
SideCopy Targets Afghanistan Finance Ministry with XenoRAT Campaign

Severity: High (Score: 72.5)

Sources: Gbhackers, www.seqrite.com

Published: 2026-05-30 · Updated: 2026-05-30

Keywords: sidecopy, against, afghanistan, finance, ministry, deploys, persistent

Severity indicators: rat, finance

Summary

A Pakistan-linked threat actor, SideCopy, has initiated a spear-phishing campaign against Afghanistan's Ministry of Finance, targeting all 34 provincial revenue directorates. The campaign uses a ZIP archive containing a malicious LNK file disguised with a Pashto-language filename. Upon execution, the malware deploys a customized XenoRAT 1.8.7 implant that connects to a command-and-control server. The attack is characterized by a multi-stage infection chain designed to evade detection and minimize disk artifacts. The implant features capabilities such as keylogging, screen capture, and webcam surveillance. This operation aligns with SideCopy's shift towards customized malware after previous AsyncRAT campaigns. The threat actor's operational familiarity with the target environment indicates extensive prior intelligence gathering. The C2 server relies on a bulletproof provider in Frankfurt, linked to SideCopy's infrastructure.

Key Points:

  • SideCopy's campaign targets Afghanistan's Ministry of Finance and all provincial revenue directorates.
  • The attack uses a malicious LNK file within a ZIP archive, leveraging a Pashto filename for deception.
  • XenoRAT 1.8.7 provides extensive surveillance capabilities, including keylogging and webcam access.

Detailed Analysis

**Impact**

The Afghanistan Ministry of Finance and its 34 provincial revenue directorates are targeted, risking exposure of sensitive personnel data including names, positions, and direct mobile numbers in Dari and Pashto. The campaign potentially compromises government financial operations across all provinces, threatening confidentiality and operational integrity. The use of a persistent RAT enables ongoing surveillance and data exfiltration, impacting national financial sector security.

**Technical Details**

The attack begins with a spear-phishing email delivering a ZIP archive containing a malicious LNK file named in Pashto, which executes a multi-stage infection chain designed to evade detection and minimize disk artifacts. The final payload is a customized XenoRAT 1.8.7 implant that communicates with a Frankfurt-based bulletproof C2 server (185.235.137.106) over AES-encrypted TCP traffic, using the mutex “clouda” to enforce single-instance execution. Post-exploitation capabilities include keylogging, screen capture, webcam access, and SOCKS5 tunneling. The infrastructure is linked to SideCopy under the Transparent Tribe (APT36) umbrella.

**Recommended Response**

Block and monitor network traffic to and from IP 185.235.137.106 and associated domains, especially those resolving to AS58469. Deploy detections for XenoRAT 1.8.7 indicators, including the mutex “clouda” and LNK file execution patterns originating from Pashto-named archives. Harden email gateways against spear-phishing by filtering ZIP attachments and scanning for malicious LNK files. Monitor endpoints for post-exploitation behaviors such as keylogging and unauthorized webcam access. No CVE or patch information is provided; focus on detection and containment.
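As an added example (not code from either source article), the attachment check below illustrates the gateway-side mitigation recommended above: it inspects a ZIP attachment for LNK entries, including LNK payloads hiding under a non-.lnk name, and for Arabic-script filenames such as the Pashto lure described here. The sample archive, its entry names and the `build_zip`/`scan_zip_attachment` helper names are constructed for this example.

```python
import io
import re
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Pashto is written in the Arabic script; flag any entry name using it.
ARABIC_SCRIPT = re.compile(r"[\u0600-\u06FF\u0750-\u077F]")


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed helper: pack {name: content} into an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def scan_zip_attachment(data: bytes) -> list[str]:
    """Return findings for a ZIP attachment; an empty list means nothing suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry, nothing to inspect
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if name.lower().endswith(".lnk"):
                findings.append(f"LNK entry: {name!r}")
            elif head == LNK_MAGIC:          # LNK content disguised under another extension
                findings.append(f"LNK header under non-.lnk name: {name!r}")
            if ARABIC_SCRIPT.search(name):
                findings.append(f"Arabic-script filename: {name!r}")
    return findings


# Constructed sample: an LNK-shaped file with an Arabic-script (Pashto-style) name.
SAMPLE_ZIP = build_zip({"لیست.lnk": LNK_MAGIC + b"\x00" * 60, "readme.txt": b"benign"})

if __name__ == "__main__":
    for finding in scan_zip_attachment(SAMPLE_ZIP):
        print(finding)
```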

Source articles (3)

  • SideCopy Deploys Persistent XenoRAT Against Afghanistan Finance Ministry — Gbhackers · 2026-05-30
    Pakistan-linked threat actor SideCopy has launched a highly targeted spear-phishing campaign against Afghanistan’s Ministry of Finance (MoF). The operation surgically targets all 34 provincial revenue…
  • Seqrite confirmed that — www.seqrite.com · 2026-05-30

Timeline

  • 2026-05-30 — Spear-phishing campaign launched: SideCopy targets Afghanistan's Ministry of Finance with a highly targeted spear-phishing campaign delivering XenoRAT.

Related entities

  • APT36 (APT Group)
  • Transparent Tribe (APT Group)
  • Phishing (Attack Type)
  • Afghanistan Ministry Of Finance (Company)
  • Afghanistan (Country)
  • Pakistan (Country)
  • CWE-287 - Improper Authentication (Cwe)
  • Government (Industry)
  • 185.235.137.106 (Ipv4)
  • AsyncRAT (Malware)
  • XenoRAT (Malware)
  • The Gentlemen (Ransomware Group)
  • T1056 - Input Capture (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1566.001 - Spearphishing Attachment (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Palo Alto Networks PAN-OS (Platform)
  • Prisma Access (Platform)