Last updated: July 5, 2026 at 9:01 AM UTC
Tag: pakistan (1 article)

SideCopy (APT36) Operation XENOFISCAL hits Afghanistan Finance Ministry with Pashto-lure Xeno RAT via mshta.exe and Edge-mimicking persistence

Seqrite Labs has documented Operation XENOFISCAL, a campaign by the Pakistan-linked SideCopy group (under the Transparent Tribe / APT36 umbrella) targeting Afghanistan's Ministry of Finance, provincial revenue and finance directorates, and Pashto-speaking government officials. The attack opens with spear-phishing that delivers a ZIP archive containing a malicious LNK file bearing a Pashto-language filename, a deliberate choice reflecting familiarity with Afghan government circles. The LNK invokes mshta.exe to fetch a remote HTA from a compromised Afghan education domain, which runs obfuscated JavaScript in memory. That script establishes Registry persistence mimicking Microsoft Edge and, through a DLL loader, drops Xeno RAT 1.8.7 alongside a decoy document. Xeno RAT supports keylogging, screenshots, and SOCKS5 tunneling.

Check
Hunt for LNK files with Pashto filenames, mshta.exe fetching remote HTA, Edge-mimicking Registry persistence, and Xeno RAT 1.8.7 TCP C2. Apply Seqrite IoCs in South Asia government environments.
Affected
Afghanistan's Ministry of Finance, provincial revenue/finance directorates, and Pashto-speaking government officials. SideCopy (APT36 umbrella) uses language-tailored spear-phishing reflecting deep target familiarity.
Fix
Block ZIP-with-LNK email attachments and restrict mshta.exe for standard users. Hunt for Xeno RAT scheduled-task persistence and SOCKS5 tunneling. Monitor compromised education-domain callbacks.