{
	"id": "9947dec5-d553-4671-bcda-660b778a3d6d",
	"created_at": "2026-04-06T00:06:16.370083Z",
	"updated_at": "2026-04-10T03:34:17.917058Z",
	"deleted_at": null,
	"sha1_hash": "1f847ebcaea68a23957fb30a644a893fc40330c7",
	"title": "Extensive hacking operation discovered in Kazakhstan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1477226,
	"plain_text": "Extensive hacking operation discovered in Kazakhstan\r\nWritten by Catalin Cimpanu, Contributor, Nov. 23, 2019 at 12:00 a.m. PT\r\nArchived: 2026-04-05 13:41:01 UTC\r\nChinese cyber-security vendor Qihoo 360 published a report on Friday exposing an extensive hacking operation targeting the country of Kazakhstan.\r\nTargets included individuals and organizations from all walks of life, such as government agencies, military personnel, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike.\r\nThe campaign, Qihoo 360 said, was broad, and appears to have been carried out by a threat actor with considerable resources: one able to develop its own hacking tools, buy expensive spyware on the surveillance market, and even invest in radio communications interception hardware.\r\nEvidence suggests that some attacks relied on sending targets carefully crafted emails carrying malicious attachments (spear-phishing), while others relied on gaining physical access to devices, suggesting the use of on-the-ground operatives deployed in Kazakhstan.\r\nMeet Golden Falcon\r\nQihoo researchers named the group behind this extensive campaign Golden Falcon (or APT-C-34). The Chinese security vendor claimed the group was new, but when ZDNet reached out to Kaspersky, we were told Golden Falcon appears to be another name for DustSquad, a cyber-espionage entity that has been active since 2017.\r\nThe only report detailing its previous hacking operations dates back to 2018, when it was seen using spear-phishing emails that led users to a malware-laced version of Telegram.\r\nJust like the attacks documented by Qihoo this week, the 2018 attacks also focused on Kazakhstan but used a different malware strain.\r\nQihoo's new report is primarily based on data the Chinese company obtained after it gained access to one of Golden Falcon's command and control (C\u0026C) servers, from which it retrieved operational data about the group's activities.\r\nHere, the Chinese firm said it found data retrieved from infected victims. The collected data consisted primarily of office documents taken from hacked computers.\r\nAll the stolen information was arranged in per-city folders, with each city folder containing data on each infected host. Researchers said they found data from victims located in Kazakhstan's 13 largest cities, and more.\r\nhttps://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/\r\nPage 1 of 5\r\n[Image: Qihoo 360]\r\nThe data was encrypted, but researchers said they were able to decrypt it. Inside, they also found evidence that Golden Falcon was spying on foreign nationals in the country -- with Qihoo naming Chinese international students and Chinese diplomats as targets.\r\nExpensive hacking tools\r\nFiles on the C\u0026C server revealed what types of hacking tools this group was using. Two tools stood out. The first was a version of RCS (Remote Control System), a surveillance kit sold by Italian vendor HackingTeam. The second was a backdoor trojan named Harpoon (Garpun in Russian) that appears to have been developed by the group itself.\r\nRegarding its use of RCS, what stood out was that Golden Falcon was using a new version. The RCS version number matters because, in 2015, a hacker breached HackingTeam and leaked all of its internal files, including the source code for RCS.\r\nAt the time, the RCS version number was 9.6. According to Qihoo, the version number of the RCS instances found in Golden Falcon's possession was 10.3, a newer version, meaning the group most likely bought it from the distributor rather than building on the leaked 9.6 source.\r\nBut Golden Falcon was also in possession of another potent tool. Qihoo says the group was using a unique backdoor that hasn't been seen outside the group's operations and was most likely its own creation.\r\nThe Chinese vendor said it obtained a copy of this tool's manual. It is unclear if it found the manual on the group's C\u0026C server or obtained it from another source. The manual, however, shows a well-developed tool with a large feature set, on par with many of today's top backdoor trojans.\r\n[Image (gf-harpoon.png): Qihoo 360]\r\nFeatures include:\r\nKeylogging\r\nSteal clipboard data\r\nTake screenshots of the active window at predetermined intervals\r\nList the contents of a given directory\r\nGet Skype login name, contact list, and chat message history\r\nGet Skype and Google Hangouts contacts and voice recordings\r\nRecord sound via the microphone (eavesdropping)\r\nCopy a specified file from the target computer\r\nAutomatically copy files from removable media\r\nStore all intercepted data in an encrypted data file, inside a specified directory\r\nSend stolen data to a specified FTP server\r\nRun a program or operating system command\r\nDownload files from a given FTP server into a specific directory\r\nRemotely reconfigure and update components\r\nReceive data files from a given FTP server and automatically extract the files to a specified directory\r\nSelf-destruct\r\nMost of the features listed above are the norm for high-level backdoor trojans, usually encountered in nation-state level cyber-espionage.\r\nMobile malware\r\nBut Qihoo researchers also found additional files, such as contracts, supposedly signed by the group.