Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan
Essential information
- Published
- 29/05/2026 12:49
- Modified
- 29/05/2026 12:40
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- afghanistan ministry of finance apt36 hta payload multi-stage loader pashto lure provincial targeting sidecopy spear phishing transparent tribe xenorat
- Tags
- 2026-05-29 afghanistan ministry of finance apt36 hta payload multi-stage loader pashto lure provincial targeting sidecopy spear-phishing transparent tribe xenorat
- Related entities
- 12 indicators, 12 observables, 1 intrusion sets (apt), 1 malware, 4 others
Description
SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.