{
	"id": "fd4ce462-fbb6-4c05-b84f-8aca7223b7af",
	"created_at": "2026-04-24T02:19:01.058637Z",
	"updated_at": "2026-04-25T02:19:34.348815Z",
	"deleted_at": null,
	"sha1_hash": "83d2c2a0564376ee6da0dd7b1a1f34f8f92bcd09",
	"title": "Cyber Espionage on Afghanistan, Kyrgyzstan and Uzbekistan by Chinese-speaking Hacker Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46536,
	"plain_text": "Cyber Espionage on Afghanistan, Kyrgyzstan and Uzbekistan by Chinese-speaking Hacker Group\r\nBy gmcdouga\r\nPublished: 2021-07-01 · Archived: 2026-04-24 02:16:02 UTC\r\nCheck Point Research (CPR) detects an ongoing cyber espionage operation targeting the Afghan government. Attributed to a Chinese-speaking hacker group, the threat actors impersonated the Office of the President of Afghanistan to infiltrate the Afghan National Security Council (NSC) and used Dropbox to mask their activities. CPR believes that this is the latest in a longer-running operation that dates as far back as 2014, where Kyrgyzstan and Uzbekistan are also victims.\r\nThreat actors send a dupe email urging action on an upcoming press conference hosted by the NSC\r\nThreat actors use Dropbox to go undetected, leveraging the API as their command and control center\r\nCPR spots malicious actions taken by threat actors, including access to victims’ desktop files, deployment of a scanner tool, and execution of Windows built-in networking utility tools\r\nCheck Point Research (CPR) has observed an ongoing cyber espionage operation targeting the Afghan government. Believed to be the Chinese-speaking hacker group known as “IndigoZebra”, the threat actors behind the espionage leveraged Dropbox, the popular cloud storage service, to infiltrate the Afghan National Security Council (NSC). Further investigation by CPR revealed that this is the latest in longer-running activity targeting other Central Asian countries, Kyrgyzstan and Uzbekistan, since at least 2014.\r\n“From the Office of the President of Afghanistan”\r\nCPR’s investigation began in April, when an official at the Afghanistan National Security Council received an email allegedly from the Administrative Office of the President of Afghanistan. The email urged the recipient to review the modifications in the document related to an upcoming press conference by the NSC.\r\nFigure 1. Malicious email sent to the Afghan government employees\r\nhttps://blog.checkpoint.com/2021/07/01/cyber-espionage-on-afghanistan-kyrgyzstan-and-uzbekistan-by-chinese-speaking-hacker-group/\r\nPage 1 of 4\n\nInfection Chain Begins with Ministry-to-Ministry Deception\r\nCPR summarized the methodology of the cyber espionage in the following steps:\r\n1. Send email under guise of high-profile entity. The threat actors orchestrated a ministry-to-ministry style deception, where an email is sent to a high-profile target from the mailboxes of another high-profile victim.\r\n2. Lace malicious attachment. The threat actors add an archive file that contains malware but pretends to be a legitimate attachment. In this case, the email contained a password-protected RAR archive named NSC Press conference.rar.\r\n3. Open the first document. The extracted file, NSC Press conference.exe, acts as a dropper. The content of the lure email suggests that the attached file is the document; hence, to reduce the suspicion of the victim running the executable, the attackers use a simple trick: the first document on the victim’s desktop is opened for the user upon the dropper execution. Whether the dropper found a document to open or not, it will proceed to the next stage – drop the backdoor.\r\n4. Utilize Dropbox as a command and control center. The backdoor communicates with a preconfigured folder on Dropbox that is unique to every victim. This serves as the address where the backdoor pulls further commands and stores the information it steals.\r\nFigure 2: Diagram of Infection Chain\r\nMask and Persist with Dropbox\r\nThe threat actors use the Dropbox API to mask their malicious activities, as no communication to abnormal websites takes place. The backdoor crafted by the threat actors creates a unique folder for the victim in an attacker-controlled Dropbox account. When the threat actors need to send a file or command to the victim machine, they place them in the folder named “d” in the victim’s Dropbox folder. The malware retrieves this folder and downloads all its contents to the working folder. The backdoor establishes persistence by setting a registry key designed to run anytime a user logs on.