Cybersecurity researchers have recently detailed an elaborate spear-phishing campaign attributed to the Pakistan-linked SideCopy group. The operation specifically targets Afghanistan’s Ministry of Finance using Xeno RAT, an open-source remote access trojan.
Targeted Spear-Phishing Campaign
The attack begins with a spear-phishing message that delivers a ZIP archive containing a malicious LNK (Windows shortcut) file. The file is named in Pashto, the primary language of Afghan government circles, which Seqrite Labs researcher Dixit Panchal notes reflects the attackers’ in-depth understanding of their target environment.
Beyond the Ministry of Finance, the campaign also focuses on provincial revenue and finance directorates, as well as Pashto-speaking government officials and employees. The operation has been codenamed “Operation XENOFISCAL.”
SideCopy’s Broader Objectives
SideCopy, a group linked to the broader Transparent Tribe or APT36 network, has employed various malware families in its efforts to extract sensitive information. The group was previously associated with attacks in India in April 2025, utilizing Xeno RAT, Spark RAT, and CurlBack RAT.
This recent operation against Afghanistan fits a larger pattern of malicious cyber activity aimed at South Asian entities, demonstrating the group’s persistent threat in the region.
Xeno RAT’s Sophisticated Techniques
Upon execution, the LNK file invokes “mshta.exe” to retrieve a remote HTML Application (HTA) from a compromised Afghan education domain. The HTA runs obfuscated JavaScript that establishes persistence through registry manipulation while masquerading as Microsoft Edge. Xeno RAT 1.8.7 is then deployed via a DLL-based loader, alongside a decoy document.
Xeno RAT connects to a remote server, executing commands from its operators, and is capable of loading external DLL modules, performing file operations, logging keystrokes, and more. It also supports SOCKS5 proxy-based network tunneling and can uninstall itself to evade detection.
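As an added example (not code from the report or from Seqrite Labs), the following Python triage script applies two observable traits of the infection chain described above to constructed process and Run-key events: mshta.exe launched with a remote URL, and a Run-key entry that names itself after Microsoft Edge but launches from outside Edge’s install directory. The sample events, the placeholder domain and the install-path list are assumptions for illustration.

```python
import re
# Constructed sample telemetry (not from the report): process-creation and
# Run-key registry events in the shape an EDR or Sysmon export might take.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://edu.example.invalid/update/page.hta"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Microsoft Edge Update",
     "data": r"C:\Users\u\AppData\Roaming\Edge\msedge.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicrosoftEdgeAutoLaunch_ABC",
     "data": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
EDGE_LIKE = re.compile(r"edge", re.IGNORECASE)
# Genuine Edge launches from one of these (assumed); anything else claiming to be Edge is suspect.
EDGE_INSTALL_DIRS = ("c:\\program files\\microsoft\\edge\\",
                     "c:\\program files (x86)\\microsoft\\edge\\")

def flag_mshta_remote(ev):
    """mshta.exe given an http(s) URL means a remote HTA fetch; explorer.exe as
    parent is consistent with a user double-clicking a shortcut (LNK)."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\mshta.exe"):
        return None
    if not REMOTE_URL.search(ev["cmdline"]):
        return None  # local .hta files are common in legitimate installers
    via_lnk = ev["parent"].lower().endswith("\\explorer.exe")
    return "mshta.exe fetching remote HTA" + (" (spawned by explorer.exe)" if via_lnk else "")

def flag_edge_lookalike_run_key(ev):
    """Run-key value that looks like Edge but launches from outside Edge's install dir."""
    if ev["type"] != "registry" or not ev["key"].lower().endswith("\\run"):
        return None
    if not (EDGE_LIKE.search(ev["name"]) or EDGE_LIKE.search(ev["data"])):
        return None
    target = ev["data"].lower().lstrip('"')  # drop the opening quote of a quoted path
    if target.startswith(EDGE_INSTALL_DIRS):
        return None
    return "Run-key persistence mimicking Microsoft Edge outside its install directory"

def scan(events):
    """Return (event index, reason) for every event that trips a check."""
    checks = (flag_mshta_remote, flag_edge_lookalike_run_key)
    return [(i, r) for i, ev in enumerate(events) for c in checks if (r := c(ev))]
```

Running scan(SAMPLE_EVENTS) flags the remote-HTA launch and the fake Edge Run-key entry, while the local HTA and the genuine Edge auto-launch entry pass.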
Related Operations in India
Concurrent with the Afghan operation, new details have emerged about a phishing campaign targeting Indian military infrastructure. This campaign, linked to Transparent Tribe, relies on weaponized Linux .desktop files and uses contract-related lures to infiltrate Indian armored-vehicle procurement operations.
Security researcher R.D. Tarun reported that this campaign employs WhatsApp-based social engineering tactics and staged shell payload delivery. Once the malicious launcher is executed, it triggers a complex infection chain using Golang-based ELF implants, tracked as DeskRAT.
These operations highlight the ongoing cyber threats posed by groups like SideCopy and Transparent Tribe, emphasizing the need for heightened vigilance and robust cybersecurity measures in the region.
