Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit

Table of Content

• Introduction
• Key Targets
  • Industries Affected
  • Geographical focus
• Infection Chain
• Initial Findings
  • Looking into the Decoy Documents
• Technical Analysis
  • Stage 1 – Analysis of Malicious Executable
  • Stage 2 – Second stage payload dropper
• Infrastructure & Attribution
• Conclusion
• Seqrite Protection
• Indicators of Compromise (IOCs)
• MITRE ATT&CK Mappinga
• Authors

Introduction

SEQRITE Labs has been actively tracking emerging threats and recently identified a campaign targeting professionals and organizations in the Eurasian unmanned aviation sector. The campaign appears to be strategically timed to align with the XIII Eurasian International Forum “Unmanned Aviation 2026,” scheduled for April 23, 2026, in Moscow, a major international event focused on unmanned aerial systems (UAS).

The campaign distributes malicious suspected email attachments through spear phishing, delivering an archive named cai partner.zip. The archive contains a Rust-based executable disguised as a legitimate order confirmation document from the Russian Aeronautical Information Center (ЦАИ/CAI).

In the following sections, we will analyze the phishing lures used in this campaign, followed by a technical analysis of the malicious executable. We will also examine how the file downloads and executes a second-stage payload. Additionally, we will review the infrastructure and C2 communication used, and finally map the observed behavior to MITRE ATT&CK tactics and techniques.

Key Targets

Industries Affected

• Unmanned Aviation Systems (UAS/UAV) sector
• Aeronautical information services

Geographical focus

• Russia
• Tajikistan
• Central Asia
• Middle East & Europe

Infection Chain

Initial Findings

As we were investigating recent ongoing campaigns, we identified a suspicious ZIP file named cai partner (1).zip on the public sandbox, VirusTotal. In the initial observation, we saw that the file was submitted from Russia and had zero detections during it’s first surface against our hunting rules. However, the file name and its contents appeared suspicious, which drew our attention.

Further investigation led us to another archive named cai partner.zip, which serves as the primary carrier of both the lure documents and the malicious executable. Upon extracting the contents of this archive, we observed that it contains four files. One of these is a binary executable named “Подтверждение заказа продукции ЦАИ.exe”, which translates to “Confirmation of order of CAI products.exe”.

In addition to the executable, the archive includes multiple decoy documents such as a PDF, DOCX, and XLSX file, all designed to appear as legitimate business-related documents.

Looking into the Decoy Documents

PDF Lure Document

The first document that caught our attention is a PDF file extracted from the archive. The file is named Certificate of translation.PDF and is designed to appear as a legitimate certification document.

Upon looking into the document, it presents itself as an official translation certificate. It includes details such as document number, date, translator name, signature, and company information (SOMON TRANSLATIONS, Dushanbe, Tajikistan), along with stamps and seals to enhance its authenticity.

Therefore, by looking at the detailing of the document, including the use of multiple languages, formal structure, and official-looking stamps and signatures, it appears that the lure is designed to target professionals involved in international business or translation-related activities.

DOCX Lure Document

After analyzing the document, we found that this file, named Confirmation of CAICA products order and arrangement of a meeting at the Unmanned Aviation – 2026 forum to discuss payment details and sign a long-term contract.docx is similar to the document displayed to the victim immediately after the execution of the malicious executable.

We will analyze this document in detail in the next section, where we demonstrate how it is spawned by the executable during runtime.

XLSX Lure Document

The third document identified within the archive is an Excel file named summary_order_cai_final.xlsx

Upon analyzing the file, we observed that it contains a detailed list of aviation-related products, including navigation databases, NOTAM datasets, electronic AIP collections, and onboard systems for aircraft such as the Boeing 737. The document also specifies quantities, licensing details, update frequencies, and usage remarks, making it appear like a legitimate order summary.

The level of detail and use of industry-specific terminology suggests that this document is designed to target aviation professionals and organizations.

