securityonline.info, 1/27/2026, 12:50:46 AM

Hijacking the Hackers: Researchers Sinkhole “KazakRAT” Espionage Campaign


On 27 January 2026, researchers revealed KazakRAT, a Windows remote access trojan used in a persistent, state-affiliated espionage campaign that has targeted government and financial entities in Kazakhstan and Afghanistan since at least August 2022. The malware is delivered through malicious MSI installers and runs as a DLL-based implant that can download and execute additional payloads, enumerate and collect host data, and exfiltrate files. Its command-and-control (C2) traffic is described as unencrypted HTTP, which leaves the beacons readable to anyone inspecting the wire and, as the researchers later showed, easy to redirect once the C2 domain changes hands.

Its operation relies on social engineering, including decoy documents such as flReport[.]doc, which poses as a presidential letter, and a PDF claiming to be an Afghan official memo about mosque construction. In a notable turn, the researchers hijacked one of the attackers' C2 domains, dns.freiesasien[.]com, and turned it into a sinkhole: victim beacons now resolve to infrastructure the researchers control, where the source IP addresses are passively recorded and no tasking is ever returned to the implant.
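To make the sinkhole step concrete, the following is an added example (not code from the article or from the researchers' infrastructure) of a minimal passive HTTP sinkhole of the kind one would stand up after taking over a C2 domain. It assumes the domain's A record has already been pointed at the host running it; the only identifier taken from the article is the domain name (defanged there as dns.freiesasien[.]com), and every request shown in the test is constructed. The handler records who beacons (source IP, Host, method, path, User-Agent), reads and discards any request body, and answers every request with an empty 204 so the implant never receives anything it could interpret as a task. Because a sinkhole IP also attracts unrelated scanner traffic, each record notes whether the Host header actually matched the hijacked domain, so beacons can be separated from noise.

```python
"""Passive HTTP sinkhole: log beacons, never task the implant.

Added example, not the researchers' code. Assumes the hijacked C2 domain
already resolves to this host. Domain name is the one reported in the
article; all other values are constructed for illustration.
"""
from __future__ import annotations

import threading
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import List, Mapping, Optional

# Domain named in the article (defanged there). Anything else hitting the
# sinkhole IP is probably scanner noise and is flagged as such.
SINKHOLED_HOSTS = {"dns.freiesasien.com"}


@dataclass(frozen=True)
class Beacon:
    ts: str
    src_ip: str
    host: str
    method: str
    path: str
    user_agent: str
    sinkholed: bool  # True when Host matched a hijacked C2 domain


def parse_beacon(src_ip: str, method: str, path: str,
                 headers: Mapping[str, str], now: Optional[str] = None) -> Beacon:
    """Build a Beacon record from the parts of an HTTP request.

    `headers` may be a plain dict or the email.message.Message that
    http.server exposes as self.headers; both support .get().
    """
    host = (headers.get("Host") or "").split(":")[0].strip().lower()
    return Beacon(
        ts=now or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        src_ip=src_ip,
        host=host,
        method=method,
        path=path,
        user_agent=headers.get("User-Agent") or "",
        sinkholed=host in SINKHOLED_HOSTS,
    )


class BeaconStore:
    """Thread-safe in-memory record of observed beacons."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._beacons: List[Beacon] = []

    def add(self, beacon: Beacon) -> None:
        with self._lock:
            self._beacons.append(beacon)

    def count(self) -> int:
        with self._lock:
            return len(self._beacons)

    def unique_sources(self, sinkholed_only: bool = False) -> List[str]:
        """Distinct beaconing IPs, optionally restricted to the C2 domain."""
        with self._lock:
            return sorted({b.src_ip for b in self._beacons
                           if b.sinkholed or not sinkholed_only})

    def dump(self) -> List[dict]:
        with self._lock:
            return [asdict(b) for b in self._beacons]


class SinkholeHandler(BaseHTTPRequestHandler):
    store: BeaconStore = BeaconStore()  # replaced per server in run_sinkhole

    def _handle(self) -> None:
        # Drain any body so the socket is left in a clean state, then drop it:
        # exfiltrated data must not be retained by an observer-only sinkhole.
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)
        self.store.add(parse_beacon(self.client_address[0], self.command,
                                    self.path, self.headers))
        # Empty 204: nothing the implant could parse as a task or payload.
        self.send_response(204)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _handle

    def log_message(self, fmt, *args) -> None:  # the store is the record
        pass


def run_sinkhole(bind: str = "0.0.0.0", port: int = 80) -> None:
    """Serve forever; bind to 80 because the implant beacons over plain HTTP."""
    SinkholeHandler.store = BeaconStore()
    ThreadingHTTPServer((bind, port), SinkholeHandler).serve_forever()


if __name__ == "__main__":
    run_sinkhole()
```

In practice the store would be flushed to disk or a database and the 204 kept deliberately minimal; returning anything more elaborate risks changing the implant's behaviour on victim hosts, which an observer-only sinkhole should not do.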

Sinkhole telemetry pointed to government and financial-sector targets in the Karaganda region of Kazakhstan, and the researchers noted tooling overlaps with the Android espionage tool XploitSpy and possible ties to APT36, though no definitive link is claimed. According to the report, the threat actor's identity remains unconfirmed; the group is characterised as having low operational maturity but high persistence.


Article by CyberSIXT