Image: c0baltstrik3d
A persistent, suspected state-affiliated cyber espionage campaign targeting government and financial entities in Kazakhstan and Afghanistan has been brought to light. Security researcher c0baltstrik3d, while hunting for infrastructure on Censys, uncovered a previously unreported Remote Access Trojan (RAT) that has been quietly operating since at least August 2022.
Dubbed “KazakRAT” by the researchers, the malware is a Windows-based implant delivered via malicious MSI files. While the tooling is described as having “limited emphasis on evasion,” its simplicity has allowed it to fly under the radar for over three years.
The discovery began with a routine hunt for Command and Control (C2) servers. “While hunting for C2 infrastructure on Censys, we uncovered a suspected state-affiliated cluster targeting Kazakh and Afghan entities in a persistent campaign,” the analysis reveals.
The malware itself is a DLL-based implant designed for straightforward espionage. According to the report, “KazakRAT allows the threat actor to download and run additional payloads, enumerate and collect host data, and search for and exfiltrate files”.
Unlike sophisticated nation-state malware that uses complex obfuscation, KazakRAT is surprisingly bare-bones. “The KazakRAT binaries themselves were not obfuscated making it simple to analyse,” the report notes, adding that C2 communications are “unencrypted and follow a simple beaconing mechanism over HTTP”.
The campaign relies heavily on social engineering tailored to its specific targets. One variant of the malware was delivered alongside a decoy document titled flReport.doc, which posed as a “fake letter from the President of the Republic of Kazakhstan” congratulating citizens on Constitution Day.
Another variant targeted Afghan entities with a PDF containing a “scanned official letter/memo from Afghanistan’s (Islamic Emirate) Provincial authorities in Khost,” discussing a public works project for constructing mosques.
Perhaps the most striking aspect of this investigation was the researchers’ ability to hijack the attackers’ infrastructure. The threat actor failed to renew one of their primary C2 domains, dns.freiesasien.com.
“Due to an operational mistake by the adversary, we now own one of their KazakRAT C2 domains, allowing us to redirect victim traffic to a sinkhole to passively collect victim IP addresses beaconing home,” the analyst explained.
This takeover provided a clear view of the victimology. The sinkhole telemetry confirmed that “likely targeting includes government and financial sector roles, particularly in the Karaganda region” of Kazakhstan.
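As an added illustration, not code from the report or its authors, of how a defender could hunt for the plain-HTTP beaconing described above and for traffic to the C2 domain that was later sinkholed, the following Python runs over constructed web-proxy log lines: it flags any request to the named indicator domain and, separately, any source/host pair whose request spacing is too regular to be human browsing. The log format, the filler hostnames and the 10.20.x addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log sample (not real telemetry): timestamp, source IP, method, host, path.
# dns.freiesasien.com is the expired KazakRAT C2 domain named in the report; other hosts are filler.
SAMPLE_PROXY_LOG = """\
2025-09-01T08:00:00Z 10.20.5.17 GET dns.freiesasien.com /index.php
2025-09-01T08:00:11Z 10.20.5.17 GET www.example.org /
2025-09-01T08:05:02Z 10.20.5.17 GET dns.freiesasien.com /index.php
2025-09-01T08:10:01Z 10.20.5.17 GET dns.freiesasien.com /index.php
2025-09-01T08:15:03Z 10.20.5.17 GET dns.freiesasien.com /index.php
2025-09-01T08:20:00Z 10.20.5.17 GET dns.freiesasien.com /index.php
2025-09-01T08:03:40Z 10.20.5.42 GET www.example.org /news
2025-09-01T08:09:15Z 10.20.5.42 GET www.example.org /news
2025-09-01T09:47:02Z 10.20.5.42 GET www.example.org /
2025-09-01T08:00:05Z 10.20.5.88 GET update.example.net /check
2025-09-01T08:01:04Z 10.20.5.88 GET update.example.net /check
2025-09-01T08:02:06Z 10.20.5.88 GET update.example.net /check
2025-09-01T08:03:05Z 10.20.5.88 GET update.example.net /check
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
KNOWN_C2_HOSTS = {"dns.freiesasien.com"}  # indicator taken from the report

def parse_proxy_log(text):
    """Yield (timestamp, src_ip, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(4)

def find_beacons(text, min_hits=4, max_jitter=0.15):
    """Return {(src_ip, host): (reason, mean_interval_seconds)} for flows that
    either contact a known C2 host or show near-constant request spacing
    (coefficient of variation of the gaps <= max_jitter over >= min_hits requests)."""
    hits = defaultdict(list)
    for ts, src, host in parse_proxy_log(text):
        hits[(src, host)].append(ts)
    findings = {}
    for (src, host), times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval = mean(gaps) if gaps else None
        if host in KNOWN_C2_HOSTS:
            findings[(src, host)] = ("known_c2_indicator", interval)
        elif len(times) >= min_hits and interval > 0 and pstdev(gaps) / interval <= max_jitter:
            findings[(src, host)] = ("regular_beaconing", interval)
    return findings
```

In a real deployment the jitter threshold should be tuned against the environment's baseline, since software updaters and monitoring agents also poll on fixed intervals.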
While the identity of the threat actor remains unconfirmed, the analysis points to a group with “low operational maturity” but high persistence. The researchers noted overlaps in tooling—specifically the use of XploitSpy for Android espionage—with APT36 (Transparent Tribe), a Pakistan-based group.
“While we identified no definitive links between the threat group observed in this research and APT36/Transparent Tribe, we highlight the overlap in tooling choices, limited sophistication, and aspects of victimology,” the report concludes.