IndigoZebra APT Group Uses Dropbox Service to Target Government Entities

Earlier, the experts were not conscious of this campaign, but they discovered something odd and started investigating the matter when they saw an email that has been sent out by among the workers of the Administrative Office of the President in Afghanistan to the staff members of the Afghanistan National Security Council (NSC).

Throughout a regular examination, the security expert of Check Point research has determined a spear-phishing campaign. According to the specialists, this project was a continuous campaign that is continually assaulting the Afghan federal government.

During the examination, it likewise came out that this is not the first time for this hacking group to conduct projects like these.

In this project, the hazard stars have actually used a unique-to-every-victim Dropbox folder in the account as it helps them to connect with a preconfigure. However, it likewise severs as an address, and during the attack, the risk actors keep other commands and gather the data that has been taken till now.

In addition, the danger stars utilize the legitimate Dropbox API, as it helps them to conceal the destructive traffic in the targets system. Whenever the danger actors wish to send a file or command to the victim device, they put them in a folder called “d” in the victims Dropbox folder.

Dropboxed in With the BoxCaon Dropper.

The experts have discovered some additional previous history of this hacking group, and they came to understand that the IndigoZebra has actually targeted at a number of central-Asian countries, that include Kyrgyzstan and Uzbekistan.

Not just this the earlier project that was called as BoxCaon has actually also targetted these 2 particular Central Asian Countries.

The security analyst has examined that whether the danger stars have set up Kaspersky on the victims gadget by browsing for the files in the folder of Kaspersky installation. If Kaspersky has actually not been set up then its clear that the resolution through computer registry has actually been installed, in case.


After investigating the project, the present project has targeted the Afghan government. However the specialists likewise came to understand that the threat actors are only targetting 2 particular Central Asian nations:-.

The researchers of the Israeli cybersecurity company that is the Check Point Research implicated that all the interventions that have occurred till now were traced beneath the name “IndigoZebra,” hacking group..

The professionals noted that the e-mail has actually requested the recipient to study the modifications in the report that are connected with the future interview of the NSC.

Moreover, the e-mail has some detail on it, that is the password-protected RAR archive named NSC Press conference.rar..

By moving and accepting commands that are composed to a specific folder in a Dropbox account, the danger actors use dropbox as a C&C Server.

The drawn out file, NSC Press conference.exe, serves as a dropper, and the content of the email indicates that the associated file is the file, and it will decrease the mistrust of the victim, operating the executable.

Dropbox as a C&C Server.

You can follow us on Linkedin, Twitter, Facebook for day-to-day Cybersecurity and hacking news updates.

Infection Chain.

Not just this, however the danger actors prepare this Dropbox account prior to the operation, and the backdoor utilizes the Dropbox API with a strong recipient access token which has the capability to download, submit and execute files accordingly.

IndigoZebra APT Targets.

According to the report of the professionals, it may probable that this APT group has actually targeted other nations. It not clear yet that which countries or how numerous nations have been targeted by this APT danger group, but the professionals are attempting their best to know all the key information of this project.