Hijacking the Hackers: Researchers Sinkhole “KazakRAT” Espionage Campaign

Security researcher c0baltstrik3d uncovered a persistent state‑affiliated espionage campaign targeting government and financial organizations in Kazakhstan and Afghanistan, revealing a previously unreported Windows Remote Access Trojan dubbed KazakRAT that has operated since at least August 2022. KazakRAT is a simple DLL-based implant delivered via malicious MSI files and decoy documents, using unencrypted HTTP C2 communications, and researchers sinkholed a primary C2 domain to confirm targeting in the Karaganda region. #KazakRAT #APT36

Key points

  • Researcher c0baltstrik3d discovered the campaign while hunting C2 infrastructure on Censys.
  • KazakRAT is a Windows DLL RAT delivered via malicious MSI files and decoy documents.
  • The malware is minimally obfuscated, uses unencrypted HTTP beaconing, and can download payloads and exfiltrate files.
  • Attackers used tailored social engineering decoys targeting Kazakh and Afghan officials, including flReport.doc and a fake Khost memo PDF.
  • A lapsed C2 domain (dns.freiesasien.com) was sinkholed, revealing victims in government and financial roles mainly in Karaganda and showing tooling overlap with APT36.
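The sinkholing step above works because the implant keeps beaconing to the lapsed domain over plain HTTP: once the domain resolves to the researchers' server, each infected host shows up as a regular, low-volume stream of requests in the sinkhole's access log. The script below is an added defender-side example (not code from the article or from c0baltstrik3d) that separates those periodic beacons from casual one-off visitors such as crawlers. The log format, request paths, timestamps and source addresses are constructed for the example; only the domain dns.freiesasien.com comes from the article, and the real KazakRAT beacon URI and cadence are not described on this page.

```python
"""Find hosts beaconing at a regular cadence to a sinkholed C2 domain."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# The lapsed C2 domain named in the article; everything else below is constructed.
SINKHOLED_DOMAIN = "dns.freiesasien.com"

# Constructed sample lines in a simplified combined-log style with the Host
# header appended as the last field. 203.0.113.10 checks in every ~5 minutes
# (a beacon-like pattern); 198.51.100.7 is a crawler that visits twice.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:08:00:00 +0000] "GET /check HTTP/1.1" 200 12 dns.freiesasien.com
203.0.113.10 - - [10/Mar/2024:08:05:01 +0000] "GET /check HTTP/1.1" 200 12 dns.freiesasien.com
203.0.113.10 - - [10/Mar/2024:08:10:00 +0000] "GET /check HTTP/1.1" 200 12 dns.freiesasien.com
203.0.113.10 - - [10/Mar/2024:08:15:02 +0000] "GET /check HTTP/1.1" 200 12 dns.freiesasien.com
198.51.100.7 - - [10/Mar/2024:09:12:33 +0000] "GET / HTTP/1.1" 200 512 dns.freiesasien.com
198.51.100.7 - - [10/Mar/2024:11:47:02 +0000] "GET /robots.txt HTTP/1.1" 404 0 dns.freiesasien.com
192.0.2.44 - - [10/Mar/2024:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 900 example.org
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ (?P<host>\S+)$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "ts": ts, "req": m["req"], "host": m["host"]})
    return events


def beacon_candidates(events, domain=SINKHOLED_DOMAIN, min_hits=3, jitter_frac=0.1):
    """Return {ip: median_interval_seconds} for sources that contact `domain`
    at a steady cadence: at least `min_hits` requests whose gaps all fall
    within `jitter_frac` of the median gap. Crawlers and curious visitors
    rarely produce such even spacing, so they drop out."""
    by_ip = defaultdict(list)
    for e in events:
        if e["host"].lower() == domain:
            by_ip[e["ip"]].append(e["ts"])

    result = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= jitter_frac * med for g in gaps):
            result[ip] = med
    return result


if __name__ == "__main__":
    for ip, interval in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: beaconing roughly every {interval:.0f}s to {SINKHOLED_DOMAIN}")
```

On the sample data only 203.0.113.10 survives (median gap about 301 seconds); the crawler falls below `min_hits`. In practice the candidate list is what gets enriched with WHOIS or geolocation data to arrive at the kind of victim profile the article describes, and the same cadence check can run over proxy logs inside an organization to catch hosts still beaconing to a domain that has since been taken over.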

Read More: https://securityonline.info/hijacking-the-hackers-researchers-sinkhole-kazakrat-espionage-campaign/