Cybersecurity firms have warned that modern cyber warfare is evolving rapidly, with threat groups increasingly targeting geospatial mapping systems and GPS data as part of regional conflicts. The stolen information can be used to pinpoint enemy infrastructure, track critical assets, and assess the intelligence strengths and weaknesses of opposing nations. Researchers note that these operations highlight how cyberattacks are becoming deeply integrated with broader military and espionage activities. 

According to Kaspersky, the cyber espionage group HeartlessSoul has been targeting aerospace firms and drone operators using carefully designed phishing campaigns and malicious online advertisements. The attackers set up fraudulent websites and domains that appeared to offer trusted aviation tools and resources, but instead delivered malware to victims’ systems. Investigators also discovered that the group abused SourceForge by hosting a fake project that secretly distributed a malicious compressed archive. 

The rise in regional armed conflicts and growing disruptions involving global navigation satellite systems (GNSS) have made geospatial intelligence data an attractive target for cybercriminals and espionage groups. Researchers say attackers are increasingly focusing on mapping and satellite-related information that could support surveillance and military objectives. One notable example came in 2024, when the hacker IntelBroker claimed to have breached Space-Eyes, though analysts have expressed skepticism regarding some of the threat actor’s past breach claims.

Kaspersky revealed in its Russian-language report that the HeartlessSoul cyber espionage group steals both standard documents and highly specialized geospatial files after compromising GIS analysis systems and databases. The attackers reportedly download GPS datasets, GIS shapefiles, digital terrain and relief files, as well as proprietary mapping formats used in advanced geographic analysis, indicating a focused effort to collect sensitive geospatial intelligence.

"Such GIS files ... allow you to obtain information about infrastructure — roads, engineering networks, terrain, as well as strategic objects, and provide confidential data in engineering, state and industrial organizations," the company stated (Google translated) in the analysis. 

To infiltrate systems, the threat actors employed a combination of common tools such as JavaScript remote access Trojans (RATs) and PowerShell scripts designed to automate and execute malicious tasks. Investigators noted that certain malicious LNK files exploited the Windows shortcut vulnerability tracked as ZDI-CAN-25373, a technique that has gained popularity among sophisticated APT groups in recent cyber espionage operations.