Threats Affecting Afghanistan

SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.

MediumMalwareAfghanistan#sidecopy#xenorat#transparent tribe

The Harvester APT group has developed a highly-evasive Linux version of its GoGra backdoor that leverages Microsoft Graph API and Outlook mailboxes as a covert command-and-control channel to bypass traditional network defenses. Initial VirusTotal submissions originated from India and Afghanistan, indicating these regions as primary targets. The attackers use social engineering with tailored decoy documents masquerading as legitimate files, including references to Indian food delivery services. The backdoor uses hardcoded Azure AD credentials to poll mailboxes every two seconds, executing commands received via email and exfiltrating results back to operators. Analysis confirms this Linux variant shares nearly identical code with a previously known Windows version, including matching spelling errors, demonstrating the group's multi-platform development strategy and continued expansion of capabilities targeting South Asia for espionage purposes.

MediumMalwareIndiaAfghanistan#graphon#south asia espionage#cross-platform

A suspected state-affiliated threat actor has been targeting Kazakh and Afghan entities in a persistent campaign since at least August 2022. The attackers use a Windows-based RAT called KazakRAT, which allows for payload downloads, host data collection, and file exfiltration. The malware is delivered via .msi files and persists using the Run registry key. C2 communications are unencrypted over HTTP. The campaign also utilizes modified versions of XploitSpy Android spyware. Multiple KazakRAT variants have been observed with minor command-set changes. Victim targeting includes government and financial sector entities, particularly in Kazakhstan's Karaganda region. The operation shows low sophistication but high persistence, with similarities to APT36/Transparent Tribe activities.

MediumMalwareKazakhstanAfghanistanGermany+3#windows#android#afghanistan

A threat group is targeting Afghan government employees using a fake lure mimicking an official government document. The campaign, named Operation Nomad Leopard, uses a malicious ISO file containing a PDF decoy, LNK file, and the FALSECUB malware. The infection chain involves executing the LNK file to display the PDF and run the malware, which establishes persistence and connects to a command and control server. The malware performs system reconnaissance, file enumeration, and data exfiltration. The threat actor, believed to be regionally focused with low-to-moderate sophistication, uses GitHub for malware distribution and has connections to Pakistan. The campaign demonstrates careful attention to detail in creating convincing lures and leverages legitimate platforms for malicious purposes.

MediumMalwareAfghanistanPakistan#spear-phishing#iso#lnk