Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit
Operation Silent Rotor is a medium-severity spear phishing campaign targeting professionals in the Eurasian unmanned aviation sector. The attack coincides with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow and uses malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware collects system information, encrypts it, and exfiltrates it to a command-and-control server over HTTPS. It then downloads a second-stage payload, decrypts it with AES-256, and executes it. The campaign employs realistic aviation-themed social engineering to compromise victims across Russia, Tajikistan, Central Asia, the Middle East, and Europe.
AI Analysis
Technical Summary
This campaign delivers Rust-based malware via spear phishing emails targeting the unmanned aviation sector in Eurasia, timed with a major aviation forum in Moscow. The initial payload is disguised as legitimate aviation documents in Russian and collects system details such as hostnames, volume serial numbers, network adapter information, and environment variables. The collected data is XOR-encrypted and exfiltrated over HTTPS to a C2 server. A second-stage payload is then downloaded, decrypted with AES-256, and executed. The attack uses multi-stage payloads and advanced social engineering with aviation order documents, translation certificates, and product summaries to increase credibility and target professionals in Russia, Tajikistan, Central Asia, the Middle East, and Europe.
Potential Impact
The malware collects sensitive system information and exfiltrates it to an attacker-controlled server, potentially enabling further compromise through the downloaded second-stage payload. The campaign targets critical sectors related to unmanned aviation, which could impact operational security and confidentiality. No known exploits in the wild or direct destructive payloads are reported at this time.
Mitigation Recommendations
No official patch or vendor advisory is available for this campaign. Organizations in the unmanned aviation sector should increase awareness of spear phishing threats, especially those timed with industry events. Users should be cautious of unsolicited emails containing archives or executables, even if they appear to be legitimate aviation documents. Network defenses should monitor for unusual HTTPS traffic to suspicious domains such as kleymarket.ru and related IP addresses. Incident response teams should use the provided indicators of compromise (hashes, IPs, domains) to detect and block this malware. Patch status is not yet confirmed — check vendor advisories for updates.
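One way to implement the domain monitoring recommended above, as an added example that is not part of the original advisory: it flags proxy or DNS log destinations that are the named domain or any subdomain of it, without matching lookalike hostnames. The three-field log layout, the function names, and the sample lines (including the subdomain label in them) are constructed assumptions.

```python
# Added example: match proxy/DNS log destinations against the campaign domain.
from urllib.parse import urlsplit

# Domain named in the advisory text; subdomains are matched by suffix.
IOC_DOMAINS = {"kleymarket.ru"}

def normalize_host(value):
    """Return a bare lowercase hostname from a URL, host:port or FQDN."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value          # let urlsplit parse host[:port][/path]
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")           # DNS logs often carry the root dot

def matches_ioc(host, domains=IOC_DOMAINS):
    """True for the domain itself or any subdomain, never for lookalikes."""
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in domains)

def scan(lines):
    """Return (line_no, host) for log lines whose destination matches."""
    hits = []
    for no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue                  # malformed line, skip
        if matches_ioc(fields[2]):
            hits.append((no, normalize_host(fields[2])))
    return hits

# Constructed sample log (timestamp, client, destination); not real traffic.
SAMPLE_LOG = [
    "2026-05-07T08:01:02Z 10.0.0.15 https://kleymarket.ru/",
    "2026-05-07T08:01:05Z 10.0.0.15 SUB.KLEYMARKET.RU.:443",
    "2026-05-07T08:02:11Z 10.0.0.22 notkleymarket.ru:443",
    "2026-05-07T08:02:40Z 10.0.0.22 kleymarket.ru.example.com",
    "2026-05-07T08:03:00Z 10.0.0.31 https://example.org/?ref=kleymarket.ru",
    "truncated-line",
]

if __name__ == "__main__":
    for no, host in scan(SAMPLE_LOG):
        print(f"line {no}: {host}")
```

Only the first two sample lines match; the lookalike, the domain used as a prefix of another zone, and the domain appearing in a query string are deliberately left unflagged.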
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/operation-silent-rotor-rust-malware-unmanned-aviation-sector/
- Adversary: null
- Pulse Id: 69fb57e600c03f5a6ac63de0
- Threat Score: null
Threat ID: 69fc528acbff5d8610c7336e
Added to database: 5/7/2026, 8:51:22 AM
Last enriched: 5/7/2026, 9:06:31 AM
Last updated: 5/7/2026, 2:29:25 PM