APT Campaigns Targeting African Financial Infrastructure

This intelligence report documents observed threat campaigns targeting financial institutions across West Africa, with particular focus on Ghana, Nigeria, and Côte d'Ivoire during Q4 2025 — Q1 2026.

Executive Summary

Multiple threat actor clusters have been identified conducting targeted operations against banking systems, mobile money platforms, and fintech startups in the region. The campaigns demonstrate increasing sophistication with custom tooling and region-specific social engineering lures.

Observed TTPs (MITRE ATT&CK)

• Initial Access: Spearphishing (T1566.001) with financial regulatory lures
• Execution: PowerShell (T1059.001), Windows Management Instrumentation (T1047)
• Persistence: Registry Run Keys (T1547.001), Scheduled Tasks (T1053.005)
• Defense Evasion: Obfuscated Files (T1027), Process Injection (T1055)
• Collection: Keylogging (T1056.001), Screen Capture (T1113)
• Exfiltration: HTTPS C2 (T1071.001), DNS Tunneling (T1048.003)

Indicators of Compromise (IOCs)

domains:
  - update-central-bank[.]com
  - ghana-finregulator[.]org
  - ecowas-compliance[.]net
ip_addresses:

185.234.xx.xx
45.133.xx.xx

file_hashes_sha256:

a1b2c3d4e5f6...  # Loader DLL
f6e5d4c3b2a1...  # Keylogger module

phishing_subjects:

"Urgent: New AML Compliance Requirements"
"Bank of Ghana Regulatory Update Q1 2026"

Recommendations

1. Implement email filtering for domain impersonation
2. Deploy EDR with behavioral detection capabilities
3. Conduct regular threat hunting using provided IOCs
4. Establish regional threat intelligence sharing frameworks
5. Train staff on region-specific phishing lure identification