Home Cyber Attack Operation Layover Malware Campaign Targeted Aviation Industry For Five Years

Operation Layover Malware Campaign Targeted Aviation Industry For Five Years

by Abeerah Hashim
Operation Layover malware campaign targeting aviation industry

Researchers have unveiled a serious malware campaign, dubbed “Operation Layover” that was found targeting the aviation industry for years. While the threat actor uses off-the-shelf malware, the addition of crypters makes the campaign difficult to detect.

Operation Layover Targeting Aviation Industry

In a recent report, researchers from Cisco Talos have shared insights about a sneaky malicious campaign targeting the airline sector.

Identified as “Operation Layover”, this malware campaign doesn’t employ any custom-made malware for the aviation industry. Rather the threat actor uses “other’s malware” but enhances the stealthiness by wrapping them in crypters. Again, the threat actor buys these crypters for this purpose.

This reliance on external resources makes the threat actor look unsophisticated. Nonetheless, still, the attacker managed to run such malicious campaigns for at least five years. Whereas, these campaigns have typically aimed at the aviation industry for the past two years. Though, the threat actor kept running other malicious campaigns as well.

Briefly, the researchers found the attacker spreading AsyncRAT and njRAT via spearphishing campaigns. The phishing emails mimic documents aimed at the aviation industry, thereby striving to hack the target organizations. If successful, such attacks can cause huge damages to the victim airlines.

Regarding the threat actor, the researchers believe him to have a Nigerian origin.

Nonetheless, nothing much can be confirmed about the threat actor since the attacker managed to remain under the radar due to small-scale attacks.

According to the researchers, these campaigns demonstrate how even devastating serious attacks can escape detection for years. As stated in their post,

These kinds of small operations tend to fly under the radar and even after exposure the actors behind them won’t stop their activity. They abandon the C2 hostnames — which in this case are free DNS-based and they may change the crypter and initial vector, but they won’t stop their activity. The black market for web cookies, tokens, and valid credentials is way too valuable when compared with the economy in their home countries for them to stop.

Let us know your thoughts in the comments.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid