Security Articles

Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan

released on 2026-01-20 @ 08:51:26 AM
A threat group is targeting Afghan government employees using a fake lure mimicking an official government document. The campaign, named Operation Nomad Leopard, uses a malicious ISO file containing a PDF decoy, LNK file, and the FALSECUB malware. The infection chain involves executing the LNK file to display the PDF and run the malware, which establishes persistence and connects to a command and control server. The malware performs system reconnaissance, file enumeration, and data exfiltration. The threat actor, believed to be regionally focused with low-to-moderate sophistication, uses GitHub for malware distribution and has connections to Pakistan. The campaign demonstrates careful attention to detail in creating convincing lures and leverages legitimate platforms for malicious purposes.