Infection Chain | Image: SEQRITE Labs
In a precision-strike operation currently unfolding across Central Asia and Europe, threat actors have launched a highly targeted campaign aimed at the heart of the unmanned aviation industry. Dubbed “Operation Silent Rotor” by SEQRITE Labs, the campaign is specifically designed to exploit the upcoming XIII Eurasian International Forum “Unmanned Aviation 2026” in Moscow.
As organizations prepare for this major international event, adversaries are weaponizing trust through sophisticated social engineering and modern programming languages to infiltrate sensitive networks.
The attack begins with a spear-phishing email delivering a malicious archive named cai partner.zip. To ensure the victim suspects nothing, the archive contains four files that mirror legitimate business communications.
The archive includes a PDF named Certificate of translation.PDF, which appears to be an official certification document from a translation bureau in Tajikistan. A DOCX file titled Confirmation of CAICA products order… and an XLSX file named summary_order_cai_final.xlsx contain highly specific industry terminology, including references to Boeing 737 systems and NOTAM datasets.
According to SEQRITE Labs, “the lure is designed to target professionals involved in international business or translation-related activities”.
At the center of the infection is a 64-bit Windows executable compiled in the Rust programming language. Disguised as an order confirmation from the Russian Aeronautical Information Center (ЦАИ/САI), this binary kicks off a two-stage infection process.
Once the victim runs the executable, it immediately begins “collecting system information to build a unique victim profile”. The malware retrieves the hostname and the C: drive volume serial number. It enumerates network adapters to harvest IPv4 addresses, DNS suffixes, and adapter names. While this reconnaissance is happening in the background, the malware displays the decoy documents to “distract the victim and create the illusion of a benign application”.
The harvested data is converted into JSON format and exfiltrated to a command-and-control (C2) server via encrypted HTTPS. The server then responds with an encrypted second-stage payload.
The malware uses AES-256 decryption, deriving the key from data specifically sent by the C2 server. The final payload is written to disk with a random 6-character filename (e.g., in %USERPROFILE%\Documents\) and executed via the CreateProcessA API.
The operation relies on a relatively new and stealthy infrastructure. The C2 domain, kleymarket.ru, was registered just nine days before the campaign was identified.
The domain resolves to IP address 45.142.36.76, hosted in Moscow, Russia. While the specific threat actor remains unknown, researchers noted that “the observed tactics, infrastructure, and social engineering elements suggest a well-planned and targeted operation”.
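The behaviours and indicators described above (a first-stage binary that profiles the host, contacts the C2, writes a random 6-character file under the user's Documents folder and then executes it) can be turned into a simple host-telemetry correlation check. The script below is an added example for defenders, not code from SEQRITE Labs or from the reported malware. It assumes a simplified Sysmon-like JSON event shape (constructed here, not real telemetry), and it assumes the random file name is alphanumeric, which the report does not state; the C2 domain and address are the ones quoted above.

```python
import re

# Indicators quoted from the SEQRITE Labs reporting on Operation Silent Rotor.
C2_DOMAIN = "kleymarket.ru"
C2_IP = "45.142.36.76"

# Second-stage artefact: a random 6-character file name written to Documents.
# The report gives the length only; the alphanumeric character set is an assumption.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6}(\.exe)?$", re.IGNORECASE)
DOCS_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\Documents\\([^\\]+)$", re.IGNORECASE)

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4120, "ppid": 900,
     "image": r"C:\Users\alice\Downloads\cai partner\Confirmation of CAICA products order.exe"},
    {"event": "DnsQuery", "pid": 4120, "query": "kleymarket.ru"},
    {"event": "NetworkConnect", "pid": 4120, "dst_ip": "45.142.36.76", "dst_port": 443},
    {"event": "FileCreate", "pid": 4120, "target": r"C:\Users\alice\Documents\q7Xk2m.exe"},
    {"event": "ProcessCreate", "pid": 5000, "ppid": 4120,
     "image": r"C:\Users\alice\Documents\q7Xk2m.exe"},
    # Benign noise: an ordinary document save and an unrelated process launch.
    {"event": "FileCreate", "pid": 3000, "target": r"C:\Users\alice\Documents\report.docx"},
    {"event": "ProcessCreate", "pid": 3100, "ppid": 3000,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def analyse(events):
    """Walk the event stream in order and collect per-process signals.

    Returns a dict mapping pid -> list of human-readable reasons.  Each signal on
    its own is weak (a 6-letter file name is not unusual); the value comes from
    several of them landing on the same process.
    """
    findings = {}   # pid -> reasons
    created = {}    # lower-cased dropped-file path -> pid that wrote it
    for ev in events:
        pid = ev.get("pid")
        kind = ev["event"]
        if kind == "DnsQuery" and ev["query"].lower().rstrip(".") == C2_DOMAIN:
            findings.setdefault(pid, []).append(f"DNS query for C2 domain {C2_DOMAIN}")
        elif kind == "NetworkConnect" and ev["dst_ip"] == C2_IP:
            findings.setdefault(pid, []).append(
                f"connection to C2 address {C2_IP}:{ev['dst_port']}")
        elif kind == "FileCreate":
            m = DOCS_RE.match(ev["target"])
            if m and RANDOM_NAME_RE.match(m.group(1)):
                created[ev["target"].lower()] = pid
                findings.setdefault(pid, []).append(
                    f"wrote random 6-character file {m.group(1)} to Documents")
        elif kind == "ProcessCreate":
            # Flag the writer when the file it dropped is started as its own child,
            # which matches the CreateProcessA hand-off described in the report.
            writer = created.get(ev["image"].lower())
            if writer is not None and writer == ev.get("ppid"):
                findings.setdefault(writer, []).append(
                    f"executed dropped file {ev['image']} as child pid {pid}")
    return findings


def suspicious_pids(events, min_signals=2):
    """Return pids that accumulated at least min_signals distinct reasons."""
    return sorted(pid for pid, reasons in analyse(events).items()
                  if len(set(reasons)) >= min_signals)


if __name__ == "__main__":
    for pid, reasons in analyse(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

Requiring two or more signals keeps the weak file-name heuristic from firing on its own; in a real deployment the event shape would be adapted to the EDR or Sysmon export in use, and the indicator lists would be fed from threat-intelligence rather than hard-coded.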
Operation Silent Rotor represents a significant risk to the Eurasian Unmanned Aviation Systems (UAS/UAV) sector. By aligning the campaign with the April 2026 Moscow forum, the attackers have created a highly plausible environment for their lures.