{
	"id": "5d80112f-f08a-45a5-9c94-9ae8d4c61a46",
	"created_at": "2026-04-06T00:15:33.854285Z",
	"updated_at": "2026-04-10T03:33:12.619633Z",
	"deleted_at": null,
	"sha1_hash": "17c5398b5eb9024bc39e23c8ccc0038d6e4353f3",
	"title": "IndigoZebra APT Hacking Campaign Targets the Afghan Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 215194,
	"plain_text": "IndigoZebra APT Hacking Campaign Targets the Afghan Government\r\nBy The Hacker News\r\nPublished: 2021-07-01 · Archived: 2026-04-05 15:27:24 UTC\r\nCybersecurity researchers are warning of ongoing attacks coordinated by a suspected Chinese-speaking threat actor targeting the Afghan government as part of an espionage campaign that may date back as far as 2014.\r\nIsraeli cybersecurity firm Check Point Research attributed the intrusions to a hacking group tracked under the moniker \"IndigoZebra,\" with past activity aimed at other Central Asian countries, including Kyrgyzstan and Uzbekistan.\r\n\"The threat actors behind the espionage leveraged Dropbox, the popular cloud-storage service, to infiltrate the Afghan National Security Council (NSC),\" the researchers said in a technical write-up shared with The Hacker News, adding they \"orchestrated a ministry-to-ministry style deception, where an email is sent to a high-profile target from the mailboxes of another high-profile victim.\"\r\nhttps://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html\r\nPage 1 of 3\r\nIndigoZebra first came to light in August 2017 when Kaspersky detailed a covert operation that singled out former Soviet republics with a wide swath of malware such as Meterpreter, Poison Ivy RAT, xDown, and a previously undocumented piece of malware called xCaon.\r\nCheck Point's investigation into the attacks commenced in April when NSC officials began receiving lure emails purporting to come from the Administrative Office of the President of Afghanistan.\r\nWhile the message urged the recipients to review modifications in an attached document related to a pending NSC press conference, opening the decoy file — a password-protected RAR archive (\"NSC Press conference.rar\") — was found to trigger an infection chain that culminated in the installation of a backdoor (\"spools.exe\") on the targeted system.\r\nAdditionally, the attacks funneled malicious commands into the victim machine that were camouflaged using the Dropbox API, with the implant creating a unique folder for every compromised host in an attacker-controlled Dropbox account.\r\nThe backdoor, dubbed \"BoxCaon,\" is capable of stealing confidential data stored on the device, running arbitrary commands, and exfiltrating the results back to the Dropbox folder. The commands (\"c.txt\") themselves are placed in a separate sub-folder named \"d\" in the victim's Dropbox folder, which is retrieved by the malware prior to execution.\r\nBoxCaon's connection to IndigoZebra stems from similarities shared by the malware with xCaon. Check Point said it identified about 30 different samples of xCaon — the earliest dating back to 2014 — all of which rely on the HTTP protocol for command-and-control communications.\r\nTelemetry data analyzed by the researchers also found that the HTTP variants primarily set their sights on political entities located in Kyrgyzstan and Uzbekistan, suggesting a shift in targeting in recent years along with a revamped toolset.\r\n\"What is remarkable here is how the threat actors utilized the tactic of ministry-to-ministry deception,\" said Lotem Finkelsteen, head of threat intelligence at Check Point.\r\n\"This tactic is vicious and effective in making anyone do anything for you; and in this case, the malicious activity was seen at the highest levels of sovereignty. Furthermore, it's noteworthy how the threat actors utilize Dropbox to mask themselves from detection.\"",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html"
	],
	"report_names": [
		"indigozebra-apt-hacking-campaign.html"
	],
	"threat_actors": [
		{
			"id": "62f2206e-d8c6-49bb-86fc-63118ac2bf40",
			"created_at": "2022-10-25T16:07:23.725942Z",
			"updated_at": "2026-04-10T02:00:04.728159Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [
				"G0136"
			],
			"source_name": "ETDA:IndigoZebra",
			"tools": [
				"Dropbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb4a645-181b-4237-825f-447ac9b0c16d",
			"created_at": "2022-10-25T15:50:23.764656Z",
			"updated_at": "2026-04-10T02:00:05.40558Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [
				"IndigoZebra"
			],
			"source_name": "MITRE:IndigoZebra",
			"tools": [
				"xCaon",
				"BoxCaon",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f33ce87f-9514-447c-aba2-ff3e4e9e5b71",
			"created_at": "2023-11-07T02:00:07.097748Z",
			"updated_at": "2026-04-10T02:00:03.406698Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [],
			"source_name": "MISPGALAXY:IndigoZebra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17c5398b5eb9024bc39e23c8ccc0038d6e4353f3.pdf",
		"text": "https://archive.orkl.eu/17c5398b5eb9024bc39e23c8ccc0038d6e4353f3.txt",
		"img": "https://archive.orkl.eu/17c5398b5eb9024bc39e23c8ccc0038d6e4353f3.jpg"
	}
}