Technical Analysis

In this section, we will examine the technical analysis of the file extracted from the ZIP archive. The executable file which we found is named as Подтверждение заказа продукции ЦАИ.exe, which translates to “Order confirmation for CAI products.exe”

Upon reviewing the metadata using static analysis tools, we identified that this file is a 64-bit Windows executable compiled in the Rust programming language. We then proceeded to analyze the malicious functionality of the executable, which we have divided into two stages: The first stage focuses on the activities performed by the executable on the victim’s machine and the second stage covers how the executable downloads and drops a second-stage payload from a remote server depending on the threat actor, what it tries to download on the victim machines.

Stage 1 – Analysis of Malicious Executable

Upon initially looking into the malicious executable, we found that it performs executing a .docx file, which we discussed above, acting as one of a decoy, diverting victim’s attention.

Decoy Document Execution

We observed that a document is explicitly embedded within the executable. Immediately after execution, this document is displayed on the user’s screen to distract the victim and create the illusion of a benign application.

The lure document contains a business message content written in Russian, signed by “Olimov J.M.” It is designed to look like a real message from an aviation company involved in a long-term business deal.

It mentions aviation-related products such as Aerolotsia PRO licenses, NOTAM databases, AIP Russia and CIS, and aeronautical charts for aircraft like Boeing 737, IL-76, and Boeing 777F. It also includes tablet licenses. The level of detail, including license numbers and regions, makes the message appear very realistic.

It also mentions the upcoming event “Unmanned Aviation 2026” in Moscow on April 23, suggesting that the threat actor is specifically targeting Russian-speaking victims who may be attending the event.

System Fingerprinting

After executing the decoy document, the malware immediately begins collecting system information to build a unique victim profile.

The malware retrieves the machine hostname using GetComputerNameExW and the C: drive volume serial number using GetVolumeInformationW. These values are then XOR-combined and converted into a decimal string representation, forming a unique machine identifier for the victim’s system.

Environment & Network Reconnaissance

After creating a unique ID for the victim’s machine, the malware collects more information about the system and network. This step is handled by an internal module and focuses on both user and network details.

First, the malware gathers important environment variables:

• USER – the currently logged-in username
• USERDNSDOMAIN – the domain name
• COMPUTERNAME – the system hostname
• USERPROFILE – the user’s profile path

 

Next, the malware collects network information. It scans all network adapters using GetAdaptersAddresses and retrieves their IPv4 addresses. These IP addresses are converted into readable format using InetNtopW. It also collects adapter names and DNS-related information.

All this data is then organized and prepared to be sent to the command-and-control (C2) server.

Exfiltration

The malware collects all the victim’s information and converts it into a JSON format using a library called serde_json. It builds this JSON step by step, adding each piece of data as a key-value pair.

After creating the JSON data, the malware encrypts it using a simple XOR method. This encrypted data is then sent to the server After creating the JSON data, the malware encrypts it using a simple XOR method. This encrypted data is then sent to the server cdn[.]kleymarket[.]ru over HTTPS (port 443) using an HTTP POST request.

Stage 2 – Second stage payload dropper

In the second stage, we will cover the malware shifts from data collection to delivering the final payload. After receiving an encrypted response from the C2 server, the malware decrypts the payload using multi-step decryption algorithms, and extracts the payload. The malware then saves the payload with a random filename inside one of the directories and executes it on the victim machine.

Payload Decryption

The encrypted payload from the C2 server is decrypted in multiple steps. The malware first extracts two values from the server response, which are used as the AES key. It then decrypts the payload using AES-256 in blocks.

Payload Drop & Execution

After the decryption of the payload, the malware creates a random 6-character filename using letters and numbers, and adds the .exe extension. The malware writes the payload directly to disk using NtWriteFile. It saves the file either in one of these locations:

• %USERPROFILE%\Documents\<random>.exe
• C:\Users\Public\Documents\<random>.exe

Finally, the malware executes the decrypted payload using the CreateProcessA API. The full path to the dropped executable is passed directly as the command line, with no parent application name specified, launching a new process on the victim machine.

Now, in the next section, we will look into the infrastructure and attribution aspects of the campaign.

Infrastructure & Attribution

We analyzed the command-and-control (C2) infrastructure used in this campaign and found that the domain hxxp://kleymarket[.]ru was recently registered, just 9 days prior to our analysis. At the time of investigation, it was not flagged as malicious by any security vendors.

