Hackers are targeting Afghan government employees with phishing emails disguised as official correspondence from the office of the country’s prime minister, researchers at the Indian cybersecurity firm Seqrite discovered.

The campaign, first detected in December, uses a decoy document crafted to resemble a legitimate government letter sent to Afghan ministries and administrative offices.

The document opens with a religious greeting and contains what appear to be official instructions related to financial reporting, along with a forged signature of a senior official within the prime minister’s office — a tactic meant to lure victims into opening the file.

Once opened, the document delivers a strain of malware dubbed FalseCub, which is designed to collect and exfiltrate data from infected computers, Seqrite said in a report released Monday.

Researchers found that the attackers relied on GitHub as a temporary hosting service for the malicious payload. A GitHub account created in late December was used to distribute the malware before the files were quietly removed once the operation concluded.

The hackers behind the campaign appear to have carried out extensive research into Afghan government institutions and entities linked to the Taliban. Seqrite identified multiple legal and administrative documents uploaded by the threat actor to the Scribd library, including Afghan government directives, Ministry of Defense communications, and U.S. asylum and human rights documents related to Afghanistan. Those materials may serve as future phishing lures, the researchers said.

The alleged threat actor used an alias — “Afghan Khan” — shared on other platforms including  Pinterest and Dailymotion, with at least one account linked to Pakistan. A shortened link used in the campaign was also uploaded from Pakistan and redirected victims to the GitHub repository hosting the malware, according to the researchers.

While Seqrite did not attribute the campaign to any specific country or known hacker group, researchers assessed the activity as the work of a “regionally focused threat actor with a low-to-moderate sophistication level.” The repeated reuse of online personas, they added, points to “an individual operator or small cluster rather than a mature state-sponsored APT.”

The campaign — which Seqrite tracks under the name Nomad Leopard — is not limited to Afghanistan and may expand to other countries, they warned.

“The threat actor is not very sophisticated but possesses multiple legal and government-related lure documents, which we believe may be used in future campaigns,” the researchers added.