Pakistan Deploys Xeno RAT to Spy on Afghan Finance Ministry
A state-sponsored cyber-espionage campaign attributed to Pakistan-linked threat actors has been uncovered targeting Afghanistan's Ministry of Finance, leveraging the open-source Xeno RAT to establish covert remote access. The operation, analyzed by Resecurity's HUNTER unit, relied on relatively unsophisticated tactics, techniques, and procedures (TTPs) to infiltrate the ministry's network and exfiltrate sensitive financial and governmental data. Researchers noted that despite Afghanistan's growing digital connectivity, a porous cybersecurity posture left critical ministries exposed to commodity-grade malware.
Xeno RAT, a remote access trojan written in C# and publicly available on GitHub, has gained traction among state-aligned threat groups since its public release. The malware supports a wide range of capabilities including keylogging, screen capture, file exfiltration, and remote shell execution. In this campaign, attackers used spear-phishing emails carrying malicious attachments to deliver the payload; once executed, the implant established persistent command-and-control (C2) communication over encrypted channels. From that foothold, the operators moved laterally across the ministry's internal network, harvesting documents related to budgetary planning, international aid disbursement, and diplomatic correspondence.
The campaign highlights a recurring pattern in South Asian geopolitics where nation-state actors rely on off-the-shelf tooling rather than custom exploits to compromise high-value targets. Afghanistan's limited investment in endpoint detection and response (EDR) solutions, combined with outdated patching cycles, allowed the Xeno RAT implant to operate undetected for an extended period. Analysts at Resecurity emphasized that the attack chain required no zero-day vulnerabilities, instead chaining social engineering with basic persistence mechanisms such as scheduled tasks and registry modifications to maintain footholds.
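The persistence mechanisms named above (Run-key entries and scheduled tasks) are among the easiest RAT behaviours to hunt for in endpoint telemetry. The following Python is an added example, not code from the Resecurity report or from the Xeno RAT project: it runs simple detection logic over constructed Sysmon-style events (registry value-set events and process-creation events) and flags autorun values that point into user-writable directories and schtasks /create invocations whose action lives in such a directory, fires on a short interval, or requests the highest run level. The event field names, sample paths and task names are assumptions made for the example.

```python
"""Hunt constructed endpoint events for commodity RAT persistence.

Added example; the event format is Sysmon-like but simplified, and every
sample event below is constructed for illustration, not taken from the
Afghan Ministry of Finance intrusion.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Autorun locations written via the registry (Sysmon Event ID 13, value set).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Scheduled-task creation on the command line (Sysmon Event ID 1, process create).
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
TASK_RUN_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TASK_SCHED_RE = re.compile(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", re.IGNORECASE)

# Directories a non-admin user can write to; legitimate autoruns rarely live here.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    technique: str   # "registry_run_key" or "scheduled_task"
    reason: str      # why the event was flagged
    evidence: str    # the raw value or command line


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in USER_WRITABLE_DIRS)


def check_registry_event(ev: dict) -> Optional[Finding]:
    """Flag Run/RunOnce values whose target binary sits in a user-writable dir."""
    if ev.get("event_id") != 13:
        return None
    target = ev.get("target_object", "")
    if not RUN_KEY_RE.search(target):
        return None
    payload = ev.get("details", "")
    if in_user_writable_dir(payload):
        return Finding("registry_run_key",
                       "autorun value points into a user-writable directory",
                       f"{target} -> {payload}")
    return None


def check_process_event(ev: dict) -> Optional[Finding]:
    """Flag schtasks /create with a beacon-like schedule or suspicious action."""
    if ev.get("event_id") != 1:
        return None
    cmd = ev.get("command_line", "")
    if not SCHTASKS_CREATE_RE.search(cmd):
        return None
    reasons = []
    m = TASK_RUN_RE.search(cmd)
    action = (m.group(1) or m.group(2)) if m else ""
    if in_user_writable_dir(action):
        reasons.append("task action runs from a user-writable directory")
    s = TASK_SCHED_RE.search(cmd)
    if s and s.group(1).lower() == "minute" and s.group(2) and int(s.group(2)) <= 15:
        reasons.append(f"beacon-like schedule (every {s.group(2)} min)")
    if "/rl highest" in cmd.lower():
        reasons.append("requests highest run level")
    if reasons:
        return Finding("scheduled_task", "; ".join(reasons), cmd)
    return None


def hunt(events: List[dict]) -> List[Finding]:
    """Run every check over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry: two malicious persistence events, three benign ones.
SAMPLE_EVENTS = [
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "details": r"C:\Users\bob\AppData\Roaming\Microsoft\svchost.exe"},
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 5 /tn "WindowsUpdate" '
                     r'/tr "C:\Users\bob\AppData\Roaming\Microsoft\svchost.exe" /rl highest /f'},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.reason}\n    {f.evidence}")
```

On a real estate the same three checks map directly onto Sysmon configuration (registry events on the Run keys, process creation filtered on schtasks.exe) or onto the equivalent EDR queries; the point is that none of them require a signature for Xeno RAT itself, only knowledge of where commodity malware tends to park its foothold.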
For organizations seeking to assess their own exposure to RAT-style intrusions, defensive hygiene starts with visibility into network assets. Running a port scanner helps identify unexpected exposed services that widen the initial-access surface; note, however, that a RAT such as Xeno RAT connects outbound from the infected host to its operator, so catching its C2 traffic depends on egress monitoring rather than on inbound port exposure. A browser fingerprint test can reveal how easily an organization's clients can be tracked by surveillance-grade tooling. Security teams should also use an email breach checker to confirm whether credentials tied to key personnel have appeared in known dumps, since exposed addresses and credentials are a common precursor to spear-phishing operations like the one observed against Kabul.