Pakistan-Linked SideCopy Targets Afghanistan’s Finance Ministry with Xeno RAT
Cybersecurity researchers have uncovered a sophisticated spear-phishing campaign orchestrated by the Pakistan-affiliated threat group known as SideCopy. This operation, dubbed Operation XENOFISCAL, specifically targets Afghanistan’s Ministry of Finance, deploying the open-source remote access trojan (RAT) called Xeno RAT.
The attack begins with a spear-phishing email carrying a ZIP archive. Inside the archive is a malicious Windows Shortcut (LNK) file, deliberately named in Pashto—the primary language of Afghan government communications—to lend it credibility and raise the likelihood that the recipient opens it.
Upon execution, the LNK file utilizes mshta.exe to retrieve a remote HTML Application (HTA) from a compromised Afghan educational domain. This leads to the in-memory execution of obfuscated JavaScript code. To maintain persistence on the infected system, the malware modifies the Windows Registry, masquerading as Microsoft Edge. Simultaneously, it deploys Xeno RAT version 1.8.7 and presents a decoy document to divert the user’s attention.
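The chain above leaves two observable traces a defender can hunt for: mshta.exe being handed a remote URL instead of a local .hta file, and a Run-key value that borrows Microsoft Edge's name while launching from somewhere other than Edge's install directory. The following detection sketch is an added example, not code from the researchers or the article; the process events, the Run-key values and the set of "legitimate Edge paths" are constructed assumptions for illustration, and a real deployment would read these from Sysmon/EDR telemetry and the live registry.

```python
import ntpath
import re

# Constructed process-creation events, reduced to the fields a Sysmon-style
# log would carry. They are not telemetry from the campaign.
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/notice.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe --profile-directory=Default"},
]

# Constructed HKCU\...\Run values (value name -> command). The second one
# reuses Edge's name but points into a user-writable profile directory.
SAMPLE_RUN_VALUES = {
    "MicrosoftEdgeAutoLaunch_A1B2":
        r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window',
    "Microsoft Edge Update":
        r'"C:\Users\user\AppData\Roaming\Edge\msedge.exe"',
}

# Assumption: directories a genuine Edge installation lives under.
LEGIT_EDGE_PREFIXES = (
    "c:\\program files\\microsoft\\edge\\",
    "c:\\program files (x86)\\microsoft\\edge\\",
)

# A remote HTA is fetched over http(s)/ftp; a local one is a filesystem path.
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def first_token(cmdline: str) -> str:
    """Return the executable part of a command line, handling a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def is_remote_mshta(event: dict) -> bool:
    """True when mshta.exe is launched with a URL argument (remote HTA)."""
    if ntpath.basename(event["image"]).lower() != "mshta.exe":
        return False
    return URL_RE.search(event["cmdline"]) is not None


def is_edge_masquerade(value_name: str, command: str) -> bool:
    """True when a Run value names itself after Edge but runs from outside Edge's install path."""
    if "edge" not in value_name.lower():
        return False
    exe = first_token(command).lower()
    return not exe.startswith(LEGIT_EDGE_PREFIXES)


def scan_process_events(events):
    """Command lines of mshta.exe launches that point at a remote HTA."""
    return [e["cmdline"] for e in events if is_remote_mshta(e)]


def scan_run_values(values):
    """Names of Run values that imitate Edge from a non-standard location."""
    return [name for name, cmd in values.items() if is_edge_masquerade(name, cmd)]


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("remote HTA via mshta:", hit)
    for hit in scan_run_values(SAMPLE_RUN_VALUES):
        print("suspicious Edge-named Run value:", hit)
```

Both checks are deliberately narrow so they stay low-noise: a local HTA installer and a genuine Edge auto-launch entry pass, while only the URL-bearing mshta launch and the profile-directory "Edge" entry are flagged. Extending the legitimate-path list to the organisation's actual deployment paths is the one tuning step the example assumes.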
Xeno RAT is a versatile tool that establishes a TCP connection with a remote server, allowing the attacker to execute a wide range of commands. Its capabilities include:
– Loading and executing external DLL modules
– Transmitting data to the command-and-control server
– Scheduling tasks to relaunch the malware
– Gathering information about installed antivirus software
– Utilizing SOCKS5 proxy for network tunneling
– Performing file operations such as reading, writing, and deleting
– Logging keystrokes to capture sensitive information
– Taking screenshots of the user’s desktop
– Monitoring clipboard activities
– Accessing webcam and microphone feeds
– Removing persistence mechanisms to evade detection
– Uninstalling itself from the host system when necessary
SideCopy operates under the broader umbrella of Transparent Tribe (also known as APT36), a group with a history of targeting South Asian entities. In April 2025, SideCopy was linked to attacks on various sectors in India, deploying malware such as Xeno RAT, Spark RAT, and the previously undocumented CurlBack RAT.
This recent campaign underscores a persistent pattern of cyber-espionage activities aimed at South Asian governmental institutions. The use of Pashto-language lures and the targeting of specific Afghan government departments indicate a deep understanding of the regional context and a strategic approach to infiltrating sensitive networks.
The disclosure of this campaign coincides with reports of another targeted phishing operation. This separate campaign leverages weaponized Linux .desktop files to infiltrate Indian military infrastructure, using lures related to armored vehicle procurement contracts. This operation is also attributed to Transparent Tribe, highlighting the group’s continued focus on South Asian defense and governmental sectors.
Security researchers emphasize the importance of vigilance against such sophisticated threats. Organizations are advised to implement robust cybersecurity measures, conduct regular security awareness training, and maintain up-to-date systems to mitigate the risks posed by these advanced persistent threats.