Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan
Operation XENOFISCAL is a targeted malware campaign by the Pakistan-linked SideCopy APT group against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack uses spear phishing with Pashto-language LNK files that execute mshta.exe to retrieve remote HTA payloads from compromised Afghan education infrastructure. The multi-stage infection chain uses obfuscated JavaScript and establishes persistence via registry keys mimicking Microsoft Edge. The final payload is XenoRAT 1.8.7, which communicates with bulletproof hosting in Bulgaria. The campaign leverages detailed knowledge of the target environment, including decoy documents in Dari and Pashto listing provincial finance officials. Infrastructure analysis shows staging within Afghan government IP space and overlaps with previous SideCopy operations. No known exploits or patches are indicated, and the threat is assessed as medium severity.
AI Analysis
Machine-generated threat intelligence
Technical Summary
SideCopy, a Pakistan-linked APT under the Transparent Tribe umbrella, conducted a spear phishing campaign targeting Afghanistan's Ministry of Finance and provincial revenue directorates. The attack initiates with a Pashto-language LNK file disguised as a staff directory document, which runs mshta.exe to fetch remote HTA payloads hosted on compromised Afghan educational domains. The infection chain involves obfuscated JavaScript and registry-based persistence that mimics Microsoft Edge to evade detection. The payload deployed is XenoRAT version 1.8.7, which beacons to bulletproof hosting infrastructure located in Bulgaria. The campaign demonstrates precise targeting using decoy documents in local languages containing contact details of provincial finance officials. Infrastructure overlaps with prior SideCopy activity and includes deliberate staging within Afghan government IP ranges. There is no indication of a patch or remediation from the vendor, and no known exploits in the wild have been reported.
Potential Impact
The campaign enables persistent remote access to targeted systems within Afghanistan's Ministry of Finance and provincial revenue directorates via XenoRAT malware. This could allow the threat actor to conduct espionage, data exfiltration, or further network compromise. The use of localized spear phishing lures and infrastructure within Afghan government IP space increases the likelihood of successful infection. The malware's persistence mechanism and use of bulletproof hosting complicate detection and removal. However, no direct evidence of exploitation beyond infection vectors is provided, and no known exploits or vulnerabilities are indicated.
Mitigation Recommendations
No official patch or remediation is available for this threat, as it involves targeted spear phishing and malware deployment rather than a software vulnerability. Organizations should focus on user awareness training to recognize spear phishing attempts, especially those using localized language lures. Monitoring and blocking the known indicators of compromise published with the source pulse (IP addresses, domains, and file hashes) can help detect and prevent infection. Incident response should include removal of the registry persistence mechanism and network containment. Since this is a targeted campaign, tailored defensive measures aligned with the threat intelligence are recommended. Patch status is not applicable; check vendor advisories or threat intelligence updates for any new mitigation guidance.
Affected Countries
Afghanistan
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
- Adversary: SideCopy
- Pulse Id: 6a196f2fd88de848b913e4da
- Threat Score: null
Threat ID: 6a19879ce29bf47b50e4b206
Added to database: 5/29/2026, 12:33:32 PM
Last enriched: 5/29/2026, 12:48:28 PM
Last updated: 5/29/2026, 7:35:45 PM