Overview
A new cyber‑espionage campaign, codenamed Operation XENOFISCAL, has been uncovered targeting Afghanistan’s Ministry of Finance and provincial revenue directorates. The campaign is attributed to the Pakistan‑aligned SideCopy group, a sub‑cluster of Transparent Tribe (APT36), known for its persistent targeting of South Asian government and defense entities.
Researchers at Seqrite Labs revealed that the attackers used Pashto‑language spear‑phishing lures to deliver the open‑source Xeno RAT 1.8.7, reflecting deep familiarity with Afghan administrative environments.
Attack Chain Breakdown

The campaign begins with a ZIP archive containing a malicious Windows Shortcut (LNK) file disguised with a Pashto filename. Once executed, the infection chain unfolds as follows:
| Stage | Technique | Objective |
|---|---|---|
| Spear‑Phishing Delivery | ZIP archive with LNK file | Initial compromise via social engineering |
| Remote HTA Fetch | mshta.exe retrieves HTML Application from compromised Afghan education domain | Executes obfuscated JavaScript in memory |
| Persistence Establishment | Registry‑based persistence mimicking Microsoft Edge | Ensures malware survives reboot |
| Payload Deployment | DLL‑based loader drops Xeno RAT 1.8.7 and decoy document | Distraction and remote‑access setup |
| Command & Control | TCP connection to remote server | Executes operator commands and data exfiltration |
Technical Insights
Xeno RAT is a modular remote access trojan capable of:
- Loading external DLL modules for dynamic functionality.
- Executing shell commands and managing files.
- Logging keystrokes, taking screenshots, and monitoring clipboard activity.
- Tracking webcam and microphone usage.
- Establishing SOCKS5 proxy tunnels for covert network communication.
- Deleting persistence and self‑uninstalling to evade forensics.
This multi‑layered design allows SideCopy to maintain stealthy control over infected endpoints while blending into legitimate network traffic.
Regional Context
SideCopy’s operations are part of a broader Transparent Tribe campaign targeting South Asian entities. Previous attacks in India leveraged Xeno RAT, Spark RAT, and CurlBack RAT, while recent activity has expanded to Linux‑based DeskRAT attacks against Indian military infrastructure.
The use of Pashto language lures and Afghan education domains demonstrates localized social engineering adaptation, a hallmark of state‑aligned espionage groups seeking regional intelligence advantage.
Mitigation Steps
Organizations in the region should:
- Block mshta.exe execution and monitor for HTA‑based payloads.
- Audit registry entries mimicking Microsoft Edge.
- Inspect network traffic for anomalous TCP connections.
- Train staff on localized phishing lures, especially Pashto‑language attachments.
- Deploy endpoint detection and response (EDR) to identify RAT behavior patterns.
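The following is an added detection example, not code from the original write-up or from Seqrite's research. It turns the first two mitigation steps, and the mshta.exe and registry stages of the attack chain table above, into checks that run over constructed Windows telemetry: process-creation events where mshta.exe is launched with a remote URL (the HTA fetch stage), and autorun entries that borrow Microsoft Edge's name but point outside Edge's real install directory (the persistence stage). The sample events, the assumption that persistence lives in a Run-style autorun key, the "edge" naming heuristic and the Edge install paths are all assumptions made for illustration; the write-up does not specify the exact registry location or entry name used.

```python
"""
Added detection example (not from the original article). It applies the
mitigation steps above to constructed telemetry: flag mshta.exe launched
with a remote HTA URL, and autorun entries that mimic Microsoft Edge's
name but do not point at Edge's install directory. Sample events, the
autorun-key assumption and the naming heuristic are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "https://edu-example.invalid/update.hta"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Desktop\local.hta"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed sample autorun entries (name -> command), assumed to come
# from a Run-style registry key; the article does not name the exact key.
SAMPLE_AUTORUN_ENTRIES = [
    {"name": "MicrosoftEdgeAutoLaunch",
     "value": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
    {"name": "Microsoft Edge Update",
     "value": r"rundll32.exe C:\Users\Public\edgeupd.dll,Start"},
    {"name": "OneDrive",
     "value": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
EDGE_NAME = re.compile(r"edge", re.IGNORECASE)
# Directories where a genuine Edge binary is expected (assumption).
EDGE_REAL_DIRS = (
    "c:\\program files (x86)\\microsoft\\edge\\",
    "c:\\program files\\microsoft\\edge\\",
)


@dataclass
class Finding:
    rule: str
    detail: str


def check_process_event(event: dict) -> Optional[Finding]:
    """Flag mshta.exe when its command line carries a remote URL."""
    is_mshta = event["image"].lower().endswith("\\mshta.exe")
    if is_mshta and REMOTE_URL.search(event["cmdline"]):
        return Finding("mshta_remote_hta", event["cmdline"])
    return None


def check_autorun_entry(entry: dict) -> Optional[Finding]:
    """Flag an autorun that uses Edge's name but not Edge's install path."""
    if not EDGE_NAME.search(entry["name"]):
        return None
    value = entry["value"].lower()
    if any(real_dir in value for real_dir in EDGE_REAL_DIRS):
        return None  # genuine Edge autorun, nothing to report
    return Finding("edge_lookalike_autorun", f'{entry["name"]} -> {entry["value"]}')


def scan(process_events, autorun_entries):
    """Run both checks and collect every Finding."""
    findings = []
    for event in process_events:
        finding = check_process_event(event)
        if finding is not None:
            findings.append(finding)
    for entry in autorun_entries:
        finding = check_autorun_entry(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_AUTORUN_ENTRIES):
        print(f"[{f.rule}] {f.detail}")
```

Run against the constructed samples, the script reports the remote mshta.exe launch and the "Microsoft Edge Update" entry that loads a DLL from a user-writable path, while the genuine Edge autorun and the local HTA launch pass. In production the same two functions would be fed by an EDR or Sysmon process-creation feed and a periodic autorun dump; the Edge path allow-list is the piece most worth tuning to your own build.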
Expert in the Cloud Insight
Operation XENOFISCAL underscores how regional language targeting and open‑source malware adaptation are reshaping modern espionage. By weaponizing Xeno RAT and leveraging trusted Afghan domains, SideCopy demonstrates the growing sophistication of state‑aligned cyber actors in South Asia.
For defenders, the lesson is clear: contextual threat intelligence — understanding linguistic, cultural, and infrastructural nuances — is now essential to counter nation‑state operations.