Operation XenoFiscal: SideCopy’s Precision Strike Against Afghanistan’s Financial Infrastructure
The Pakistan-linked threat actor known as SideCopy—operating under the broader strategic umbrella of Advanced Persistent Threats (APT) similar to Transparent Tribe (APT36)—has initiated a highly surgical spear-phishing campaign. The operation specifically targets the Afghanistan Ministry of Finance (MoF), with a focus on compromising all 34 provincial revenue directorates.
According to technical intelligence released by Seqrite, the campaign is characterized by a sophisticated, multi-stage infection chain designed to deploy a customized XenoRAT 1.8.7 implant. This malware communicates with resilient, bulletproof hosting infrastructure located in Europe to maintain command and control (C2).
The initial vector utilizes social engineering tailored to the local context. The attack begins with a ZIP archive containing a malicious LNK file. To increase the likelihood of execution, the attackers utilized a Pashto-language filename: “List of Employees Who Were Introduced to the Intellectual and Psychological Warfare Seminar.” By leveraging Pashto—the dominant administrative language in Afghanistan—the actors demonstrate significant pre-operational reconnaissance and cultural familiarity with the target’s social hierarchy.
Technical Deep Dive: The XenoRAT Deployment Chain
Upon execution, the malware immediately deploys a high-fidelity decoy document. This document contains a comprehensive staff directory for all 34 provinces, including names, titles, and mobile numbers of Finance Directors and Revenue Chiefs in both Dari and Pashto. This level of granularity indicates that the threat actor spent considerable time performing OSINT (Open Source Intelligence) prior to launch.
The technical execution of the malware is designed to evade traditional EDR (Endpoint Detection and Response) solutions through several layers of obfuscation and “Living-off-the-Land” (LotL) techniques:
- Stage 1 (Execution & Fetching): The LNK file hijacks
mshta.exe—a legitimate Windows utility—to act as a LOLBIN. It fetches a remote HTA payload from a compromised educational domain (abimj[.]edu[.]af), effectively masking malicious traffic as legitimate academic traffic. - Stage 2 (Obfuscation): The retrieved HTA delivers a heavily obfuscated JScript payload. This payload uses hex-encoded string arrays and a custom Base64 decoding routine to bypass static signature analysis and load a Loader DLL.
- Stage 3 (Persistence): A .NET DLL is introduced, which drops a decoy PDF to distract the user. Simultaneously, it establishes registry-based persistence by creating a typosquatted value named
“Edgre”to blend in with Microsoft Edge processes. - Stage 4 (Memory Injection): A second .NET shellcode loader pulls a disguised payload (
ayui.vmxx). The malware then utilizesVirtualAlloc()andCreateThread()to reconstruct the payload entirely within the system’s RAM, minimizing the footprint on the physical disk. - Stage 5 (AMSI Bypass): To neutralize defensive scanning, the malware actively patches
AmsiScanBuffer()to disable the Antimalware Scan Interface (AMSI), followed by usingAssembly.Loadfor fully reflective, fileless execution.
The final payload, XenoRAT 1.8.7, establishes a connection to its C2 server via TCP. The communication is hardened using AES encryption and RTL-compressed traffic to evade network-level inspection. To prevent multiple infections on a single host, the actor uses the hardcoded mutex “clouda.” Once active, the RAT provides a full suite of espionage capabilities, including keylogging, real-time screen capture, webcam access, and SOCKS5 proxy tunneling for lateral movement.
Analysts note that this shift to XenoRAT represents an evolution in SideCopy’s toolkit, moving from AsyncRAT to more customized, open-source-based implants. Furthermore, the attackers have demonstrated tactical cleverness by staging malicious traffic alongside legitimate Afghan government assets (routing through AS58469). The primary C2 IP (185.235.137.106) is hosted via a Frankfurt-based bulletproof provider known to host SideCopy infrastructure.
Indicators of Compromise (IoCs)
| Artifact Type | SHA256 Hash |
|---|---|
| ZIP Archive | 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14 |
| LNK File | 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01 |
| Decoy PDF | DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB |
| ugayt.hta | A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67 |
| noway.bat | 5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45 |
| zuidrt.hta | 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D |
| WayBroad.dll | 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A |
| Aotestpass.dll | 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772 |
| XenoRAT | 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14 |