Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
SideCopy Targets Afghan Finance Ministry with Xeno RAT

SideCopy Targets Afghan Finance Ministry with Xeno RAT

Posted on June 2, 2026 By CWS

Cybersecurity experts have recently revealed an intricate spear-phishing initiative attributed to the Pakistan-affiliated SideCopy group. This operation specifically targets Afghanistan’s Ministry of Finance using the open-source remote access trojan, Xeno RAT.

Targeted Spear-Phishing Campaign

The attack begins with a spear-phishing method, distributing a ZIP file that contains a malicious LNK file. This file is named in Pashto, the primary language used within Afghan governmental circles, indicating the attackers’ in-depth understanding of their target environment, as explained by Seqrite Labs researcher Dixit Panchal.

Beyond the Ministry of Finance, the campaign also focuses on provincial revenue and finance directorates, as well as government officials and employees who are Pashto speakers. This operation has been coined “Operation XENOFISCAL.”

SideCopy’s Broader Objectives

SideCopy, a group linked to the broader Transparent Tribe or APT36 network, has employed various malware families in its efforts to extract sensitive information. The group was previously associated with attacks in India in April 2025, utilizing Xeno RAT, Spark RAT, and CurlBack RAT.

This recent operation against Afghanistan is part of a larger pattern of cyber malfeasance targeting South Asian entities, demonstrating the group’s persistent threats in the region.

Xeno RAT’s Sophisticated Techniques

Upon execution, the LNK file uses “mshta.exe” to retrieve a remote HTML Application from a compromised Afghan education domain. This leads to the execution of obfuscated JavaScript, establishing persistence through registry manipulation and mimicking Microsoft Edge. Additionally, Xeno RAT 1.8.7 is deployed, alongside a decoy document, via a DLL-based loader.

Xeno RAT connects to a remote server, executing commands from its operators, and is capable of loading external DLL modules, performing file operations, logging keystrokes, and more. It also supports SOCKS5 proxy-based network tunneling and can uninstall itself to evade detection.

Related Operations in India

Concurrent with the Afghan operation, new details have emerged about a phishing campaign targeting Indian military infrastructure. This campaign involves weaponized Linux .desktop files and is linked to Transparent Tribe. It uses contract-related lures to infiltrate Indian-armored vehicle procurement operations.

Security researcher R.D. Tarun reported that this campaign employs WhatsApp-based social engineering tactics and staged shell payload delivery. Once the malicious launcher is executed, it triggers a complex infection chain using Golang-based ELF implants, tracked as DeskRAT.

These operations highlight the ongoing cyber threats posed by groups like SideCopy and Transparent Tribe, emphasizing the need for heightened vigilance and robust cybersecurity measures in the region.

The Hacker News Tags:Afghanistan, APT36, Cyberattack, Cybersecurity, Espionage, Pakistan, Pashto language, SideCopy, South Asia, spear-phishing, Transparent Tribe, Xeno RAT

Post navigation

Previous Post: Join Free Webinar on AI-Powered Web App Security
Next Post: Hackers Exploit Meta AI to Seize Instagram Accounts

Related Posts

Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack The Hacker News
Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3 Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3 The Hacker News
How to Close Threat Detection Gaps: Your SOC’s Action Plan How to Close Threat Detection Gaps: Your SOC’s Action Plan The Hacker News
Google Integrates Rust DNS Parser in Pixel 10 for Security Google Integrates Rust DNS Parser in Pixel 10 for Security The Hacker News
Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps The Hacker News
Anthropic Resumes Claude Fable 5 After Export Ban Lifted Anthropic Resumes Claude Fable 5 After Export Ban Lifted The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution
  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data
  • EY Faces Data Breach: IT System Compromised

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution
  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data
  • EY Faces Data Breach: IT System Compromised

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark