How Has Operation Celestial Force Evolved Across OSes?

In the shadows of cyberspace, Operation Celestial Force casts a long and ever-changing silhouette. Attributable to adversaries with ties to Pakistan, this advanced and persistent malware campaign illustrates a stark evolution in the ways cyber threats target and infiltrate systems. Since its inception in 2018, it has ceaselessly morphed, demonstrating the chilling adaptability and tenacity of modern-day malware tactics. As this treacherous campaign continues to extend its reach across various operating systems—from Windows to Android and macOS—the emerging dynamic of cybersecurity is clear: defense strategies must evolve swiftly to combat these advancing offensive maneuvers.

Unpacking the Genesis of Operation Celestial Force

Operation Celestial Force first made its mark with the moniker CosmicLy Leopard or SpaceCobra, engendering a fusion of crafty spear-phishing and social engineering that compromised a slew of targets, mainly across the Indian subcontinent. The malevolence behind these actions seems intricately designed, resonating with the methodologies of the notorious Transparent Tribe group. The campaign’s underpinnings reveal a well-orchestrated effort to erode trust and security, pinpointing the ceaseless sophistication these adversaries employ and setting the groundwork for an extensive and successful operation. This unwavering modus operandi not only showcases the determination of the threat actors but also foreshadows the evolutionary path the campaign would undertake.

Over the years, Operation Celestial Force has transcended beyond its initial stages. Initially aimed at surveilling its victims through compromised links, the operation has since cultivated a multifaceted approach to cyber espionage. The aggressors behind this campaign prove extremely adept at fostering trust, methodically seducing their targets into a false sense of security. This long con is still proving successful, with people inadvertently opening the doors to their digital lives, unaware that they’re inviting in an invisible adversary capable of extracting sensitive information with silent proficiency.

GravityRAT – The Multi-Platform Tool of Choice

A cornerstone of this campaign’s escalating threat lies with GravityRAT—a malware too versatile to be confined to just one operating system. Though originally cast as a tool within the Windows realm, its metamorphosis into Android and macOS terrains is a striking illustration of the campaign’s ambition. Masquerading as inconspicuous cloud storage, entertainment, and chat applications, GravityRAT creeps into the devices of selected individuals. Particularly alarming is its focus on military personnel, revealing the adversary’s strategic targeting, indicative of state-sponsored intelligence gathering. The operational shift of GravityRAT to a wider OS purview not only magnifies its reach but also embodies a major step forward in cyberwarfare, where the diversity of platforms is no longer a barrier.

The evolution of GravityRAT conveys a disturbing narrative; one where adversaries cloak their insidious intent behind everyday digital conveniences. The transformation of this malware from a Windows-exclusive agent to an across-the-board menace is a testament to the cunning of those behind Operation Celestial Force. They expertly forge weapons—that appear to users as benign applications—aimed at a previously inconceivable range of digital platforms. Their success at piercing through system defenses undetected, to mine a wealth of information, rings an alarm for the vulnerability of personal and professional data alike.

The Rise of HeavyLift in the Cyber Arsenal

Another cog in the expansive wheel of Operation Celestial Force is HeavyLift, a Windows malware loader now modified to threaten macOS systems as well. Leveraging the Electron platform, HeavyLift indicates the threat actor’s proficiency in integrating stealth and efficacy within its code. By employing deceit, attackers distribute the loader through what appear to be harmless installers, allowing it to burrow into systems and execute tasks at the behest of its remote command-and-control unit. The Electron-based pedigree of HeavyLift also nods to its predecessors documented by Kaspersky, affirming a lineage of tools designed for covert agendas.

HeavyLift is a formidable addition to this malicious ensemble, boasting capabilities that allow thorough infiltration of the host system’s metadata and providing a runway for additional payloads. Its progression to affect macOS is not just a widening of its operational scope but a clear signal of the campaign’s intention to adapt and overcome platform-based limitations. The agile nature of HeavyLift posits a worrisome outlook for the future trajectory of malware development, insinuating a silent and deadly precision with which cybersecurity paradigms may be targeted and undercut.

