Meta, the company formerly known as Facebook, announced Tuesday that it took action against four separate malicious cyber groups from Pakistan and Syria who were found targeting people in Afghanistan, as well as journalists, humanitarian organizations, and anti-regime military forces in the West Asian country.

The Pakistani threat actor, dubbed SideCopy, is said to have used the platform to single out people with ties to the Afghan government, military and law enforcement in Kabul.

The campaign, which Meta dubbed as a “well-resourced and persistent operation,” involved sending malicious links, often shortened using URL shortener services, to websites hosting malware between April and August of 2021, what with the operators posing as young women and tricking the recipients with romantic lures in a bid to make them click on phishing links or download trojanized chat applications.

Meta’s threat intelligence analysts said these apps were a front for two distinct malware strains, a remote access trojan named PJobRAT, which was previously found targeting the Indian military forces, and a previously undocumented implant dubbed Mayhem that’s capable of retrieving contact lists, text messages, call logs, location information, media files, device metadata, and even scrape content on the device’s screen by abusing accessibility services.

Among other SideCopy’s tactics, the hacker group engaged in a number of nefarious activities, including operating rogue app stores, compromising legitimate websites to host malicious phishing pages that were designed to manipulate people into giving up their Facebook credentials. The group was purged from Facebook in August.

Furthermore, Meta also said it disrupted three hacking networks linked to the Syrian government and specifically Syria’s Air Force Intelligence —

  • Syrian Electronic Army aka APT-C-27, which targeted humanitarian organizations, journalists and activists in Southern Syria, critics of the government, and individuals associated with the anti-regime Free Syrian Army with phishing links to deliver a mix of commercially available and custom malware such as njRAT and HmzaRat that are engineered to harvest sensitive user information.
  • APT-C-37, which targeted people linked to the Free Syrian Army and military personnel affiliated with opposition forces with a commodity backdoor known as SandroRAT and an in-house developed malware family called SSLove via social engineering schemes that duped victims into visiting websites masquerading as Telegram, Facebook, YouTube, and WhatsApp as well as content focussed on Islam.
  • A government-linked unnamed hacking group that targeted minority groups, activists, opposition in Southern Syria, Kurdish journalists, and members of the People’s Protection Units and Syria Civil Defense, with the operation manifesting in the form of social engineering attacks that entailed sharing links to websites hosting malware-laced apps mimicking WhatsApp and YouTube that installed SpyNote and Spymax remote administration tools on the devices.

“To disrupt these malicious groups, we disabled their accounts, blocked their domains from being posted on our platform, shared information with our industry peers, security researchers and law enforcement, and alerted the people who we believe were targeted by these hackers,” the social technology firm’s Mike Dvilyanski, head of cyber espionage investigations, and David Agranovich, director of threat disruption, said.