Passive DNS data reveals that the domain has resolved to multiple IP addresses over time, including:

45[.]142[.]36[.]76, 92[.]62[.]113[.]232, and 89[.]108[.]110[.]154

The most recent resolution, dated 2026-04-02, points to 45[.]142[.]36[.]76, which appears to be the active C2 server used in this campaign. In contrast, older records from 2019 indicate that the domain was previously used for other purposes before being reused for this activity.

Further analysis using Validin confirms that the domain and its associated subdomain resolve to the IP address 45[.]142[.]36[.]76, which appears to be the active C2 infrastructure used in this campaign. This IP is hosted under AS48347 (MTW-AS), a Russian autonomous system, with an approximate location in Moscow, Russia.

At the time of writing, we are not attributing this campaign to any known threat actor. However, the observed tactics, infrastructure, and social engineering elements suggest a well-planned and targeted operation. Given the campaign’s stealthy delivery mechanism and aviation-themed targeting, we have named this campaign as “Operation Silent Rotor”. The campaign appears to be carefully timed to align with the “Unmanned Aviation 2026” forum in Moscow, indicating a focus on aviation professionals who are likely to attend or be associated with the event.

Conclusion

SEQRITE Labs has identified a targeted spear phishing campaign affecting professionals in the Eurasian unmanned aviation sector. The campaign uses realistic aviation-related documents to gain the victim’s trust, with content linked to the “Unmanned Aviation 2026” forum in Moscow. The delivered malware is a Rust-based executable that collects system information, communicates with a remote server over encrypted HTTPS, and downloads a second-stage payload for execution.

The infrastructure used in this campaign is minimal and short-lived, relying on a newly registered .ru domain. At the time of writing, we are not attributing this campaign to any known threat actor. However, the use of Russian-language lures and context-specific content suggests that the campaign is regionally focused and targets victims within the same ecosystem.

Seqrite Protection

Trojan.Win64

Indicators of Compromise (IOCs)

Hash (SHA-256)	File
5936f42ffd7fa7896eeae725b60a5d26bbf3e5a84712671ef5da0138ee5d58f60	Подтверждение заказа продукции ЦАИ.exe
fdef9e489f773319f55f92f712d1b7b5447d59a632b8f4173d1b161d3759ad92	cai partner (1).zip
57e26f6e3b311a1064c946b69159ee05abedf9228b2f95c65536429e7ac7fb24	cai partner.zip
a7bd8869293212e1671df90d2d41b96d4933eb9408b1111bd830e111a91bb202	Certificate of translation.PDF
2064ef387ac9e51ba72b32004d99e8a0b291dbab24ed8db30f437abf1b40cb49	Confirmation of CAICA products order and arrangement of a meeting at the Unmanned Aviation – 2026 forum to discuss payment details and sign a long‑term contract.docx
89f8e42c825d09a0a50e99bbf7304d7037be33ea362a57d34f87fa7981f80126	summary_order_cai_final.xlsx

URLs

45[.]142[.]36[.]76

cdn[.]kleymarket[.]ru

MITRE ATT&CK Mapping

Tactic	Technique ID	Technique Name
Initial Access	T1566.001	Phishing: Spearphishing Attachment
Execution	T1204.002	User Execution: Malicious File
Execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell
Execution	T1106	Native API
Defense Evasion	T1036.004	Masquerading: Match Legitimate Name or Location
Defense Evasion	T1027	Obfuscated Files or Information
Defense Evasion	T1140	Deobfuscate/Decode Files or Information
Discovery	T1082	System Information Discovery
Discovery	T1016	System Network Configuration Discovery
Discovery	T1033	System Owner/User Discovery
Discovery	T1083	File and Directory Discovery
Command and Control	T1071.001	Application Layer Protocol: Web Protocols
Command and Control	T1090.001	Proxy: Internal Proxy
Exfiltration	T1041	Exfiltration Over C2 Channel
Impact	T1105	Ingress Tool Transfer

Authors

Priya Patel

Rayapati Lakshmi Prasanna Sai