Cyber Threat Actor: Ghulam Jiwani

Actor Type: Crime Syndicate
Location: Pakistan
Known Incidents: 1 incident
Profile

The threat actor known by the alias Ghulam Jiwani has been linked to a bribery and malware scheme targeting a major U.S. telecommunications provider. Open source reporting indicates the actor is based in Pakistan, although no further personal details have been publicly disclosed. The alias appears in connection with the 2012 incident involving AT&T employees who accepted illicit payments. No other aliases or affiliations have been confirmed in the available sources.

The actor’s known activity focuses on the telecommunications sector, specifically targeting AT&T’s internal network and device unlocking processes. The scheme was driven by financial gain, as evidenced by the bribes paid to employees and the subsequent losses exceeding five million dollars annually for the carrier. No evidence of espionage or disruptive intent has been presented in the public reporting. The geographic scope of the targeting appears limited to the United States, where the victim company operates.

Initial access was achieved through the corruption of insider employees who were bribed to facilitate unauthorized phone unlocking. Once inside, the actor deployed keylogging malware designed to harvest credential data that could automate further unlocking operations. The malware also enabled the creation of rogue wireless access points, which provided persistent pathways into the AT&T network. These tactics illustrate a reliance on social engineering, custom malware, and wireless infrastructure abuse to maintain control.

Attribution points to foreign conspirators who coordinated the bribery and malware deployment, with the primary orchestrator later arrested and extradited to face criminal charges in the United States. The AT&T case represents the only publicly reported operation associated with Ghulam Jiwani, serving as a representative example of the actor’s methodology. AT&T confirmed that no customer data was compromised during the incident, limiting the impact to financial and operational domains. No additional campaigns or broader criminal consortium have been identified in the current source material.

Incidents
1 incident
Sources
0 sources