Researchers uncovered a spear-phishing campaign, dubbed Operation Layover, that has been targeting the aviation industry. The attacker is believed to be based in Nigeria.

What has happened?

The attackers are successfully running small campaigns for more than five years, out of which the last two years have been specifically focused on the aviation industry. They always used off-the-shelf malware in their operations.
  • According to researchers, the group remained under the radar using crypters available on cybercrime forums. The investigation started after a tweet from Microsoft described the AsyncRAT attack.
  • The spear-phishing messages use lure documents crafted to target the aviation or cargo industry. The documents pretend to be PDF files, although they lead to a VBScript file hosted on Google Drive.
  • The VBScript file eventually leads to the delivery of RATs such as AsyncRAT and njRAT. Both RATs are most widely used among cybercriminals. In addition, Cybergate RAT and a batch file are used to download and run other malware.

What makes them unstoppable

While the campaign has been active for five years, the evidence suggests that the threat actor has been active since 2013, and mostly involved in information stealing. Researchers claim that even exposing such campaigns won't bring their activity to halt.
  • In the ongoing campaign, attackers can change their attack vector and continue stealing from victims.
  • The information stolen by the attackers includes web cookies, tokens, and valid credentials, that are normally valuable in the dark web market. 
  • In such small campaigns, attackers usually abandon their C2 hostnames after being exposed.


Since these attacks are difficult to track, they are likely to continue in the near future. Organizations must understand that simple phishing attacks can have severe consequences, and hence, provide training to employees on how to spot spam emails before a catastrophe strikes.

Cyware Publisher