Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
SideCopy Launches XenoRAT Cyberattack on Afghan Finance

SideCopy Launches XenoRAT Cyberattack on Afghan Finance

Posted on June 1, 2026 By CWS

A cyber threat group linked to Pakistan, known as SideCopy, has executed a targeted attack on Afghanistan’s Ministry of Finance using a remote access tool called XenoRAT. This operation, named Operation XENOFISCAL, focused on Afghanistan’s provincial finance offices, known as Mustoufiats, which play a crucial role in the country’s financial administration.

Operation XENOFISCAL Unveiled

The cyberattack commenced with a spear phishing attempt that delivered a ZIP archive. Within this archive was a malicious shortcut file, cleverly disguised as a PDF document with a filename in Pashto, the primary language of Afghan government officials. The deceptive file masqueraded as a list of seminar invitees, suggesting that the attackers had a deep understanding of their targets’ professional environment.

Analysts from Seqrite, in collaboration with Cyber Security News, traced this attack to the SideCopy APT cluster with moderate to high certainty. This group is known to operate under the broader Transparent Tribe umbrella, or APT36, which has a history of targeting governmental bodies in South Asia. Seqrite Labs has been monitoring this threat as part of their global efforts to track spear phishing campaigns.

Technical Aspects of the Attack

When the victim engaged with the shortcut file, the malware exploited a legitimate Windows utility, mshta.exe, to connect to a compromised Afghan educational domain and retrieve a remote payload. This approach, known as Living-off-the-Land, allows cybercriminals to use existing system tools to circumvent security measures. Subsequently, the malware decoded JavaScript within memory and embedded itself into the Windows Registry, camouflaging its persistence as a Microsoft Edge process.

The culmination of the attack saw the deployment of XenoRAT 1.8.7, an open-source remote access trojan, which established an encrypted connection to a server in Frankfurt, Germany. This server acted as a command-and-control hub, separate from the initial delivery domain to ensure sustained access even if initial defenses were compromised.

Strategic Implications and Recommendations

The attack was methodically structured across five stages, each designed to evade detection. The final payload exploited reflective loading to execute without writing to disk, complicating its identification by traditional antivirus systems. XenoRAT, once active, connected using encrypted TCP traffic and maintained persistence using both scheduled tasks and registry keys.

The attackers demonstrated prior knowledge by dropping a legitimate Afghan Ministry of Finance staff directory during execution, indicating reconnaissance through previous breaches. The use of local Afghan infrastructure for payload delivery helped the malware blend with legitimate traffic, evading standard network security tools.

Conclusion and Security Measures

Security professionals are advised to monitor for abnormal mshta.exe activities, unexpected registry entries mimicking system processes, and outbound traffic to unfamiliar European servers. Implementing application allow-listing, routine audits of scheduled tasks, and restricting HTA execution from public directories are recommended preventative measures. Seqrite has released specific detection signatures to aid in identifying compromised systems.

Indicators of Compromise (IoCs) suggest a high level of sophistication in both execution and planning. Security teams must remain vigilant and proactive to counter such evolving threats.

Cyber Security News Tags:Afghanistan, APT36, Cyberattack, Cybersecurity, digital security, Finance Ministry, living-off-the-land, Malware, remote access tool, Seqrite, SideCopy, spear-phishing, threat intelligence, Transparent Tribe, XenoRAT

Post navigation

Previous Post: Dragos Enhances Cybersecurity with Phosphorus Acquisition
Next Post: New Flaws and AI Threats Shape Cybersecurity Landscape

Related Posts

OpenAI Boosts AI Security by Acquiring Promptfoo OpenAI Boosts AI Security by Acquiring Promptfoo Cyber Security News
Django App Vulnerabilities Chained to Execute Arbitrary Code Remotely Django App Vulnerabilities Chained to Execute Arbitrary Code Remotely Cyber Security News
Wendy’s Franchise Database Allegedly Compromised Wendy’s Franchise Database Allegedly Compromised Cyber Security News
Critical Samba RCE Vulnerability Enables Arbitrary Code Execution Critical Samba RCE Vulnerability Enables Arbitrary Code Execution Cyber Security News
New XWorm V6 Variant’s With Anti-Analysis Capabilities Attacking Windows Users in The Wild New XWorm V6 Variant’s With Anti-Analysis Capabilities Attacking Windows Users in The Wild Cyber Security News
Halo Security’s Platform Wins Top MSP Award Again Halo Security’s Platform Wins Top MSP Award Again Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • JetBrains Fixes Critical Security Flaws in Key Products
  • Dutch Police Break Up €100 Million Fraud Network
  • AI Security Testing Evolves with New Threats
  • Daxin Malware Reappears in Taiwan with New Stupig Backdoor
  • Next.js Enhances Security with Monthly Update Program

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • JetBrains Fixes Critical Security Flaws in Key Products
  • Dutch Police Break Up €100 Million Fraud Network
  • AI Security Testing Evolves with New Threats
  • Daxin Malware Reappears in Taiwan with New Stupig Backdoor
  • Next.js Enhances Security with Monthly Update Program

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark