VYPR
breachPublished May 31, 2026· Updated Jun 4, 2026· 4 sources

SideCopy APT Targets Afghanistan Finance Ministry With XenoRAT in Operation XENOFISCAL

Pakistan-linked SideCopy APT targeted Afghanistan's Ministry of Finance with XenoRAT malware, compromising all 34 provincial finance directorates via spear-phishing emails.

A Pakistan-linked threat group known as SideCopy has launched a focused cyberattack against Afghanistan's Ministry of Finance, deploying a persistent remote access tool called XenoRAT. The campaign, dubbed Operation XENOFISCAL, targeted provincial finance officials across all 34 Afghan Mustoufiats — regional revenue and finance directorates that form the fiscal backbone of the country.

The attack began with a spear phishing email carrying a ZIP archive. Inside was a malicious shortcut file disguised with a PDF icon and a filename written in Pashto — the dominant language used by Afghan government workers. The lure posed as a list of employees invited to a seminar on psychological and intellectual warfare, showing that the attackers had precise knowledge of their targets' working environment.

Analysts from Seqrite identified this campaign and attributed it to the SideCopy APT cluster with medium-to-high confidence. SideCopy operates under the broader Transparent Tribe, also known as APT36, umbrella — a group with a documented history of targeting South Asian government institutions. Seqrite Labs has been tracking this threat cluster for years as part of its global spear phishing monitoring program.

Once the victim opened the shortcut file, the malware silently used mshta.exe — a legitimate Windows utility — to reach out to a compromised Afghan education domain and pull a remote payload. This technique is called Living-off-the-Land, where attackers abuse built-in system tools to avoid triggering security alerts. The malware then decoded obfuscated JavaScript in memory and embedded itself in the Windows Registry, disguising its persistence entry as a Microsoft Edge process.

The final stage deployed XenoRAT 1.8.7, an open-source Remote Access Trojan available on GitHub, which established an encrypted connection to a bulletproof server in Frankfurt, Germany. This command-and-control infrastructure was entirely separate from the delivery domain — a deliberate design to ensure long-term access even if the delivery layer was discovered and shut down.

The decoy document dropped during execution was a real Afghan Ministry of Finance internal staff directory, listing Finance Directors, Revenue Chiefs, and Secretaries from all 34 provinces — complete with mobile numbers. This level of detail indicates the attackers conducted prior intelligence gathering, likely through earlier compromises of Afghan government networks. Security teams should monitor for unusual mshta.exe executions, unexpected Registry Run keys mimicking Windows processes, and outbound traffic to unrecognized European hosting providers.

Seqrite researchers revealed that the attackers used spear-phishing emails with ZIP archives containing a malicious file disguised as an internal government document written in Pashto, which installed XenoRAT via DLL side-loading. The campaign targeted not only the Ministry of Finance but also provincial revenue and finance directorates, with infrastructure hosted on compromised Afghan government servers to evade detection. This operation demonstrates SideCopy's ongoing focus on Afghan government entities and its use of customized malware toolkits.

This new report details the specific technical execution of the Operation XENOFISCAL campaign, revealing that the initial vector involves a ZIP archive containing a malicious LNK file with a Pashto filename. The LNK file leverages mshta.exe to fetch a remote HTA file, leading to obfuscated JavaScript execution in memory and the deployment of Xeno RAT 1.8.7 via a DLL-based loader. The malware also establishes persistence by mimicking Microsoft Edge in the system registry.

The new reporting from Dark Reading details how the SideCopy APT group leveraged a compromised domain within Afghanistan's Ministry of Communication and Information Technology's IP space to host their malicious payloads. This tactic allowed their C2 traffic to blend in with legitimate government operations, demonstrating a sophisticated approach to evading detection by masquerading their malicious activity within the nation's own digital infrastructure.

Synthesized by Vypr AI