Cybersecurity researchers have revealed details of a spear-phishing campaign believed to be conducted by the Pakistan-aligned SideCopy group that targeted the Afghan Ministry of Finance using an open-source remote access Trojan called Xeno RAT.
“The campaign begins with a spear phishing delivery, a ZIP archive containing a malicious LNK file with a carefully crafted Pashto filename,” Seqrite Labs researcher Dixit Panchal said in a technical breakdown of the activity.
As part of the campaign, state revenue and finance departments, Pashto-speaking government employees, and state-level government employees are also being targeted. The code name for this campaign is “Operation XENOFISCAL.”
The choice of Pashto for the decoy file was a deliberate choice on the part of the attackers, as it is the language primarily spoken by Afghan government officials. This aspect reflects the attacker’s familiarity with the target environment.
SideCopy is the name given to a Pakistan-linked threat group operating under the broader Transparent Tribe (also known as APT36) umbrella that uses a variety of malware families to steal sensitive data from compromised hosts. In April 2025, adversaries were observed using the Xeno RAT, Spark RAT, and CurlBack RAT to conduct a series of attacks targeting various sectors in India.
From that perspective, the latest campaign is a continuation of a broader range of malicious cyber operations targeting organizations in South Asia.
When executed, the Windows Shortcut (LNK) file leverages ‘mshta.exe’ to retrieve a remote HTML application (HTA) from a compromised Afghan education domain and executes obfuscated JavaScript in memory. The malware also establishes registry-based persistence by imitating Microsoft Edge and uses a DLL-based loader to drop Xeno RAT 1.8.7 and a decoy document as a distraction mechanism.
Xeno RAT is designed to connect to remote servers via TCP and process commands sent by operators. The malware has the ability to load and execute external DLL modules, send data to servers, launch the malware through scheduled tasks, obtain antivirus information, support SOCKS5 proxy-based network tunneling, perform file operations, log keystrokes, take screenshots, monitor the clipboard, track webcams/microphones, remove persistence methods, and uninstall itself from the host.
The disclosure comes amid details of a targeted phishing operation that leveraged weaponized Linux .desktop files to target India’s military infrastructure using contract-related decoys related to India’s armored vehicle procurement operations. This campaign is believed to be the work of the Invisible Tribe.
“This campaign appears to utilize WhatsApp-based social engineering and staged shell payload delivery to target individuals associated with India’s military and defense infrastructure ecosystem,” security researcher RD Tarun said in a report published last month.
“Once executed, the malicious .desktop launcher initiates a highly obfuscated shell-based infection chain that includes staged payload retrieval, inline decoding routines, and deployment of a Golang-based ELF implant, tracked in this report as DeskRAT.”
Source link
