Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan
Essential information
- Published
- 20/01/2026 08:51
- Modified
- 20/01/2026 09:09
- Tags
- 2026-01-20 afghanistan data exfiltration falsecub government iso lnk reconnaissance spear-phishing
- Related entities
- 5 observables, 1 intrusion sets (apt), 14 techniques (mitre), 1 malware, 3 others
Description
A threat group is targeting Afghan government employees using a fake lure mimicking an official government document. The campaign, named Operation Nomad Leopard, uses a malicious ISO file containing a PDF decoy, LNK file, and the FALSECUB malware. The infection chain involves executing the LNK file to display the PDF and run the malware, which establishes persistence and connects to a command and control server. The malware performs system reconnaissance, file enumeration, and data exfiltration. The threat actor, believed to be regionally focused with low-to-moderate sophistication, uses GitHub for malware distribution and has connections to Pakistan. The campaign demonstrates careful attention to detail in creating convincing lures and leverages legitimate platforms for malicious purposes.