Pulse Detail — Threat Intelligence

PULSE NAME

Attack on *stan: Your malware, my C2

WHITE AlienVault 2026-01-30 Modified: 2026-03-01

IOCs

HIGH VOLUME

A suspected state-affiliated threat actor has been targeting Kazakh and Afghan entities in a persistent campaign since at least August 2022. The attackers use a Windows-based RAT called KazakRAT, which allows for payload downloads, host data collection, and file exfiltration. The malware is delivered via .msi files and persists using the Run registry key. C2 communications are unencrypted over HTTP. The campaign also utilizes modified versions of XploitSpy Android spyware. Multiple KazakRAT variants have been observed with minor command-set changes. Victim targeting includes government and financial sector entities, particularly in Kazakhstan's Karaganda region. The operation shows low sophistication but high persistence, with similarities to APT36/Transparent Tribe activities.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1113 T1204.002 T1566.001 T1082 T1005 T1016 T1059 T1083 T1057 T1547.001 T1056 T1071.001 T1105

MALWARE FAMILIES

KazakRAT XploitSpy

Indicators of Compromise (51)

All FileHash-SHA1 FileHash-MD5 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA1	04d1815f2e3c7b3005b7b3a40f2682ec6efbe41e	—	2026-01-30
FileHash-MD5	3e9a8d405f75d0ed8fc674bfaad1f87f	—	2026-01-30
FileHash-MD5	687442da7be02a2a72c36a9a1dbe9b97	—	2026-01-30
FileHash-MD5	70e6e936c54f968d92ee38806661a539	—	2026-01-30
FileHash-MD5	76a7822a243f338bf3c5bc5c53997c12	—	2026-01-30
FileHash-MD5	7aa12bf3606e1a74597be4237ce4a6e5	—	2026-01-30
FileHash-MD5	86d884956a0cab7f536b3b98edea0454	—	2026-01-30
FileHash-MD5	87343a65550b4f7a336b892cc9188e82	—	2026-01-30
FileHash-MD5	9b852f9a0fb735ca809f6895afc54dca	—	2026-01-30
FileHash-MD5	9f660ee1b0e68a140a629b4e8842da06	—	2026-01-30
FileHash-MD5	a3299674576e4210a0e78fb37a27c34f	—	2026-01-30
FileHash-MD5	c0e58474e8a8b84862b2ef50cfc7c799	—	2026-01-30
FileHash-MD5	db942ba4cf38912a07eacc9e01d56574	—	2026-01-30
FileHash-MD5	e36f27a13054f05da69761dc830b0db3	—	2026-01-30
FileHash-SHA1	1c12e5ffa26d24c75a3a8514ea01d0fa370ea64b	—	2026-01-30
FileHash-SHA1	22fb544e865f39e0c49ec45fa8eb945cfe33f1e2	—	2026-01-30
FileHash-SHA1	2ae3ef8bf721001e524fbcee12142733148aa28a	—	2026-01-30
FileHash-SHA1	3b3f0aa7cb8b1508ad9e5af3f31ad5ba2f3eee90	—	2026-01-30
FileHash-SHA1	47be58d97e07b6cd3a47ef838fa5ce142c41b407	—	2026-01-30
FileHash-SHA1	6012f7bb49d09ad305afc03fd8f1bf758473063a	—	2026-01-30
FileHash-SHA1	65d41af63b36cd8e379a74963834ebb2e589d9d7	—	2026-01-30
FileHash-SHA1	70c013a12ff34bcef21fb9f06d4e017b5060e530	—	2026-01-30
FileHash-SHA1	91ae6c321e0ae7d52966acf57832c07ceb559f08	—	2026-01-30
FileHash-SHA1	95f7ba8931159a575b0d8345ac8877165a5a2ec1	—	2026-01-30
FileHash-SHA1	9ece427a7917c2397269631407db79e80391651c	—	2026-01-30
FileHash-SHA1	be4751c606259634d0134b0671e8df8e12e219d1	—	2026-01-30
FileHash-SHA1	c7eb76b0f8dfe7c5a0d0e34582575811bf26b98e	—	2026-01-30
FileHash-SHA256	0669ad73c27e8c7eecf28db3a04ef1fd1738c2d11f1765c0e68444abd3ce7246	—	2026-01-30
FileHash-SHA256	0aa58a9fe4d78a20e7b4c77fc1df759953fbc2cff7403941aaa0e0fa136f9683	—	2026-01-30
FileHash-SHA256	0dd99aa29a8dc919fba9060efa771e6b825a7681f46a5bdc01b319348c19b69c	—	2026-01-30
FileHash-SHA256	291f364c0abece2454e9674f0b1f6721ed2a66d58420eb48f896883c6eb0717a	—	2026-01-30
FileHash-SHA256	312c9c3241409ec4ce4a75fb0e207aeb7de8004d0096b24bc727aa723eb47c54	—	2026-01-30
FileHash-SHA256	3a7685e59bb3e2a4d7e8f2e1b8cadcb030829b94d0a79ed1cefe648b7efb3d5a	—	2026-01-30
FileHash-SHA256	445eca3da9e518139ab6aa89bbd42998deb897f85e7c713bc997fe4d14d46492	—	2026-01-30
FileHash-SHA256	4551133e1cb63a7a2470c677d060ab255deb5c7242113079ea210e7f5a4880d0	—	2026-01-30
FileHash-SHA256	4e6f2ed696460c98b9148cb66ef8249bccd8b809b13b02100fcb444f1d13b228	—	2026-01-30
FileHash-SHA256	5e60ccf20044148cbb58c063c245979a19db6be1cfed6a3a018c7430a0c75e44	—	2026-01-30
FileHash-SHA256	683e8fedff2360d8fd4a5e0dfd4a5bc8b6d84fc7bcbff6bd86d1add19ce74133	—	2026-01-30
FileHash-SHA256	a7287c732c0559d49b9ad22f4fa843d3a837b33122e9195650e7f5331c27cf29	—	2026-01-30
FileHash-SHA256	b269225f6ff9e3b18ddd22df508b4daf26556b013b1527a809dc87eaca108ea9	—	2026-01-30
FileHash-SHA256	c164dcb81a6590b70ee6c0ab6a62da6e7a7c803bdc13a060beb84b33bd42c223	—	2026-01-30
FileHash-SHA256	c19b7adff6876fb527cc05f10137b8ada81ea8afc3dee760b5aa2016350bb3af	—	2026-01-30
FileHash-SHA256	d9e99210f813b0b265c3a5aa236128fe5cab5eb56da9a9551cd3f849d7b9405d	—	2026-01-30
FileHash-SHA256	df7b92b717abe121fb536a0eeb8e323cc9153f70250656dfc670c9650776afa7	—	2026-01-30
URL	http://keu.edu.kz/images/stories/NBRK/article_1109081029.doc	—	2026-01-30
domain	fsocmicrsoft.com	—	2026-01-30
hostname	dns.freiesasien.com	—	2026-01-30
hostname	dns.freisassien.com	—	2026-01-30
hostname	dns.microbwt.team	—	2026-01-30
hostname	dsn.mamurigovaf.site	—	2026-01-30
hostname	server.fsocmicrsoft.com	—	2026-01-30

References (1)

↗ https://ctrlaltintel.com/threat%20research/KazakRAT/