Gbhackers
SideCopy Targets Afghanistan Finance Ministry with XenoRAT Campaign
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A Pakistan-linked threat actor, SideCopy, has initiated a spear-phishing campaign against Afghanistan's Ministry of Finance, targeting all 34 provincial revenue directorates. The campaign utilizes a ZIP archive containing a malicious LNK file disguised with a Pashto-language filename. Upon execution, the malware deploys a customized XenoRAT 1.8.7 implant that connects to a command-and-control server. The attack is characterized by a sophisticated infection chain designed to evade detection and minimize disk artifacts. The implant features capabilities such as keylogging, screen capture, and webcam surveillance. This operation aligns with SideCopy's shift towards customized malware after previous AsyncRAT campaigns. The threat actor's operational familiarity with the target environment indicates extensive prior intelligence gathering. The C2 server relies on a bulletproof provider in Frankfurt, linked to SideCopy's infrastructure.
Key Points: • SideCopy's campaign targets Afghanistan's Ministry of Finance and all provincial revenue directorates. • The attack uses a malicious LNK file within a ZIP archive, leveraging a Pashto filename for deception. • XenoRAT 1.8.7 provides extensive surveillance capabilities, including keylogging and webcam access.