216.73.217.139

Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan

· Published 20/01/2026 08:51 · Modified 20/01/2026 09:09

Export JSON

Essential information

Published
20/01/2026 08:51
Modified
20/01/2026 09:09
Tags
2026-01-20 afghanistan data exfiltration falsecub government iso lnk reconnaissance spear-phishing
Related entities
5 observables, 1 intrusion sets (apt), 14 techniques (mitre), 1 malware, 3 others

Description

A threat group is targeting Afghan employees using a fake lure mimicking an official document. The campaign, named Operation Nomad Leopard, uses a malicious file containing a PDF decoy, file, and the malware. The infection chain involves executing the file to display the PDF and run the malware, which establishes persistence and connects to a command and control server. The malware performs system , file enumeration, and . The threat actor, believed to be regionally focused with low-to-moderate sophistication, uses GitHub for malware distribution and has connections to Pakistan. The campaign demonstrates careful attention to detail in creating convincing lures and leverages legitimate platforms for malicious purposes.

External references