Attack on *stan: Your malware, my C2
ID: 57131d22-5389-5f15-8d05-a94960720f16
STIX ID: report--57131d22-5389-5f15-8d05-a94960720f16
Feed Name: Ctrl-Alt-Int3l
KazakRAT is a lightweight Windows DLL RAT observed since at least August 2022 in a persistent espionage campaign targeting Kazakh and Afghan-themed victims. It is delivered via malicious MSI installers with regional decoys, persists via Run registry keys, and beacons over unencrypted HTTP POST requests to /as/include.php to receive simple bracketed commands (info, exec, disks, upload/download). Multiple variants and overlapping C2 domains/IPs are documented. The report provides active sinkhole telemetry, comprehensive IoCs (domains, IPs, file hashes), a YARA rule, and an attribution assessment pointing to a likely state-affiliated operator using low-sophistication tooling and Android spyware in parallel.
