SideCopy Targets Afghanistan Finance Ministry with XenoRAT Campaign

SideCopy Targets Afghanistan Finance Ministry with XenoRAT Campaign

First seen 30 May 2026, 11:48 UTC GbhackersCybersecuritynewsSocprimewww.seqrite.com 86% similarity 72.5

Article Content

Browse articles
ThreatCluster

A Pakistan-linked threat actor, SideCopy, has initiated a spear-phishing campaign against Afghanistan's Ministry of Finance, targeting all 34 provincial revenue directorates. The campaign utilizes a ZIP archive containing a malicious LNK file disguised with a Pashto-language filename. Upon execution, the malware deploys a customized XenoRAT 1.8.7 implant that connects to a command-and-control server. The attack is characterized by a sophisticated infection chain designed to evade detection and minimize disk artifacts. The implant features capabilities such as keylogging, screen capture, and webcam surveillance. This operation aligns with SideCopy's shift towards customized malware after previous AsyncRAT campaigns. The threat actor's operational familiarity with the target environment indicates extensive prior intelligence gathering. The C2 server relies on a bulletproof provider in Frankfurt, linked to SideCopy's infrastructure.

Key Points: • SideCopy's campaign targets Afghanistan's Ministry of Finance and all provincial revenue directorates. • The attack uses a malicious LNK file within a ZIP archive, leveraging a Pashto filename for deception. • XenoRAT 1.8.7 provides extensive surveillance capabilities, including keylogging and webcam access.

ThreatCluster AI

Timeline

2026-05-30
Spear-phishing campaign launched
SideCopy targets Afghanistan's Ministry of Finance with a detailed spear-phishing campaign using XenoRAT.
Gbhackers

Community

Browse all →