SideCopy Targets Afghanistan's Finance Ministry With XenoRAT
Operation XENOFISCAL delivers customized XenoRAT to Afghanistan's Ministry of Finance and 34 provincial revenue directorates. The Pakistan-linked APT used Pashto-language lures and bulletproof European hosting.
Pakistan-linked APT group SideCopy has launched a precision campaign against Afghanistan's financial infrastructure. Seqrite researchers disclosed Operation XENOFISCAL on May 29, revealing attacks targeting the Ministry of Finance and all 34 provincial revenue directorates using a customized XenoRAT implant.
SideCopy operates under the Transparent Tribe (APT36) umbrella, a threat cluster with well-documented ties to Pakistani intelligence services. This campaign demonstrates continued interest in Afghan government targets following the political transition in 2021.
The Attack Chain
The infection begins with spear phishing—a technique we've covered extensively in our phishing examples guide. Victims receive a ZIP archive containing a malicious LNK file with a Pashto-language filename referencing a seminar on "intellectual and psychological warfare." The lure's specificity—framing content around internal ministry terminology—suggests the attackers conducted reconnaissance on their targets' organizational context.
Stage progression follows a five-part chain:
- The LNK file executes mshta.exe to fetch a remote HTA payload
- Obfuscated JavaScript triggers the initial loader DLL
- The loader establishes Registry persistence under a key disguised as "Edgre" (mimicking Microsoft Edge)
- A secondary loader deploys shellcode using VirtualAlloc with RWX permissions, bypassing AMSI through function patching
- XenoRAT 1.8.7 executes in memory via CLR reflection
The campaign leverages compromised Afghan education infrastructure (abimj.edu.af) for initial payload delivery before switching to bulletproof European hosting for C2 communications.
XenoRAT Capabilities
XenoRAT is a full-featured remote access trojan with capabilities suited for long-term espionage. The deployed version supports keylogging, screen capture, webcam and microphone surveillance, SOCKS5 network tunneling, and dynamic in-memory DLL loading.
The last capability is particularly concerning—it allows operators to extend the RAT's functionality post-deployment without touching disk, making forensic detection harder.
For organizations tracking nation-state threat actors, XenoRAT represents a common but effective tool in the South Asian threat landscape. Its open-source availability means attribution must rely on infrastructure and tradecraft rather than malware alone.
Infrastructure and Attribution
Seqrite attributes the campaign to SideCopy with medium-to-high confidence based on:
- Consistent use of HZ Hosting Ltd (AS59711), a Bulgaria-registered bulletproof provider previously documented in SideCopy infrastructure
- .NET BinaryFormatter deserialization exploiting WPF XAML gadgets, a technique seen in prior SideCopy operations
- Registry persistence patterns matching established SideCopy TTPs
The C2 server at 185.235.137.106 fits the group's historical preference for Eastern European bulletproof hosting that provides cover while maintaining low-latency access to South Asian targets.
Why Afghanistan's Finance Ministry?
Targeting the Ministry of Finance and provincial revenue directorates isn't random. These entities control tax collection, budget allocation, and financial flows throughout Afghanistan. Intelligence from these targets could reveal:
- Budget allocations to security forces
- Foreign aid distribution channels
- Revenue collection effectiveness
- Financial relationships with international partners
For a regional adversary, this information has both intelligence and potential destabilization value. The campaign's scope—hitting the central ministry and all 34 provincial offices—suggests a comprehensive collection objective rather than opportunistic targeting.
Indicators and Detection
Security teams monitoring South Asian threat activity should watch for:
- Registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with unusual value names mimicking legitimate software
- Staging directories at C:\Users\Public\USOShared-* and C:\Users\Public\firefx-*
- Network connections to HZ Hosting infrastructure (AS59711)
- mshta.exe spawning .NET processes
The campaign's use of living-off-the-land binaries (mshta.exe) combined with memory-only execution makes endpoint detection challenging. Organizations in affected regions should prioritize network-based detection of C2 communications.
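To show how the indicators above translate into host-side triage logic, here is an added example that is not part of the original article or of Seqrite's research. It runs four checks over constructed, Sysmon-shaped event records: Run-key values whose names are near-misses of real software names (the "Edgre" pattern), file creation under the two staging-directory prefixes, any child process spawned by mshta.exe (broader than the ".NET processes" wording, since the parent alone is the rare event), and connections into AS59711. The event layout, the list of legitimate software names, the prefix-to-ASN table (only the /24 containing the published C2 address is mapped) and the sample child-process path are all assumptions made for the demo.

```python
"""Triage of Sysmon-style endpoint telemetry for the XENOFISCAL indicators.
Added example, not Seqrite's or the article's code. Event shape, ASN table and
known-software list are constructed assumptions for the demonstration."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumed list of legitimate software names that a look-alike Run-key value might imitate.
KNOWN_NAMES = {"edge", "chrome", "firefox", "onedrive", "teams"}

# Constructed prefix-to-ASN table: only the /24 holding the published C2 is mapped here;
# a real deployment would load a full routing/ASN feed instead.
PREFIX_ASN = {ipaddress.ip_network("185.235.137.0/24"): 59711}
HZ_HOSTING_ASN = 59711

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
STAGING_RE = re.compile(r"^c:\\users\\public\\(usoshared|firefx)-", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; value names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_name(value_name: str) -> Optional[str]:
    """Return the legitimate name a Run-key value imitates ('Edgre' -> 'edge'), else None.
    An exact match is treated as the genuine product, not a look-alike."""
    name = value_name.lower()
    if name in KNOWN_NAMES:
        return None
    best = min(sorted(KNOWN_NAMES), key=lambda k: edit_distance(name, k))
    return best if edit_distance(name, best) <= 2 else None


def asn_for(ip: str) -> Optional[int]:
    """Longest-match is unnecessary here because the constructed table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_ASN.items():
        if addr in net:
            return asn
    return None


def triage(events) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every event matching one of the campaign indicators."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            key, _, value = ev["target"].rpartition("\\")
            if key.lower() == RUN_KEY:
                imitated = lookalike_name(value)
                if imitated:
                    hits.append(("runkey_lookalike", f"{value} mimics {imitated}"))
        elif kind == "file_create" and STAGING_RE.match(ev["path"]):
            hits.append(("staging_dir", ev["path"]))
        elif kind == "process_create" and ev["parent"].lower().endswith("\\mshta.exe"):
            hits.append(("mshta_child", ev["image"]))
        elif kind == "network_connect" and asn_for(ev["dst_ip"]) == HZ_HOSTING_ASN:
            hits.append(("hz_hosting_c2", f"{ev['dst_ip']}:{ev['dst_port']}"))
    return hits


# Constructed sample telemetry in a simplified Sysmon-like shape; not real logs.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\USOShared-1f3a\host.exe",  # assumed child
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"type": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Edgre"},
    {"type": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "file_create", "path": r"C:\Users\Public\USOShared-1f3a\stage.dll"},
    {"type": "file_create", "path": r"C:\Users\Public\Documents\report.docx"},
    {"type": "network_connect", "dst_ip": "185.235.137.106", "dst_port": 443},
    {"type": "network_connect", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:18} {detail}")
```

The edit-distance check is deliberately loose (distance 2 catches a dropped or swapped letter) and will produce false positives on genuinely similar product names, so in production it belongs behind an allowlist of software known to be installed; the ASN check, by contrast, is low-noise but only as good as the routing data behind it, which is why network-based detection of the C2 range is the more reliable signal for this campaign.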
For background on defending against targeted campaigns, see our social engineering guide covering the phishing techniques APT groups commonly employ.
The Bigger Picture
SideCopy's continued operations against Afghan government targets reflect the ongoing intelligence competition in South Asia. The group has historically targeted Indian defense establishments, but post-2021 Afghanistan represents a target-rich environment with less mature cyber defenses.
Operation XENOFISCAL shows the attackers investing in quality tradecraft—Pashto-language lures, multi-stage loaders, memory-only execution, and bulletproof infrastructure. This isn't a spray-and-pray campaign. It's targeted espionage against a specific government's financial apparatus.
Organizations operating in the region should assume they're targets. The same techniques used against Afghan ministries will appear against NGOs, contractors, and international organizations working in South Asia.