Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign
Summary:
BlackBerry researchers uncovered a sophisticated, highly targeted espionage campaign against the Pakistan Navy, active from mid-2023 through at least September 2024. The intrusion began with a convincingly forged PDF designed to mimic an internal IT memo about integrating Axigen Thunderbird email services. This lure redirected victims to a typosquatted “paknavy” domain, which delivered a malicious Thunderbird extension. Once installed, the extension harvested credentials from legitimate “@paknavy.gov.pk” email users and communicated with attacker-controlled infrastructure. After credential theft, Windows systems received a stealthy infostealer known as Sync-Scheduler, capable of evasion, persistence through deceptive scheduled tasks, and exfiltration of sensitive documents using obfuscated techniques and encrypted logging. Additional artifacts, including reverse-shell malware (“Black-Shell”), older Pakistan-targeted lure documents, and earlier malicious Thunderbird extensions, show the campaign has been iterative, well-resourced, and tightly focused on military entities. Infrastructure overlaps, execution chains, and TTP similarities suggest possible links to SideWinder or APT Bitter, but evidence remains insufficient for definitive attribution. Overall, the operation demonstrates a patient, targeted effort to harvest sensitive Pakistan Navy communications and documents for espionage purposes.
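Because the initial foothold in this campaign was a Thunderbird extension delivered from a lookalike domain rather than from the mail team's own servers, a defender's first check on an affected fleet is which add-ons each Thunderbird profile actually has installed and where they came from. The script below is an added example written for this summary, not code from BlackBerry or from the report; it assumes each profile's extensions.json lists add-ons under an "addons" array with "id", "type", "location", "version" and "sourceURI" fields, and the approved add-on ID in the allowlist is a placeholder to be replaced with the organization's real signing extension.

```powershell
# Added example (not from the BlackBerry report): audit Thunderbird profiles on a
# Windows host for add-ons that are not on an allowlist or were not installed from
# a trusted host. The allowlist ID below is a placeholder.
$ApprovedAddonIds = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder: the approved signing add-on's ID
)
# Hosts an add-on may legitimately be installed from (assumed: the official
# add-on catalogue plus the organisation's own mail domain).
$TrustedHosts = @('addons.thunderbird.net', 'paknavy.gov.pk')

function Get-UriHost {
    param([string]$Uri)
    if (-not $Uri) { return $null }
    try { return ([System.Uri]$Uri).Host.ToLowerInvariant() } catch { return $null }
}

function Test-HostTrusted {
    param([string]$HostName, [string[]]$Trusted)
    if (-not $HostName) { return $false }
    foreach ($t in $Trusted) {
        # Exact match or a genuine subdomain only; a lookalike registered under a
        # different base domain does not end with ".<trusted host>" and fails here.
        if ($HostName -eq $t -or $HostName.EndsWith(".$t")) { return $true }
    }
    return $false
}

function Get-SuspiciousThunderbirdAddons {
    param([string]$ProfilesRoot = (Join-Path $env:APPDATA 'Thunderbird\Profiles'))
    $findings = @()
    $files = Get-ChildItem -Path $ProfilesRoot -Filter 'extensions.json' -Recurse -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $data = Get-Content -Raw -Path $file.FullName | ConvertFrom-Json
        foreach ($addon in $data.addons) {
            # Only user-installed extensions live in the profile ("app-profile");
            # bundled system add-ons are skipped to keep the report focused.
            if ($addon.type -ne 'extension' -or $addon.location -ne 'app-profile') { continue }
            $reasons = @()
            if ($ApprovedAddonIds -notcontains $addon.id) { $reasons += 'not on allowlist' }
            $sourceHost = Get-UriHost $addon.sourceURI
            if (-not (Test-HostTrusted $sourceHost $TrustedHosts)) {
                $reasons += "installed from untrusted or unknown host '$sourceHost'"
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Profile   = $file.Directory.Name
                    Id        = $addon.id
                    Version   = $addon.version
                    SourceURI = $addon.sourceURI
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

Get-SuspiciousThunderbirdAddons | Format-Table -AutoSize
```

Run it per user (the profile path is under the user's APPDATA), or point -ProfilesRoot at each user's profile directory from an elevated session. A hit with an empty or unexpected source host is worth pulling the .xpi from the profile's extensions folder for analysis before removing it, since the report describes the extension as the credential-harvesting stage that precedes the Sync-Scheduler drop.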
Security Officer Comments:
This campaign reflects hallmarks of a mature, regionally focused espionage actor with deep familiarity with Pakistan Navy systems, particularly Thunderbird, Axigen mail servers, and internal workflows. The custom user manuals, tailored email-signing extensions, and precise branding demonstrate extensive reconnaissance and the intent to build trust with a small, high-value audience. Sync-Scheduler’s development timeline, overlapping codebases, and multiple related malware components show ongoing investment into a modular toolset designed for long-term stealth rather than smash-and-grab operations. The dual use of both infostealing and reverse-shell capabilities further indicates an interest in maintaining persistence and interactive access, consistent with intelligence collection campaigns.
Suggested Corrections:
Conduct Regular User Awareness Training: Building, conducting, and updating a regular internal user awareness training program is one of the most cost-effective means of protecting your organization against cyber risks of all types. By continuously educating personnel and keeping them abreast of the latest developments in cyber threats, organizations of all sizes can build an excellent first line of defense against cyber-attacks. Regular training gives team members the confidence and knowledge to protect both themselves and the organization they represent.
Phishing Protection: Protecting the outermost layers of a business is essential when it comes to shielding your organization from phishing and social engineering attacks, as these attacks rely on humans being the weakest link in the organization's security chain. Therefore, a modern email security solution (ESS) or web filtering solution, combined with user awareness training, can go a long way toward mitigating this attack vector.
Endpoint Protection Solutions: Deploying an advanced AI-powered endpoint protection platform can help protect against the threats described in this research.
Restrict JavaScript in the Browser: Through strict group policies, IT admins can preconfigure browser settings on managed devices to disable JavaScript on sensitive machines and networks. This goes a long way toward protecting against execution chains that rely on JavaScript as part of their attack, such as the one used in the campaign described in this blog post.
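As an added example of the group-policy approach recommended above (this is not configuration from the report or from BlackBerry), the script below writes the Chromium policy values that Group Policy would otherwise push for Chrome and Edge: JavaScript blocked by default, with an explicit allowlist for internal sites. The site URLs are placeholders; the registry paths and the policy names DefaultJavaScriptSetting and JavaScriptAllowedForUrls are the standard Chrome and Edge policy locations.

```powershell
# Added example (not from the report): block JavaScript by default in Chrome and
# Edge on a managed Windows host and allow it only for listed internal sites.
# Writes the same HKLM\SOFTWARE\Policies values the Group Policy ADMX templates
# write, so it can be used to stage or verify the setting. Run elevated.
$AllowedSites = @(
    'https://intranet.example.internal',   # placeholder
    '[*.]mail.example.internal'            # placeholder; [*.] matches subdomains
)
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

function Set-JavaScriptPolicy {
    param([string]$Root, [string[]]$Allowed)
    if (-not (Test-Path $Root)) { New-Item -Path $Root -Force | Out-Null }
    # Chromium values: 1 = allow JavaScript, 2 = block JavaScript.
    New-ItemProperty -Path $Root -Name 'DefaultJavaScriptSetting' -PropertyType DWord -Value 2 -Force | Out-Null
    # List policies are stored as string values named "1", "2", ... under a subkey.
    $listKey = Join-Path $Root 'JavaScriptAllowedForUrls'
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    for ($i = 0; $i -lt $Allowed.Count; $i++) {
        New-ItemProperty -Path $listKey -Name "$($i + 1)" -PropertyType String -Value $Allowed[$i] -Force | Out-Null
    }
}

function Get-JavaScriptPolicy {
    param([string]$Root)
    $setting = (Get-ItemProperty -Path $Root -Name 'DefaultJavaScriptSetting' -ErrorAction SilentlyContinue).DefaultJavaScriptSetting
    $allowed = @()
    $listKey = Join-Path $Root 'JavaScriptAllowedForUrls'
    if (Test-Path $listKey) {
        $key = Get-Item -Path $listKey
        $allowed = $key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) }
    }
    [pscustomobject]@{
        Root                     = $Root
        DefaultJavaScriptSetting = $setting   # expect 2 after Set-JavaScriptPolicy
        AllowedForUrls           = ($allowed -join ', ')
    }
}

foreach ($root in $PolicyRoots) {
    Set-JavaScriptPolicy -Root $root -Allowed $AllowedSites
    Get-JavaScriptPolicy -Root $root
}
```

Confirm the result in the browser at chrome://policy or edge://policy, which lists each policy and whether it was applied. In a domain, keep the authoritative copy in the GPO itself, since the next policy refresh will overwrite locally written values under the Policies hive.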
Link(s):
https://blogs.blackberry.com/en/202...ets-pakistan-navy-in-cyber-espionage-campaign