On 22 November 2023, Kaspersky's Securelist released a report on a previously unseen web shell that, according to Kaspersky's telemetry, targeted an unspecified entity within the Afghan government.
The Kaspersky report identifies the web shell as a dynamic link library (DLL) named hrserv.dll, which is capable of executing code in memory and employs anti-forensic techniques.
Variants of this malicious DLL have been identified dating back to 2021, suggesting prolonged development. However, attribution remains unknown. While Kaspersky notes the actor may be financially motivated, the analysis also suggests behavior consistent with an advanced persistent threat, potentially a state-sponsored actor working for a government that has not yet been identified.
Kaspersky's analysis of the malicious code reveals notable idiosyncrasies, including typos in English-language text strings. Additionally, parameters used in the hrserv.dll file specify that the Google search interface should be displayed in English, while the search results should be returned in Traditional Chinese.