Hackers target Afghan government workers with fake correspondence from senior officials

 

Hackers are targeting Afghan government employees with phishing emails disguised as official correspondence from the office of the country’s prime minister, according to researchers at cybersecurity firm Seqrite.

The campaign, first detected in December, uses a decoy document designed to look like a legitimate government letter sent to ministries and administrative offices. The file opens with a religious greeting and includes what appear to be official instructions on financial reporting, along with a forged signature of a senior official to entice recipients to open it.

Once opened, the document deploys malware known as FalseCub, which is capable of collecting and exfiltrating data from infected computers. Seqrite said the attackers used GitHub as temporary hosting for the malicious payload, creating an account in late December and removing the files after the operation concluded.

Researchers identified multiple legal and administrative documents uploaded by the threat actor to Scribd, which could be repurposed for future phishing attempts. The campaign, tracked as ‘Nomad Leopard,’ appears to be the work of a regionally focused actor with low-to-moderate sophistication and could expand beyond Afghanistan.

