets to see exactly what the victim's own analysts believe about terrain, infrastructure, and routes, which lets them model gaps in the victim's own awareness." Geospatial Files, Hidden Commands Related: How Dark Reading Lifted Off the Launchpad in 2006 Once the attackers gain access to databases and workstations used for GIS analysis, HeartlessSoul downloads a variety of common document types, but also some rather uncommon types, including GPS data, Geographic Information System (GIS) shape files, digital geographic relief files, and some proprietary GIS mapping files, Kaspersky Lab stated in its report (in Russian) . "Such GIS files ... allow you to obtain information about infrastructure — roads, engineering networks, terrain, as well as strategic objects, and provide confidential data in engineering, state and industrial organizations," the company stated (Google translated) in the analysis. The attackers used a variety of common techniques in their efforts to compromise systems, including a JavaScript remote access Trojan (RAT) and PowerShell scripts for executing common tasks. Some of the malicious LNK files used a Windows shortcut exploit (ZDI-CAN-25373) , which has become popular in advanced persistent threat (APT) campaigns. Kaspersky Lab has monitored the group through compromised command-and-control infrastructure since at least February. The company traced the group's earliest activities back to at least September 2025. Attribution Uncertain While no Western cybersecurity vendors have identified a group that matches HeartlessSoul, two other Russian cybersecurity firms — Positive Technologies and BI.ZONE — have documented the threat group, with the latter naming the group Versatile Werewolf. Two other threat groups, Paper Werewolf and Eagle Werewolf, also target drone-focused forums and chat channels, such as Telegram, as well as Russian citizens seeking to bypass restrictions on Starlink devices, according to a BI.ZONE analysis . Related: Another AI-Assisted Software Scan Yields 9-Year-Old Linux Bug None of the three companies have publicly attributed the attacks. Paper Werewolf, also known as GOFFEE , appears to link to pro-Ukrainian groups, which initially targeted Russian defense contractors. BI.ZONE noted that the three groups, while given similar names and have adopted similar techniques, appear to be operating autonomously. Defenders should focus on mounting a practical response, hunting for signs of the attackers, and find operational-security failures, Baxter says. Additionally, companies and agencies that use GIS data should protect their crown jewels, focusing on putting specific assets such as flight-planning software behind zero-trust security measures like identity-bound access with egress monitoring, and segmenting engineering networks from general business networks, he says. The business will benefits from reducing operation risk for the most critical systems, without forcing non-critical environments to bear the burden of zero trust for no significant benefit. "It's an asymmetric investment in the small set of workstations that touch crown-jewel data," Baxter says. "Most businesses need flexibility and scale, and a textbook zero-trust posture on every drone-operator or field workstation isn't realistic." About the Author Robert Lemos Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. See more from Robert Lemos Want more Dark Reading stories in your Google search results? Add Us Now More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You How Well Can You See What's in Your Cloud? Implementing CTEM: Beyond Vulnerability Management More Webinars Editor's Choice Threat Intelligence From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber by Dark Reading Editorial Team May 6, 2026 31 Min Read Cyber Risk Physical Cargo Theft Gets a Boost From Cybercriminals Physical Cargo Theft Gets a Boost From Cybercriminals by Robert Lemos May 4, 2026 5 Min Read Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. Subscribe Webinars The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Wed, June 24,2026 at 1pm EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems Tues, May 26, 2026, at 1pm EST Anatomy of a Data Breach: What to Do if it Happens to You June 18th, 2026 |