The Central Command – GravityAdmin

In the labyrinth of cyber threat operations, control is key—and GravityAdmin stands as the linchpin for Operation Celestial Force. Tasked with the orchestration of compromised systems, GravityAdmin flaunts bespoke user interfaces for campaigns like ‘FOXTROT’ and ‘CRAFTWITHME,’ demonstrating the methodical planning behind the operation’s complex structure. Since its estimated advent in August 2021, this command-and-control tool has fortified the architecture of the campaign, streamlining the management and intensifying the potency of these concurrent assaults.

GravityAdmin illustrates a pivotal enhancement to Operation Celestial Force’s effectiveness, enabling the seamless interaction with an intricate network of infected devices. Each UI variant cordons off a discrete slice of their orchestrated chaos, with the ‘FOXTROT’ attacks haunting Android users and ‘CRAFTWITHME’ entrapping Windows systems under the guise of HeavyLift. By managing these bifurcated operations under one sinister umbrella, GravityAdmin concretizes the campaign’s command structure, revealing glimpses into the intention and reach of its perpetrators.

The Implications of Evolving Multi-Platform Threats

In the digital underbelly, the enigmatic Operation Celestial Force looms large, its contours continually shifting. Linked to entities with Pakistani connections, this sophisticated and relentless cyberattack initiative marks a striking progression in digital threat tactics aimed at penetrating technological defenses. Since bursting onto the scene in 2018, it has been consistently evolving, showcasing the frightening flexibility and determination characteristic of contemporary malware strategies. With its tentacles spreading to touch a variety of platforms, including Windows, Android, and macOS, it’s a vivid reminder that to stay ahead, cyber defense methodologies need to be as dynamic and aggressive as the threats they’re up against. This complex web of online aggression underlines the hard truth: only the nimblest and most updated defense measures can hope to keep pace with such sophisticated cyber offensives.

Explore more

Compliance Drives Regulated B2B Influencer Marketing in 2026

The shifting landscape of digital authority has fundamentally transformed how enterprise-level organizations engage with industry experts and thought leaders across global markets. As the professional world moves deeper into this period of technological saturation, the superficial tactics of the past have been replaced by a rigorous commitment to transparency and legal precision. In earlier years, the simple inclusion of a

Transforming Voice of the Customer Into Predictive Action

Corporate boardrooms often overflow with real-time dashboards and complex analytics, yet many organizations still find themselves blindsided by sudden shifts in customer loyalty and market demand. While the technology to capture feedback has become ubiquitous, the structural ability to interpret and act upon that data in a meaningful timeframe remains remarkably rare for the average enterprise. Most traditional systems are

How Will Databricks CustomerLake Redefine Agentic Marketing?

The ongoing evolution of the digital landscape has forced a radical reconsideration of how enterprises capture, process, and ultimately utilize the vast oceans of consumer data generated every second of the day. Modern marketing departments have long struggled with the paradox of having too much information but not enough actionable insight to drive meaningful consumer interactions in real time. The

How Can Small Banks Compete With Global Financial Giants?

Nikolai Braiden has seen the evolution of financial architecture from its early blockchain roots to the current wave of institutional modernization, and today he joins us to dissect a pivotal shift in venture capital. With BankTech Ventures recently deploying $15 million into AI and stablecoin solutions, the landscape for regional banking is undergoing a profound transformation. Braiden’s perspective as an

Bullski Presale Tops the List of Best Meme Coins for 2026

The current cryptocurrency market in 2026 has transitioned into a highly sophisticated arena where institutional standards and community-driven viral momentum converge to create unique financial opportunities. Investors are no longer satisfied with speculative assets lacking fundamental safeguards, leading to a significant shift toward projects that prioritize technical transparency and structured growth. In this evolving landscape, the Bullski presale has emerged