Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan

SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.

Pulse ID: 6a196f2fd88de848b913e4da
Pulse Link: https://otx.alienvault.com/pulse/6a196f2fd88de848b913e4da
Pulse Author: AlienVault
Created: 2026-05-29 10:49:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Afghanistan #Bulgaria #CyberSecurity #Edge #Education #Government #InfoSec #Java #JavaScript #LNK #Microsoft #MicrosoftEdge #Mimic #OTX #OpenThreatExchange #Pakistan #Phishing #RAT #SideCopy #SpearPhishing #TransparentTribe #bot #AlienVault

LevelBlue - Open Threat Exchange


📢⚠️#Pakistan-linked APT36 is flooding Indian government networks with AI-generated “#Vibeware”, disposable malware built with AI. The campaign abuses trusted platforms like Google Sheets, Slack, and Discord for C&C

Read: https://hackread.com/pakistan-apt36-indian-govt-networks-ai-vibeware/

#CyberSecurity #APT36 #TransparentTribe #Malware #AI #CyberAttack

Pakistan-Linked APT36 Floods Indian Govt Networks With AI-Made ‘Vibeware’

Bitdefender research reveals Pakistani group APT36 is using AI-generated vibeware and trusted cloud services like Google Sheets to target Indian officials.

Hackread - Cybersecurity News, Data Breaches, AI and More

Morning, cyber practitioners! It's been a busy start to the year with significant breaches impacting government contractors and healthcare, ongoing crypto theft linked to past compromises, and new insights into nation-state activity. We're also seeing an old Fortinet vulnerability still being actively exploited, and regulators are taking a hard look at AI deepfakes. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

- Sedgwick Government Solutions, a major federal contractor, confirmed a cyber incident affecting an isolated file transfer system, with the TridentLocker ransomware gang claiming 3.4 GB of data theft. The company states no wider systems or claims management servers were impacted.
- Covenant Health, a Catholic healthcare provider, has revised the impact of its May 2025 data breach to nearly 478,188 patients. The Qilin ransomware group claimed responsibility, having stolen 852 GB of data, including names, SSNs, health insurance, and treatment details.
- Trust Wallet's browser extension suffered an $8.5 million crypto theft from over 2,500 wallets, linked to exposed GitHub developer secrets and a leaked Chrome Web Store API key. Attackers published a malicious JavaScript file in a trojanised extension, bypassing internal review, and the incident is believed to be related to the "industry-wide" Shai-Hulud NPM supply chain attack.
- Ongoing cryptocurrency thefts, totalling over $35 million, have been traced back to the 2022 LastPass breach, with attackers gradually decrypting stolen encrypted vaults containing private keys and seed phrases. TRM Labs successfully "demixed" funds laundered through Wasabi Wallet's CoinJoin, linking the activity to the Russian cybercrime ecosystem.
- A cybercrook claims to be selling 139 GB of engineering data from Pickett and Associates, a firm serving major US utilities like Tampa Electric Company, Duke Energy Florida, and American Electric Power, for 6.5 Bitcoin. The alleged data includes LiDAR files, orthophotos, and design files, highlighting the increasing targeting of critical infrastructure.

🗞️ The Record | https://therecord.media/sedgwick-cyber-incident-ransomware
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/covenant-health-says-may-data-breach-impacted-nearly-478-000-patients/
🗞️ The Record | https://therecord.media/covenant-health-breach-qilin
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/trust-wallet-links-85-million-crypto-theft-to-shai-hulud-npm-attack/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cryptocurrency-theft-attacks-traced-to-2022-lastpass-breach/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/02/critical_utility_files_for_sale/

New Threat Research and Tradecraft 🛡️

- Transparent Tribe (APT36) is targeting Indian governmental, academic, and strategic entities with new RAT attacks. The campaign uses weaponised LNK files disguised as PDFs, executing a remote HTA script that loads the RAT directly into memory, with persistence mechanisms adapting based on detected antivirus solutions.
- Cybercriminals are abusing Google Cloud's Application Integration "Send Email" feature to send phishing emails from a legitimate `noreply-application-integration@google[.]com` address, bypassing DMARC and SPF checks. The multi-stage attack uses Google Cloud services for redirection and a fake CAPTCHA before leading to a credential-stealing Microsoft login page.

📰 The Hacker News | https://thehackernews.com/2026/01/transparent-tribe-launches-new-rat.html
🗞️ The Record | https://therecord.media/pakistan-linked-hacking-group-targets-indian-orgs
📰 The Hacker News | https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html

Actively Exploited Vulnerability 🚨

- Over 10,000 Fortinet firewalls remain exposed to CVE-2020-12812, a critical (9.8 severity) five-year-old 2FA bypass vulnerability in FortiGate SSL VPN. Attackers are actively exploiting this flaw when username case is changed and LDAP is enabled, with state-sponsored groups and ransomware actors having leveraged it since at least 2021.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/

Regulatory Spotlight on AI Deepfakes ⚖️

- European regulators, including France and the UK, are considering action against Elon Musk's X after its AI tool Grok was used to create sexually explicit deepfakes of a minor. The UK plans to ban "nudification tools," intensifying the debate between European content moderation efforts and X's stance on free speech.

🗞️ The Record | https://therecord.media/europe-regulators-grok-france

Law Enforcement & Cybersecurity Recognition 🏅

- Gavin Webb of the National Crime Agency (NCA) has been awarded an OBE by King Charles for his strategic coordinating role in Operation Cronos, the international law enforcement effort that disrupted the LockBit ransomware group. LockBit was responsible for a quarter of all ransomware attacks between 2023 and 2024.
- British security researcher Jacob Riggs has secured Australia's rare Subclass 858 National Innovation visa after discovering a critical vulnerability in the Department of Foreign Affairs and Trade (DFAT) systems, demonstrating his commitment to cybersecurity.
- Ilya Lichtenstein, who pleaded guilty to money laundering related to the 2016 Bitfinex crypto theft, has been released early after serving approximately 14 months, attributing his release to Trump's First Step Act. His wife, Heather Morgan, also received an early release.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/02/nca_new_year_honours/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/02/brit_security_australia_visa/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/02/bitfinex_crypto_thief_released/

#CyberSecurity #ThreatIntelligence #Ransomware #Phishing #APT #TransparentTribe #LockBit #Fortinet #Vulnerability #Deepfake #AI #CryptoTheft #LastPass #CriticalInfrastructure #InfoSec #IncidentResponse
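The initial-access chain described in the XENOFISCAL pulse at the top of the page (LNK → mshta.exe → remote HTA → registry Run persistence posing as Microsoft Edge) and again in the Transparent Tribe item in the digest above (LNK disguised as a PDF launching a remote HTA) is the part a detection engineer can act on without waiting for samples. The block below is an added example, not code from the OTX pulse, the digest, or any vendor report. The event records are constructed to resemble Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) fields; the hostname, user paths and the Run value name "MicrosoftEdgeUpdate" are assumptions for illustration, not indicators from the campaign.

```python
"""Hunting the LNK -> mshta.exe -> remote HTA -> Run-key persistence chain.

Added example; not code from the OTX pulse, the digest above or any vendor
report. The records below are constructed to resemble Sysmon Event ID 1
(process create) and Event ID 13 (registry value set) fields; real telemetry
needs a small field-mapping adapter. The hostname, user paths and the Run
value name "MicrosoftEdgeUpdate" are assumptions for illustration only.
"""
import re

# Directories where real Edge binaries live. A Run value whose *name* suggests
# Edge but whose command runs from elsewhere is the "mimicking Microsoft Edge"
# persistence the pulse describes.
EDGE_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edgeupdate",
)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
REMOTE_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def flag_process(ev):
    """Reasons a process-create event matches the initial-access stage."""
    reasons = []
    exe = ev["Image"].lower().rsplit("\\", 1)[-1]
    if exe != "mshta.exe":
        return reasons
    urls = REMOTE_RE.findall(ev["CommandLine"])
    if urls:
        reasons.append(f"mshta.exe pulling a remote HTA: {urls[0]}")
    # A double-clicked LNK launches its target as a child of explorer.exe.
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("mshta.exe spawned by explorer.exe (LNK double-click pattern)")
    return reasons


def flag_registry(ev):
    """Reasons a registry-set event looks like script-host or fake-Edge persistence."""
    reasons = []
    target = ev["TargetObject"].lower()
    if "\\currentversion\\run\\" not in target:
        return reasons
    name = target.rsplit("\\", 1)[-1]
    details = ev["Details"].lower()
    if "edge" in name and not any(d in details for d in EDGE_DIRS):
        reasons.append(f"Run value '{name}' claims Edge but runs: {ev['Details']}")
    if any(h in details for h in SCRIPT_HOSTS):
        reasons.append(f"Run value '{name}' launches a script host")
    return reasons


def hunt(events):
    """Return [(EventID, reasons)] for every event that matched at least once."""
    hits = []
    for ev in events:
        reasons = flag_process(ev) if ev["EventID"] == 1 else flag_registry(ev)
        if reasons:
            hits.append((ev["EventID"], reasons))
    return hits


# Constructed sample telemetry: one malicious mshta launch, one benign local
# HTA run by an installer, one fake-Edge Run value, one legitimate Run value.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://lure.example.invalid/staff-directory.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Temp\setup\ui.hta',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
     "Details": r'wscript.exe //B "C:\Users\u\AppData\Roaming\MicrosoftEdge\edge.js"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for event_id, reasons in hunt(EVENTS):
        print(f"Event {event_id}:")
        for r in reasons:
            print("   ", r)
```

Two design points worth keeping when porting this to real telemetry: mshta.exe on its own is noisy (installers and line-of-business apps run local HTAs), so the rule only scores the remote URL and the explorer.exe parent, and the registry check keys on the mismatch between what the value name claims and where the command actually runs rather than on the name alone.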

Sedgwick confirms cyber incident affecting its major federal contractor subsidiary

The claims administration company Sedgwick confirmed that a subsidiary that contracts with a handful of sensitive federal agencies is dealing with a cybersecurity incident.

TransparentTribe targets Indian military organisations with DeskRAT

TransparentTribe targets Indian military entities using DeskRAT, a Golang-based remote access Trojan. Learn how this new campaign works.

Sekoia.io Blog

Discover how #TransparentTribe (#APT36) uses a disguised DESKTOP dropper to deploy #DeskRAT, a Golang RAT, on BOSS Linux endpoints in India.

Our Sekoia #TDR report breaks down the full infection chain and stealthy WebSocket C2 communications.

Read more 👉 https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/

📌 Transparent Tribe (APT36) has leveled up.
Their phishing campaigns now use malicious Linux & Windows desktop shortcuts to break into Indian government systems.
➡️ Fake PDF → Malware → Persistence → Data theft.
👀 Do you think orgs are ready for attacks that adapt across platforms?
💬 Share in the comments & follow @technadu for more cyber insights.

#TransparentTribe #APT36 #Linux #BOSS #CyberEspionage #Phishing #IndianGovt

Pakistan’s #APT36 Transparent Tribe targets Indian defence sector with new #Linux malware using fake PowerPoint files to breach BOSS Linux systems.

Read: https://hackread.com/pakistan-transparent-tribe-indian-defence-linux-malware/

#CyberSecurity #CyberAttack #Pakistan #India #TransparentTribe #Linux

Pakistan’s Transparent Tribe Hits Indian Defence with Linux Malware

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto

Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT
#TransparentTribe #ElizaRAT
https://research.checkpoint.com/2024/the-evolution-of-transparent-tribes-new-malware/
Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT - Check Point Research

Recent cyber attacks by Transparent Tribe, or APT36, utilize increasingly sophisticated malware called ElizaRAT

Check Point Research

[Threatview.io]⚡️Some domains likely used by #transparentTribe targeting #India

counciling[.]com
nbssedelhi[.]org
ashifdigitalseva[.]xyz
birthdeath[.]in
gov-certificate[.]com
viewss[.]click
admin-mcas-df[.]ms
admin-mcas[.]ms
mcas-df[.]ms
mcas[.]ms
verifycertificate[.]info
nimsme[.]org

#threatintel
#dfir
#apt
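The list above is defanged and, as the post says, only "likely" attributable, so before it goes near a blocklist it needs refanging and a match rule that does not produce substring false positives. The block below is an added example, not code from the Threatview post; the DNS log lines and their layout (timestamp, client, queried name) are constructed. One caveat is built in as an editorial choice: four of the entries (admin-mcas-df[.]ms, admin-mcas[.]ms, mcas-df[.]ms, mcas[.]ms) are the domain names Microsoft documents for its Defender for Cloud Apps session proxy, so hits on them are routed to analyst review instead of a block verdict.

```python
"""Refanging the domain list above and matching it against DNS query logs.

Added example; not code from the Threatview post. The log lines are
constructed and their layout (timestamp, client, queried name) is an
assumption. REVIEW_ONLY is an editorial addition: those four names are the
domains Microsoft documents for the Defender for Cloud Apps session proxy,
so a hit on them is sent to analyst review rather than blocked outright.
"""

IOC_TEXT = """
counciling[.]com
nbssedelhi[.]org
ashifdigitalseva[.]xyz
birthdeath[.]in
gov-certificate[.]com
viewss[.]click
admin-mcas-df[.]ms
admin-mcas[.]ms
mcas-df[.]ms
mcas[.]ms
verifycertificate[.]info
nimsme[.]org
"""

REVIEW_ONLY = {"admin-mcas-df.ms", "admin-mcas.ms", "mcas-df.ms", "mcas.ms"}


def refang(value):
    """Undo the common defanging styles: x[.]y, x(.)y, hxxp://."""
    v = value.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("hxxps://", ""), ("hxxp://", "")):
        v = v.replace(old, new)
    return v.rstrip(".")


def load_iocs(text):
    return {refang(line) for line in text.splitlines() if line.strip()}


def match_ioc(qname, iocs):
    """Most specific IOC that qname equals or sits under, else None.

    Walking label suffixes avoids the substring trap of endswith():
    'notcounciling.com' must not match 'counciling.com'.
    """
    labels = refang(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan(log_text, iocs):
    """Return (client, qname, ioc, verdict) for every matching query."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        ioc = match_ioc(qname, iocs)
        if ioc:
            verdict = "review" if ioc in REVIEW_ONLY else "block"
            findings.append((client, qname.rstrip("."), ioc, verdict))
    return findings


# Constructed DNS log: a proxy-domain hit, a direct hit, a near-miss, a subdomain.
DNS_LOG = """
2026-05-29T10:49:19Z 10.0.0.12 login.mcas.ms
2026-05-29T10:50:01Z 10.0.0.12 gov-certificate.com
2026-05-29T10:51:44Z 10.0.0.40 notcounciling.com
2026-05-29T10:52:03Z 10.0.0.40 www.viewss.click.
"""

IOCS = load_iocs(IOC_TEXT)

if __name__ == "__main__":
    for client, qname, ioc, verdict in scan(DNS_LOG, IOCS):
        print(f"{verdict:6} {client:10} {qname:24} (matched {ioc})")
```

The suffix walk is the important part: it matches www.viewss.click as a child of viewss.click, treats mcas.ms and admin-mcas.ms as the separate registrations they are, and rejects notcounciling.com, which a naive endswith("counciling.com") would have flagged.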

The Pakistan cyber actor #APT36 aka #TransparentTribe has been linked to a new set of attacks targeting the Indian government, defense, and aerospace sectors using cross-platform malware written in Python, Golang, and Rust.

"This cluster of activity spanned from late 2023 to April 2024 and is anticipated to persist," the BlackBerry Research and Intelligence Team said in a technical report published earlier this week.
https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors

Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages

As part of our continuous threat hunting efforts across the Asia-Pacific region, BlackBerry discovered Pakistani-based APT group Transparent Tribe targeting the government, defense and aerospace sectors of India.

BlackBerry