
Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan

Severity: Medium
Published: Tue Jan 20 2026 (01/20/2026, 08:51:25 UTC)
Source: AlienVault OTX General

Description

Operation Nomad Leopard is a targeted spear-phishing campaign aimed at Afghan government employees. The lure is a malicious ISO file containing a decoy PDF, a LNK shortcut, and the FALSECUB malware. Executing the LNK file opens the decoy PDF and, at the same time, runs the malware, which establishes persistence and connects to a command and control server. FALSECUB then performs system reconnaissance, enumerates files, and exfiltrates data. The actor distributes the malware through legitimate platforms such as GitHub and shows moderate sophistication, a regional focus, and connections to Pakistan. Although the campaign targets Afghanistan, its reliance on ordinary Windows features (ISO images, shortcuts) and social engineering makes the same tradecraft reusable against organizations with similar profiles. No CVSS score applies, since no vulnerability is exploited; the threat is assessed as medium severity because of its targeted nature and its impact on confidentiality and integrity without widespread exploitation. Defenders should prioritize user awareness, strict attachment handling, and network monitoring for the hashes and the C2 domain and IP listed below.

AI-Powered Analysis

AI analysis last updated: 01/20/2026, 09:20:15 UTC

Technical Analysis

Operation Nomad Leopard is a spear-phishing campaign targeting Afghan government personnel. The lure is a malicious ISO file crafted to look like an official government document. The ISO contains a decoy PDF and a Windows LNK shortcut; when the user double-clicks the shortcut it opens the PDF, so the victim sees the expected document, while also launching the FALSECUB malware. FALSECUB establishes persistence and connects to a command and control (C2) server reached through dynamic DNS infrastructure (theepad0loc93x.ddns.net) and the IP address 207.244.230.94. It then performs system reconnaissance, enumerates files, and exfiltrates the collected data over the C2 channel. The chain relies on social engineering (T1566.001, Spearphishing Attachment) and on legitimate platforms such as GitHub for payload hosting, which lets the download blend in with normal traffic. The threat actor shows low-to-moderate sophistication, a regional focus, and ties to Pakistan. The pulse maps the campaign to the following MITRE ATT&CK techniques: T1033 (System Owner/User Discovery), T1204.002 (User Execution: Malicious File), T1497.001 (Virtualization/Sandbox Evasion: System Checks), T1082 (System Information Discovery), T1020 (Automated Exfiltration), T1083 (File and Directory Discovery), T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass; ISO and other container formats are the usual vehicle, because files inside a mounted image historically did not carry the Mark-of-the-Web), T1041 (Exfiltration Over C2 Channel), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1573 (Encrypted Channel), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1485 (Data Destruction), T1070.004 (Indicator Removal: File Deletion), T1071.001 (Application Layer Protocol: Web Protocols), and T1086 (PowerShell; this is the deprecated ID that now maps to T1059.001, Command and Scripting Interpreter: PowerShell). The campaign is not known to exploit any software vulnerability; it succeeds only through user interaction and social engineering.

Potential Impact

For European organizations, the direct impact of Operation Nomad Leopard is currently limited due to its regional targeting of Afghan government entities. However, the campaign’s use of common Windows features (ISO files, LNK shortcuts) and social engineering tactics means that similar spear-phishing attempts could be adapted against European government or diplomatic entities, especially those with interests or operations related to Afghanistan or South Asia. Successful infection could lead to significant confidentiality breaches through data exfiltration, loss of sensitive government information, and potential compromise of internal networks. The use of legitimate platforms like GitHub for malware hosting complicates detection and response. Additionally, the malware’s persistence and reconnaissance capabilities could facilitate long-term espionage or sabotage. European organizations involved in international diplomacy, defense, or foreign aid might be at increased risk if threat actors expand targeting or reuse tactics.

Mitigation Recommendations

1. Enforce strict email filtering and attachment handling: block or quarantine ISO, IMG and other disk-image attachments and any LNK files, especially when they arrive as purported official documents. Apply the same rules to web downloads, since the actor also hosts payloads on GitHub.
2. Run targeted user awareness training on spear-phishing, emphasizing that an unexpected ISO attachment, or a shortcut (LNK) inside one, is never a legitimate way to receive a document.
3. Deploy endpoint detection and response (EDR) with rules for suspicious LNK execution (Explorer spawning cmd.exe or PowerShell with a command line that opens a document and starts another binary) and for the persistence mechanisms associated with FALSECUB.
4. Monitor DNS and network traffic for the known C2 infrastructure (theepad0loc93x.ddns.net and 207.244.230.94); block the indicators at the proxy, firewall and DNS resolver, and investigate any host that has contacted them.
5. Use application control (for example WDAC or AppLocker) to restrict execution of unauthorized scripts and binaries, including the PowerShell usage attributed to the malware; where PowerShell cannot be blocked outright, enable script block logging so that its use is at least visible.
6. Regularly audit autostart locations (Run keys, Startup folders, scheduled tasks) to detect and remove persistence.
7. Feed the published file hashes and network indicators into threat intelligence platforms and detection signatures.
8. Alert on, or block, resolution of dynamic-DNS domains (such as *.ddns.net) from endpoints with no business need for them, and watch for look-alike domain registrations that imitate organizational assets.
9. Enforce multi-factor authentication and least privilege to limit what a compromised user account can reach.
10. Maintain an incident response plan that covers targeted spear-phishing and data exfiltration scenarios.
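The following Python script is an added example written for this page; it is not code from the Seqrite report, the OTX pulse, or the FALSECUB actor. It turns the infection chain described in the Technical Analysis (LNK opens a decoy and starts a payload, Run-key persistence, dynamic-DNS C2) and the detection items in the mitigation list (suspicious LNK execution, persistence auditing, C2 monitoring, hash matching) into one triage pass over Sysmon-style events, using the indicators listed under Indicators of Compromise. Field names follow Sysmon's schema (EventID 1 process create, 3 network connection, 13 registry value set, 22 DNS query; Image, ParentImage, CommandLine, Hashes, TargetObject, Details, QueryName, DestinationIp). The sample events are constructed for the demonstration, the extension lists and path patterns in the behavioural rules are assumptions to tune per environment, and the file names and paths in the samples are invented rather than known FALSECUB artifacts.

```python
import re

# IOCs as published in the OTX pulse on this page.
IOC_SHA256 = {
    "5838c834482fb54f8a642d92e4ece7bbde03e161c2d02c4e70edbe05c8190955",
    "63f6c85fc16b346cc3f18da9380aee6ffbb3e735863e2e8f118f38737e0d1348",
    "6c8936fea2fe9cbbcc6135941ac5fb6ea7819530a0914d8c0f39a015c0f2055d",
    "f817f65edbc77f7bbdd6e4f469e82c0e770b7e221bdb348f366a475a8a39242b",
}
IOC_DOMAINS = {"theepad0loc93x.ddns.net"}
IOC_IPS = {"207.244.230.94"}

# Heuristic knobs for the behavioural rules (assumptions; tune per environment).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ARGV0 = re.compile(r'^\s*("[^"]*"|\S+)\s*')  # strips the image path off a command line
DECOY_EXT = re.compile(r"\.(pdf|docx?|xlsx?|rtf)\b", re.I)
PAYLOAD_EXT = re.compile(r"\.(exe|dll|ps1|bat|cmd|vbs|js|hta)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)


def basename(path):
    """File name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sha256_of(ev):
    """Pull the SHA256 out of a Sysmon 'Hashes' field ('SHA256=...,MD5=...')."""
    m = re.search(r"SHA256=([0-9a-f]{64})", ev.get("Hashes", ""), re.I)
    return m.group(1).lower() if m else None


def triage(events):
    """Return (rule, ATT&CK technique, event) for every event that matches an IOC
    or one of the behavioural rules derived from the reported infection chain."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        # Exact IOC matches: file hash (process create / image load / file create),
        # DNS query for the C2 domain, or a connection to the C2 IP or hostname.
        if sha256_of(ev) in IOC_SHA256:
            hits.append(("ioc_hash", "T1204.002", ev))
        if eid == 22 and ev.get("QueryName", "").lower().rstrip(".") in IOC_DOMAINS:
            hits.append(("ioc_dns", "T1071.001", ev))
        if eid == 3 and (ev.get("DestinationIp") in IOC_IPS
                         or ev.get("DestinationHostname", "").lower() in IOC_DOMAINS):
            hits.append(("ioc_c2", "T1071.001", ev))
        # Behavioural: the user double-clicks the LNK (Explorer is the parent), which
        # runs a script host whose arguments open a document decoy AND start a payload.
        if (eid == 1 and basename(ev.get("ParentImage", "")) == "explorer.exe"
                and basename(ev.get("Image", "")) in SCRIPT_HOSTS):
            args = ARGV0.sub("", ev.get("CommandLine", ""), count=1)
            if DECOY_EXT.search(args) and PAYLOAD_EXT.search(args):
                hits.append(("lnk_decoy_and_payload", "T1204.002", ev))
        # Behavioural: Run-key persistence whose value points into a user-writable path.
        if (eid == 13 and RUN_KEY.search(ev.get("TargetObject", ""))
                and USER_WRITABLE.search(ev.get("Details", ""))):
            hits.append(("runkey_persistence", "T1547.001", ev))
    return hits


# Constructed Sysmon-style events (not real telemetry) walking through the chain: LNK runs
# cmd.exe that opens decoy + payload, payload hash matches, Run key written, C2 resolved and contacted.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" "E:\Notice.pdf" & start /min "" "E:\.hidden\update.exe"',
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"E:\.hidden\update.exe",
     "CommandLine": r'"E:\.hidden\update.exe"',
     "Hashes": "SHA256=5838c834482fb54f8a642d92e4ece7bbde03e161c2d02c4e70edbe05c8190955,MD5=" + "0" * 32},
    {"EventID": 13, "Image": r"E:\.hidden\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\analyst\AppData\Roaming\Updater\update.exe"},
    {"EventID": 22, "Image": r"C:\Users\analyst\AppData\Roaming\Updater\update.exe",
     "QueryName": "theepad0loc93x.ddns.net"},
    {"EventID": 3, "Image": r"C:\Users\analyst\AppData\Roaming\Updater\update.exe",
     "DestinationIp": "207.244.230.94", "DestinationPort": 443},
    # Benign noise that must not fire.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "update.microsoft.com"},
]

if __name__ == "__main__":
    for rule, technique, ev in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {technique:10} EventID={ev['EventID']} {ev.get('Image', '')}")
```

The IOC rules are exact and will age as the actor rotates infrastructure; the two behavioural rules survive that rotation and are the ones worth porting to your EDR or SIEM query language. The decoy-plus-payload rule strips the script host's own path before matching so that `cmd.exe` in argv[0] does not count as a payload, and the Run-key rule only fires when the value points into a user-writable location, which keeps vendor installers under Program Files from generating noise.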

Affected Countries

Afghanistan (primary target according to the source report)

Technical Details

Author: AlienVault
TLP: WHITE
References: https://www.seqrite.com/blog/operation-nomad-leopard-targeted-spear-phishing-campaign-against-government-entities-in-afghanistan/
Adversary: Nomad Leopard
Pulse Id: 696f420d629a255b3d84814e
Threat Score: not assigned

Indicators of Compromise

Hash (SHA256)

5838c834482fb54f8a642d92e4ece7bbde03e161c2d02c4e70edbe05c8190955
63f6c85fc16b346cc3f18da9380aee6ffbb3e735863e2e8f118f38737e0d1348
6c8936fea2fe9cbbcc6135941ac5fb6ea7819530a0914d8c0f39a015c0f2055d
f817f65edbc77f7bbdd6e4f469e82c0e770b7e221bdb348f366a475a8a39242b

IP

207.244.230.94

Domain

theepad0loc93x.ddns.net

Threat ID: 696f45734623b1157c251817

Added to database: 1/20/2026, 9:05:55 AM

Last enriched: 1/20/2026, 9:20:15 AM

Last updated: 1/20/2026, 6:25:56 PM