\r\nIt is important to point out that cyber-espionage groups don't normally leave contracts sitting around on C\u0026C servers. It is unclear if these contracts were found on Golden Falcon's C\u0026C server or were retrieved from other sources. Qihoo didn't say.\r\nOne of these contracts appears to be for the procurement of a mobile surveillance toolkit known as Pegasus. This is a powerful mobile hacking tool, with Android and iOS versions, sold by NSO Group.\r\nThe contract suggests that Golden Falcon had, at least, shown interest in acquiring NSO's Android and iOS surveillance tools. It is unclear if the contract was ever completed with a sale, as Qihoo didn't find any evidence of NSO's Pegasus beyond the contract.\r\n[Image (gf-nso.png): Qihoo 360]\r\nEither way, Golden Falcon did have mobile hacking capabilities. This capability was provided via Android malware supplied by HackingTeam.\r\nQihoo said the malware it analyzed included 17 modules with features ranging from audio eavesdropping to browser history tracking, and from stealing IM chat logs to tracking a victim's geo-location.\r\nRadio interception hardware\r\nA second set of contracts showed that Golden Falcon had also acquired equipment from Yurion, a Moscow-based defense contractor that specializes in radio monitoring, eavesdropping, and other communications equipment.\r\nAgain, Qihoo only shared details about the contract's existence, but could not say if the equipment was bought or used -- such capabilities lie beyond the tools at the disposal of a regular security software company.\r\n[Image (gf-yurion.png): Qihoo 360]\r\nTracking down members?\r\nThe Chinese cyber-security firm also said it tracked down several Golden Falcon members through details left in digital signatures, supposedly found inside the contracts it discovered.\r\nResearchers said they tracked four Golden Falcon members and one organization.\r\nUsing data that was left uncensored in a screenshot shared by Qihoo, we were able to track one of the group's members to a LinkedIn profile belonging to a Moscow-area programmer that the Chinese firm described as \"a technical engineer\" for Golden Falcon.\r\nNo official attribution -- but plenty of theories\r\nNeither Qihoo nor Kaspersky, in its 2018 report, makes any formal attribution for this group. The only detail the two shared was that this is a Russian-speaking APT (advanced persistent threat -- a technical term used to describe advanced, nation-state backed hacking units).\r\nDuring research for this article, ZDNet asked a few analysts for their opinions. The most common theories we heard were that this \"looks\" to be (1) a Russian APT, (2) a Kazakh intelligence agency spying on its own citizens, or (3) a Russian mercenary group doing on-demand spying for the Kazakh government -- with the last two being the most common answers.\r\nHowever, it should be noted that these arguments are subjective and not backed by any substantial proof.\r\nThe use of HackingTeam surveillance software and the inquiry into buying NSO Group mobile hacking capabilities do show that this could indeed be an authorized law enforcement agency. However, Qihoo also pointed out that some of the targets/victims of this hacking campaign were Chinese government officials in north-west China -- meaning that if this was a Kazakh law enforcement agency, then it seriously overstepped its jurisdiction.\r\nThe Qihoo Golden Falcon report is available here, in Chinese, and here, translated with Google Translate. The report contains additional technical information about the malware used in these attacks, information that we didn't include in our coverage because it was too technical.\r\nSource: https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/"
	],
	"report_names": [
		"extensive-hacking-operation-discovered-in-kazakhstan"
	],
	"threat_actors": [
		{
			"id": "978775b9-369d-44f7-8a42-76d7b9cb42d5",
			"created_at": "2022-10-25T15:50:23.846105Z",
			"updated_at": "2026-04-10T02:00:05.36378Z",
			"deleted_at": null,
			"main_name": "Nomadic Octopus",
			"aliases": [
				"Nomadic Octopus",
				"DustSquad"
			],
			"source_name": "MITRE:Nomadic Octopus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70661552-6715-4750-bf4e-527055d3e7b4",
			"created_at": "2023-11-08T02:00:07.114392Z",
			"updated_at": "2026-04-10T02:00:03.417207Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"Nomadic Octopus"
			],
			"source_name": "MISPGALAXY:DustSquad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8b1844c0-671a-41e0-abb1-8abc556738b5",
			"created_at": "2023-01-06T13:46:39.074954Z",
			"updated_at": "2026-04-10T02:00:03.2046Z",
			"deleted_at": null,
			"main_name": "APT-C-34",
			"aliases": [
				"Golden Falcon"
			],
			"source_name": "MISPGALAXY:APT-C-34",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6fe4b4f-9694-4ffc-94ef-a0cc5aef94d9",
			"created_at": "2022-10-25T16:07:23.556112Z",
			"updated_at": "2026-04-10T02:00:04.655561Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"APT-C-34",
				"DustSquad",
				"G0133",
				"Golden Falcon",
				"Nomadic Octopus"
			],
			"source_name": "ETDA:DustSquad",
			"tools": [
				"Garpun",
				"Paperbug",
				"Remote Control System"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775792057,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f847ebcaea68a23957fb30a644a893fc40330c7.pdf",
		"text": "https://archive.orkl.eu/1f847ebcaea68a23957fb30a644a893fc40330c7.txt",
		"img": "https://archive.orkl.eu/1f847ebcaea68a23957fb30a644a893fc40330c7.jpg"
	}
}