\r\nCyber Espionage Actions Spotted by CPR\r\nIn this attack, some of the actions that CPR spotted included:\r\nDownload and execution of a scanner tool widely used by multiple APT actors, including the prolific Chinese group APT10\r\nExecution of Windows built-in networking utility tools\r\nAccess to the victim’s files, especially documents located on the Desktop\r\nTargets: Afghanistan, Kyrgyzstan and Uzbekistan\r\nWhile CPR saw the Dropbox variant targeting Afghan government officials, the other variants are focused on political entities in two particular Central Asian countries, Kyrgyzstan and Uzbekistan. CPR provides specific indicators of the victimology in its technical report.\r\nFigure 3. Targeted Region\r\nThe detection of cyber espionage continues to be a top priority for us. This time, we’ve detected an ongoing spear-phishing campaign targeting the Afghan government. We have grounds to believe that Uzbekistan and Kyrgyzstan have also been victims. We’ve attributed our findings to a Chinese-speaking threat actor. What is remarkable here is how the threat actors utilized the tactic of ministry-to-ministry deception. This tactic is vicious and effective in making anyone do anything for you; and in this case, the malicious activity was seen at the highest levels of sovereignty. Furthermore, it’s noteworthy how the threat actors utilize Dropbox to mask themselves from detection, a technique that I believe we should all be aware of, and that we should all watch out for. It’s possible that other countries have also been targeted by this hacker group, though we don’t know how many or which countries. Hence, we’re sharing a list of other possible domains used in the attack at this time, in hope that their names can be leveraged by other cyber researchers for contribution to our own findings.\r\nSource: https://blog.checkpoint.com/2021/07/01/cyber-espionage-on-afghanistan-kyrgyzstan-and-uzbekistan-by-chinese-speaking-hacker-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2021/07/01/cyber-espionage-on-afghanistan-kyrgyzstan-and-uzbekistan-by-chinese-speaking-hacker-group/"
	],
	"report_names": [
		"cyber-espionage-on-afghanistan-kyrgyzstan-and-uzbekistan-by-chinese-speaking-hacker-group"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-25T02:00:02.798626Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"HOGFISH",
				"ATK41",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"Menupass Team",
				"POTASSIUM",
				"Red Apollo",
				"Cloud Hopper",
				"BRONZE RIVERSIDE",
				"Granite Taurus",
				"STONE PANDA",
				"happyyongzi",
				"CVNX"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62f2206e-d8c6-49bb-86fc-63118ac2bf40",
			"created_at": "2022-10-25T16:07:23.725942Z",
			"updated_at": "2026-04-25T02:00:04.578719Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [
				"G0136"
			],
			"source_name": "ETDA:IndigoZebra",
			"tools": [
				"Dropbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb4a645-181b-4237-825f-447ac9b0c16d",
			"created_at": "2022-10-25T15:50:23.764656Z",
			"updated_at": "2026-04-25T02:00:04.189794Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [
				"IndigoZebra"
			],
			"source_name": "MITRE:IndigoZebra",
			"tools": [
				"xCaon",
				"BoxCaon",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-25T02:00:03.329158Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f33ce87f-9514-447c-aba2-ff3e4e9e5b71",
			"created_at": "2023-11-07T02:00:07.097748Z",
			"updated_at": "2026-04-25T02:00:03.293475Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [],
			"source_name": "MISPGALAXY:IndigoZebra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-25T02:00:04.101348Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1776997141,
	"ts_updated_at": 1777083574,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83d2c2a0564376ee6da0dd7b1a1f34f8f92bcd09.pdf",
		"text": "https://archive.orkl.eu/83d2c2a0564376ee6da0dd7b1a1f34f8f92bcd09.txt",
		"img": "https://archive.orkl.eu/83d2c2a0564376ee6da0dd7b1a1f34f8f92bcd09.jpg"
	}
}