Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan
ID: 07a5902e-f1d2-5571-96db-96c12a24f1d2
STIX ID: report--07a5902e-f1d2-5571-96db-96c12a24f1d2
Feed Name: Seqrite Blog
SEQRITE Labs documents a targeted campaign, tracked as Nomad Leopard, against Afghan government organizations. The lure is a malicious ISO named to appear official; it contains a PDF decoy and a Doc.pdf.lnk shortcut (a double-extension file that shows as a PDF when extensions are hidden). The shortcut establishes persistence by placing a hardlink in the Startup folder and launches a C++ backdoor, FALSECUB. FALSECUB performs sandbox-evasion checks, enumerates system information and user files under Desktop and Documents, and exfiltrates the collected data over HTTP using curl to C2 infrastructure that includes dynamic DNS hostnames and cloud-hosted IP addresses. The full report provides file hashes, domains and IPs, GitHub and TinyURL drop indicators, and attribution notes pointing to a regional actor of low-to-moderate sophistication; those indicators are not reproduced in this summary.
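The persistence technique in the summary (a double-extension shortcut dropped into the Startup folder as a hardlink) leaves two host artifacts that are easy to check for: a Startup entry whose NTFS link count is greater than one, and a name in which a document extension precedes .lnk. The script below is an added example written for this page, not code from SEQRITE or from the campaign's report. It assumes the per-user Startup path under %APPDATA% (a standard Windows location, overridable for testing), the list of decoy extensions is an assumption, and the fixture it builds is constructed sample data, not a real sample. Python reports st_nlink on both NTFS and POSIX filesystems, so the hardlink check behaves the same on a Windows host and in the demo directory.

```python
"""Hunt for a Startup-folder shortcut that is a hardlink and/or carries a
double extension such as Doc.pdf.lnk (added example, not from the report)."""
import os
import tempfile
from pathlib import Path

# Assumed: the per-user Startup folder on Windows. Pass another path to scan_startup()
# to examine a different directory (e.g. a mounted image or the demo fixture below).
DEFAULT_STARTUP = (
    Path(os.environ.get("APPDATA", ""))
    / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
)

# Assumed list of extensions an attacker would use to disguise a shortcut as a document.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def is_double_extension_lnk(name: str) -> bool:
    """True for names like Doc.pdf.lnk: a decoy document extension directly before .lnk."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DECOY_EXTENSIONS


def scan_startup(startup: Path = DEFAULT_STARTUP) -> list:
    """Return one finding per suspicious file: path, size and the reasons it was flagged."""
    findings = []
    if not startup.is_dir():
        return findings
    for entry in sorted(startup.iterdir()):
        if not entry.is_file():
            continue
        st = entry.stat()
        reasons = []
        # A hardlink means a second directory entry points at the same data; a freshly
        # written shortcut normally has exactly one link.
        if st.st_nlink > 1:
            reasons.append(f"hardlink (nlink={st.st_nlink})")
        if is_double_extension_lnk(entry.name):
            reasons.append("double-extension shortcut")
        if reasons:
            findings.append({"path": str(entry), "size": st.st_size, "reasons": reasons})
    return findings


def build_demo_startup() -> Path:
    """Constructed fixture (not real malware): a temporary Startup folder holding a
    benign shortcut, a text file, and a Doc.pdf.lnk that is a hardlink to a payload."""
    root = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    startup = root / "Startup"
    startup.mkdir()
    (startup / "Notes.lnk").write_bytes(b"L\x00\x00\x00benign")  # ordinary shortcut, nlink == 1
    (startup / "readme.txt").write_bytes(b"plain text")         # not a shortcut at all
    payload = root / "payload.lnk"
    payload.write_bytes(b"L\x00\x00\x00stand-in for the dropper")
    os.link(payload, startup / "Doc.pdf.lnk")  # second directory entry -> nlink == 2
    return startup


if __name__ == "__main__":
    for f in scan_startup(build_demo_startup()):
        print(f["path"], "->", ", ".join(f["reasons"]))
    for f in scan_startup():  # the real Startup folder, if this runs on Windows
        print(f["path"], "->", ", ".join(f["reasons"]))
```

Either signal on its own is worth a look; both together on the same Startup entry match the pattern described in the summary closely enough to pull the file for hashing and comparison against the report's indicators.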
