Researchers uncover cyber campaign targeting Afghanistan’s Finance Ministry

SideCopy-linked phishing operation deploys Xeno RAT against Afghan government targets

Cybersecurity researchers have identified a targeted spear-phishing campaign aimed at Afghanistan’s Ministry of Finance, with the operation linked to the Pakistan-aligned SideCopy threat group. The campaign uses the open-source remote access trojan Xeno RAT to gain access to targeted systems and steal sensitive information.

According to researchers, the attack begins with a spear-phishing email containing a ZIP archive that includes a malicious Windows shortcut (LNK) file. The file uses a carefully crafted Pashto-language name, a tactic believed to increase credibility among Afghan government officials and employees.

The campaign, dubbed Operation XENOFISCAL, has also targeted provincial revenue and finance departments, Pashto-speaking government personnel, and employees working in regional government offices. Researchers noted that the use of Pashto demonstrates a strong understanding of the target environment and government communication practices.

SideCopy is considered a Pakistan-linked cyber threat group operating under the broader Transparent Tribe, also known as APT36. The group has previously been associated with cyber espionage campaigns across South Asia and has used multiple malware families, including Xeno RAT, Spark RAT, and CurlBack RAT.

Researchers said the attack chain uses the Windows utility mshta.exe to retrieve a malicious HTML Application (HTA) file from a compromised Afghan education-related domain. The file then executes obfuscated JavaScript directly in memory, helping the malware avoid detection.

To maintain long-term access, the malware creates registry-based persistence mechanisms disguised as Microsoft Edge processes. It then deploys Xeno RAT 1.8.7 along with a decoy document intended to distract victims while the infection proceeds in the background.
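The two host-side behaviours described above, mshta.exe fetching an HTA from a remote domain and registry persistence that borrows Microsoft Edge's name, are both detectable from ordinary endpoint telemetry. The following is an added detection example, not code from the researchers or from the campaign itself. It assumes the persistence lives in a Run key (the article only says "registry-based"), that telemetry is available as Sysmon-style process-creation events and exported Run-key values, and that the legitimate Edge install directories are the defaults; all event data and the domain name are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the article): Sysmon-style
# process-creation events and Run-key values, shaped the way an EDR or a
# registry audit would export them. The hostname is a placeholder.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" http://placeholder-compromised.example/doc.hta'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\VendorApp\setup.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\VendorApp\wizard.hta"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]

RUN_KEY_VALUES = [
    # Look-alike: Edge-themed name, binary in a user-writable profile directory.
    {"hive": "HKCU", "name": "MicrosoftEdgeUpdate",
     "data": r"C:\Users\user\AppData\Roaming\Edge\msedge.exe"},
    # Legitimate Edge entry under the default install directory.
    {"hive": "HKLM", "name": "Microsoft Edge",
     "data": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
    # Unrelated autorun, must not be flagged.
    {"hive": "HKCU", "name": "OneDrive",
     "data": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EDGE_NAME_RE = re.compile(r"(ms)?edge", re.IGNORECASE)

# Assumption: default install locations for Edge and its updater/WebView.
LEGIT_EDGE_DIRS = (
    PureWindowsPath(r"C:\Program Files (x86)\Microsoft\Edge"),
    PureWindowsPath(r"C:\Program Files\Microsoft\Edge"),
    PureWindowsPath(r"C:\Program Files (x86)\Microsoft\EdgeUpdate"),
    PureWindowsPath(r"C:\Program Files (x86)\Microsoft\EdgeWebView"),
)


def flag_mshta_remote_hta(events):
    """Return the URLs of mshta.exe launches that load content over HTTP(S).

    mshta.exe pulling an HTA from a URL is rare in routine administration,
    so it is a high-signal event regardless of which domain it points at.
    """
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "mshta.exe":
            continue
        match = URL_RE.search(ev["command_line"])
        if match:
            hits.append(match.group(0))
    return hits


def _first_executable(data):
    """Extract the executable path from a Run-key value, quoted or bare."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def _under_legit_dir(path):
    p = PureWindowsPath(path)  # PureWindowsPath compares case-insensitively
    return any(d in p.parents for d in LEGIT_EDGE_DIRS)


def flag_edge_lookalike_runkeys(values):
    """Return (hive, value name, exe) for Run-key values whose name or binary
    borrows the Edge brand but whose binary sits outside the Edge install dirs."""
    hits = []
    for v in values:
        exe = _first_executable(v["data"])
        looks_like_edge = (EDGE_NAME_RE.search(v["name"])
                           or EDGE_NAME_RE.search(PureWindowsPath(exe).name))
        if looks_like_edge and not _under_legit_dir(exe):
            hits.append((v["hive"], v["name"], exe))
    return hits


if __name__ == "__main__":
    for url in flag_mshta_remote_hta(PROCESS_EVENTS):
        print("mshta.exe loading remote HTA:", url)
    for hive, name, exe in flag_edge_lookalike_runkeys(RUN_KEY_VALUES):
        print(f"Edge look-alike Run value {hive}\\...\\Run\\{name} -> {exe}")
```

The mshta rule keys on the transport (a URL on the command line) rather than on the compromised domain, so it survives infrastructure changes; the Run-key rule compares the claimed identity (the Edge name) against where the binary actually lives, which is what the disguise is designed to defeat. In production the name pattern should be tightened (the loose `edge` match also catches unrelated words) and the legitimate-directory list read from the host's real install paths.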

Once installed, Xeno RAT can communicate with a remote command-and-control server and perform a wide range of malicious activities. These include file manipulation, keystroke logging, screenshot capture, clipboard monitoring, webcam and microphone surveillance, antivirus reconnaissance, network tunneling through SOCKS5 proxies, and the execution of additional malware modules.

The disclosure comes as researchers also reported another campaign attributed to Transparent Tribe that targeted India’s military ecosystem. That operation reportedly used weaponized Linux .desktop files, WhatsApp-based social engineering, and a Golang-based malware known as DeskRAT to compromise defense-related targets.

Researchers believe both campaigns highlight the continued evolution of cyber espionage activities targeting government and defense organizations across South Asia.
