New ‘HrServ.dll’ Web Shell Detected in APT Attack Targeting Afghan Government
A previously undocumented web shell named HrServ targeted an unspecified Afghan government entity in a possible advanced persistent threat (APT) attack. Kaspersky discovered the malware, which employs custom encoding methods and in-memory execution and has variants dating back to 2021. The attack chain involved the PAExec remote administration tool pretending to be a Microsoft update. The malware also uses a “multifunctional implant” to erase forensic evidence, suggesting a financially motivated attack.