
Attack on *stan: Your malware, my C2

· Published 30/01/2026 08:19 · Modified 30/01/2026 08:51


Essential information

Tags
2026-01-30 afghanistan android c2 infrastructure espionage kazakhstan kazakrat state-sponsored windows xploitspy
Related entities
24 observables, 13 techniques (mitre), 2 malware, 12 others

Description

A suspected state-affiliated threat actor has been targeting Kazakh and Afghan entities in a persistent campaign since at least August 2022. The attackers use a RAT, tagged here as kazakrat, that can download further payloads, collect host information and exfiltrate files. The malware is delivered as .msi installers and persists through a Run registry key. C2 communication is plain HTTP with no encryption, so the traffic is readable by anyone on path. The campaign also uses modified builds of the XploitSPY Android spyware. Multiple variants have been observed, differing only in minor command-set changes. Targets include government and financial-sector entities, particularly in Kazakhstan's Karaganda region. The operation shows low sophistication but high persistence, and its tradecraft shows similarities to APT36/Transparent Tribe activity.
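Two of the behaviours above (a Run-key value written by an .msi installation, and regular-cadence unencrypted HTTP beaconing) are cheap to hunt for in telemetry most environments already have. The script below is an added example, not code from the report or from the malware; it runs over constructed sample records (documentation-range IPs from 192.0.2.0/24 and made-up paths, none of them indicators from the campaign) and assumes Sysmon-style registry-set events and a simple proxy log of the form "timestamp client method url status".

```python
"""
Hunt for the two TTPs described on the page: (1) a Run-key persistence
value written by msiexec.exe, i.e. set during an .msi install, and
(2) unencrypted HTTP requests from one client to one host at a near-
constant interval (a beacon). All input data is constructed for this
example; the IPs are RFC 5737 documentation addresses, not IOCs.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from statistics import mean, pstdev

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed Sysmon-style registry value-set events (EventID 13):
# (writing process image, target key, value data). Paths are fictitious.
REG_EVENTS = [
    (r"C:\Windows\System32\msiexec.exe",
     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\user\AppData\Roaming\Updater\updater.exe"),
    (r"C:\Program Files\Vendor\setup.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     r"C:\Program Files\Vendor\agent.exe"),
    (r"C:\Windows\explorer.exe",
     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "1"),
]

# Constructed proxy log: timestamp client method url status
PROXY_LOG = """\
2026-01-12T09:00:00 10.0.0.5 POST http://192.0.2.10/api/update 200
2026-01-12T09:05:01 10.0.0.5 POST http://192.0.2.10/api/update 200
2026-01-12T09:10:00 10.0.0.5 POST http://192.0.2.10/api/update 200
2026-01-12T09:14:59 10.0.0.5 POST http://192.0.2.10/api/update 200
2026-01-12T09:20:00 10.0.0.5 POST http://192.0.2.10/api/update 200
2026-01-12T09:03:17 10.0.0.7 GET https://example.com/ 200
2026-01-12T09:41:02 10.0.0.7 GET http://example.net/news 200
2026-01-12T11:12:48 10.0.0.7 GET http://example.net/news 304
"""


def run_key_persistence(events, suspicious_parents=("msiexec.exe",)):
    """Return Run-key value writes whose writing process is an installer.

    Only values directly under a Run key count; unrelated keys beneath
    CurrentVersion (e.g. Explorer\\Advanced) are ignored.
    """
    hits = []
    for image, key, value in events:
        if not any(key.upper().startswith(rk.upper() + "\\") for rk in RUN_KEYS):
            continue
        if image.lower().rsplit("\\", 1)[-1] in suspicious_parents:
            hits.append((image, key, value))
    return hits


def parse_proxy_log(text):
    """Split the constructed proxy log into dicts with parsed scheme/host."""
    rows = []
    for line in text.splitlines():
        ts, client, method, url, status = line.split()
        scheme, rest = url.split("://", 1)
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "method": method, "scheme": scheme,
                     "host": rest.split("/", 1)[0], "status": int(status)})
    return rows


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def cleartext_beacons(rows, min_requests=4, max_jitter=0.1):
    """Flag (client, host) pairs talking plain HTTP on a near-fixed period.

    Jitter is the coefficient of variation of the inter-request gaps;
    a hand-written RAT loop usually lands well under 10%.
    """
    by_pair = defaultdict(list)
    for r in rows:
        if r["scheme"] == "http":          # unencrypted traffic only
            by_pair[(r["client"], r["host"])].append(r["ts"])
    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings.append({"client": client, "host": host, "count": len(stamps),
                             "period_s": round(avg), "bare_ip": is_bare_ip(host)})
    return findings


if __name__ == "__main__":
    for hit in run_key_persistence(REG_EVENTS):
        print("Run-key write by installer:", hit)
    for f in cleartext_beacons(parse_proxy_log(PROXY_LOG)):
        print("cleartext beacon:", f)
```

On the sample data only the msiexec-written Run value and the 300-second POST loop to the bare IP are reported; the vendor installer's Run value and the sporadic browsing to example.net are not. Because the C2 is plain HTTP, the same proxy or IDS that produced the beacon timestamps can also capture the request bodies, which is where the collected host data and exfiltrated files would be visible.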

External references