SideCopy APT Targets Afghanistan Finance Ministry With XenoRAT in Operation XENOFISCAL
Pakistan-linked SideCopy APT targeted Afghanistan's Ministry of Finance with XenoRAT malware, compromising all 34 provincial finance directorates via spear-phishing emails.

A Pakistan-linked threat group known as SideCopy has launched a focused cyberattack against Afghanistan's Ministry of Finance, deploying a persistent remote access tool called XenoRAT. The campaign, dubbed Operation XENOFISCAL, targeted provincial finance officials across all 34 Afghan Mustoufiats — regional revenue and finance directorates that form the fiscal backbone of the country.
The attack began with a spear-phishing email carrying a ZIP archive. Inside was a malicious shortcut file disguised with a PDF icon and a filename written in Pashto — the dominant language used by Afghan government workers. The lure posed as a list of employees invited to a seminar on psychological and intellectual warfare, showing that the attackers had precise knowledge of their targets' working environment.
Analysts from Seqrite identified this campaign and attributed it to the SideCopy APT cluster with medium-to-high confidence. SideCopy operates under the umbrella of Transparent Tribe (also known as APT36), a group with a documented history of targeting South Asian government institutions. Seqrite Labs has been tracking this threat cluster for years as part of its global spear-phishing monitoring program.
Once the victim opened the shortcut file, the malware silently used mshta.exe — a legitimate Windows utility — to reach out to a compromised Afghan education domain and pull a remote payload. This technique is called Living-off-the-Land, where attackers abuse built-in system tools to avoid triggering security alerts. The malware then decoded obfuscated JavaScript in memory and embedded itself in the Windows Registry, disguising its persistence entry as a Microsoft Edge process.
The final stage deployed XenoRAT 1.8.7, an open-source Remote Access Trojan available on GitHub, which established an encrypted connection to a bulletproof server in Frankfurt, Germany. This command-and-control infrastructure was entirely separate from the delivery domain — a deliberate design to ensure long-term access even if the delivery layer was discovered and shut down.
The decoy document dropped during execution was a real Afghan Ministry of Finance internal staff directory, listing Finance Directors, Revenue Chiefs, and Secretaries from all 34 provinces — complete with mobile numbers. This level of detail indicates the attackers conducted prior intelligence gathering, likely through earlier compromises of Afghan government networks. Security teams should monitor for unusual mshta.exe executions, unexpected Registry Run keys mimicking Windows processes, and outbound traffic to unrecognized European hosting providers.
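As an added illustration of the hunting guidance above (this is example code, not part of Seqrite's report or any product), the script below runs two of the checks over constructed telemetry: mshta.exe launched with a remote URL or inline script, and a Run-key entry that borrows a Microsoft Edge name but points at a script host or a path outside trusted install directories. The record layout, hostnames and paths are assumptions, not indicators from the campaign.

```python
import re

# Constructed sample telemetry (placeholders, not indicators from the report):
# simplified process-creation events and HKCU\...\Run entries as dicts.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://compromised-school.invalid/lure.hta",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "parent": r"C:\Program Files\Vendor\installer.exe"},
]
RUN_KEYS = [
    {"name": "MicrosoftEdge",
     "value": r"C:\Windows\System32\mshta.exe C:\Users\staff\AppData\Roaming\edge.hta"},
    {"name": "MicrosoftEdgeAutoLaunch",
     "value": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
    {"name": "msedge",
     "value": r"C:\Users\staff\AppData\Local\Temp\msedge.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def suspicious_mshta(event):
    """Flag mshta.exe pulling remote content or running inline script, the
    living-off-the-land delivery pattern described above (a local .hta path
    launched by an installer is treated as benign here)."""
    if not event["image"].lower().endswith("\\mshta.exe"):
        return False
    cmd = event["cmdline"].lower()
    return bool(URL_RE.search(cmd)) or "javascript:" in cmd or "vbscript:" in cmd

def suspicious_run_key(entry):
    """Flag a Run entry whose name impersonates a Microsoft/Edge component but
    whose command uses a script host or lives outside trusted install paths."""
    name, value = entry["name"].lower(), entry["value"].lower()
    looks_like_ms = any(tok in name for tok in ("edge", "microsoft", "windows"))
    uses_script_host = any(host in value for host in SCRIPT_HOSTS)
    in_trusted_dir = value.lstrip('"').startswith(TRUSTED_DIRS)
    return looks_like_ms and (uses_script_host or not in_trusted_dir)

def triage(events, run_keys):
    """Return findings for the mshta and Run-key hunting leads as (kind, detail)."""
    findings = [("mshta", e["cmdline"]) for e in events if suspicious_mshta(e)]
    findings += [("run_key", k["name"]) for k in run_keys if suspicious_run_key(k)]
    return findings

if __name__ == "__main__":
    for kind, detail in triage(PROCESS_EVENTS, RUN_KEYS):
        print(f"[{kind}] {detail}")
```

The third lead, outbound connections to unfamiliar hosting providers, needs network telemetry and an allowlist of expected destinations, so it is left to the SIEM rather than shown here.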