A new cyber espionage campaign targeting the heart of Afghanistan’s administration has been uncovered, revealing a mix of official disguises and surprisingly clumsy operational errors. In a new report released by the SEQRITE Labs APT Team, researchers detail the activities of a threat group tracked as Nomad Leopard, which has been actively hunting Afghan government employees using lures that mimic official ministry notices.
The campaign relies on a classic but effective social engineering tactic: the official-looking document. The attackers send phishing emails containing what appears to be legitimate government correspondence.
“The attackers are using a fake lure that mimics an official government document to target ministries and administrative offices,” the report explains.
These documents are designed to trick victims into lowering their guard. However, the attachment is not a simple PDF. The infection chain involves an ISO file containing a malicious LNK (shortcut) file. When the user opens this shortcut, it triggers a sequence that executes a hidden payload: a malicious executable that has been renamed to look like a harmless image file to evade detection.
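The chain above turns on two file-type tricks that are cheap to check for on the defensive side: a shortcut (LNK) sitting inside a mounted container, and an executable whose extension claims it is an image. The following Python script is an added example, not code from the SEQRITE report or from the Nomad Leopard tooling; it compares each file's leading bytes against what its extension claims and flags the two conditions the article describes. The magic-byte table and the sample container members are constructed for illustration.

```python
import os

# Leading bytes for the file types that matter in the chain described above.
# Constructed lookup table for this example; it is not from the report.
MAGICS = {
    "pe":   b"MZ",                       # Windows executable (DOS stub header)
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
    "pdf":  b"%PDF",
    # Shell Link header: HeaderSize 0x4C followed by LinkCLSID
    # 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
    "lnk":  b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46",
}

# What each extension claims the content is.
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
    ".pdf": "pdf", ".lnk": "lnk", ".exe": "pe",
}


def identify(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for name, magic in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the real content and record why it is suspicious."""
    ext = os.path.splitext(filename)[1].lower()
    detected = identify(data)
    claimed = EXPECTED.get(ext)
    reasons = []
    # An executable hiding behind a non-executable extension (the renamed "image" payload).
    if detected == "pe" and claimed not in (None, "pe"):
        reasons.append(f"executable disguised as {ext}")
    # Any other disagreement between the extension and the identified content.
    elif claimed and detected != "unknown" and detected != claimed:
        reasons.append(f"{ext} extension but {detected} content")
    # A shell link inside a delivered container is the stage-one trigger in this chain.
    if detected == "lnk":
        reasons.append("shell link (LNK) file")
    return {
        "name": filename,
        "ext": ext,
        "detected": detected,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan(members) -> list:
    """Classify every (name, data) pair, e.g. the members extracted from a mounted ISO."""
    return [classify(name, data) for name, data in members]


# Constructed sample container contents (hypothetical names, padded headers):
# a shortcut, a PE renamed to look like a JPEG, and a genuine PNG.
SAMPLE_MEMBERS = [
    ("Official_Notice.lnk", MAGICS["lnk"] + b"\x00" * 56),
    ("notice.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("logo.png", MAGICS["png"] + b"\x00" * 16),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_MEMBERS):
        print(finding)
```

Running the script reports the LNK and the disguised executable as suspicious and leaves the real PNG alone; in practice the same `scan` would be fed the file list of any ISO attachment extracted by a mail gateway or sandbox, and the "executable disguised as" finding is the one worth alerting on regardless of what the lure document looks like.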
The infrastructure supporting Nomad Leopard is built on the abuse of legitimate platforms. The report highlights that the group hosts its malicious files on GitHub, using repositories to distribute their payloads while blending in with normal network traffic.
However, it is in the digital footprints left behind that the group’s lack of sophistication becomes apparent. The researchers tracked the activity to a GitHub user named “afghanking777000”. This same username, together with the alias “afghan Khan”, was found across multiple social media platforms, including Pinterest and Dailymotion, sometimes linked to locations in Pakistan.
While the lures were carefully crafted, the operators behind Nomad Leopard made significant OPSEC (operational security) blunders. The reuse of the same online personas across different platforms allowed researchers to connect the dots and profile the attacker.
“The reuse of personas is an opsec mistake suggesting it to be an individual operator or small cluster rather than a mature state-sponsored APT.”
The analysis suggests that Nomad Leopard is likely a “regionally focused threat actor with a low-to-moderate sophistication level,” rather than a top-tier global power. Despite this, the group possesses “multiple legal and government-related lure documents,” indicating they may have access to internal materials or are preparing for future campaigns targeting the region.
With the right lure and a free GitHub account, even a small cluster of operators can pose a credible threat to national governments. As the SEQRITE team concludes, “we also believe that this campaign may be targeting other countries as well”.