{"id":262177,"date":"2026-06-02T05:05:00","date_gmt":"2026-06-02T09:05:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/02\/pakistan-linked-sidecopy-targets-afghanistan-finance-ministry-with-xeno-rat\/"},"modified":"2026-06-02T13:05:22","modified_gmt":"2026-06-02T17:05:22","slug":"pakistan-linked-sidecopy-targets-afghanistan-finance-ministry-with-xeno-rat","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/02\/pakistan-linked-sidecopy-targets-afghanistan-finance-ministry-with-xeno-rat\/","title":{"rendered":"Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/pakistan-linked-sidecopy-targets.html\">Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/pakistan-linked-sidecopy-targets.html\">https:\/\/thehackernews.com\/2026\/06\/pakistan-linked-sidecopy-targets.html<\/a><\/p>\n<p>Publish Date: 2026-06-02 05:05:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 02, 2026<\/span><\/span><span class=\"p-tags\">Cyber Espionage \/ Threat Intelligence<\/span><\/p>\n<p>Cybersecurity researchers have disclosed details of a spear-phishing campaign likely undertaken by the Pakistan-aligned SideCopy group targeting Afghanistan&#8217;s Ministry of Finance with an open-source remote access trojan called Xeno RAT.<\/p>\n<p>&#8220;The campaign opens with a spear phishing delivery &#8211; a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename,&#8221; Seqrite Labs researcher Dixit Panchal said in a technical breakdown of the activity.<\/p>\n<p>Also targeted as part of the campaign are provincial revenue and finance 
directorates, Pashto-speaking government officials, and provincial-level government employees. The campaign has been codenamed Operation XENOFISCAL.<\/p>\n<p>The choice of Pashto for the lure file is a deliberate choice on the part of the attacker, as it&#8217;s the main language spoken in the Afghan government circles. This aspect reflects the attacker&#8217;s familiarity with the target environment.<\/p>\n<p>SideCopy is the name given to a Pakistan-linked threat group operating under the broader Transparent Tribe (aka APT36) umbrella, using a wide range of malware families to steal sensitive data from compromised hosts. In April 2025, the adversary was attributed to a set of attacks targeting various sectors in India with Xeno RAT, Spark RAT, and CurlBack RAT.<\/p>\n<p>Viewed in that light, the latest campaign is a continuation of a broader cluster of malicious cyber activity aimed at South Asian entities.<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"366\" data-original-width=\"601\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgIfJvqG3ktFP2xVcCUmW-ZMaYhAGI5WF4Szi5M8ZmSWTD9KjgAf_xy5mOzG-RJO7AaLTy-N3WmA7krlrx3e0dfwKNnTAK4iiQcK_K76KsqnHgT58sMxHWOyrCdwFS1UJJcQfgKRH1TOOsv2n-W3Bh7XaGiS9hUBqYJfZbt1aDr_HJnfY7yKU9mkDl4_ed6\/s1600\/mta.jpg\"\/><\/p>\n<p>Once executed, the Windows Shortcut (LNK) file leverages &#8220;mshta.exe&#8221; to fetch a remote HTML Application (HTA) from a compromised Afghan education domain, leading to the execution of obfuscated JavaScript in memory. 
The malware also establishes Registry-based persistence by mimicking Microsoft Edge, while dropping Xeno RAT 1.8.7 and a decoy document as a distraction mechanism by means of a DLL-based loader.<\/p>\n<p>Xeno RAT is designed to connect with a remote server over TCP to handle&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/pakistan-linked-sidecopy-targets.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT https:\/\/thehackernews.com\/2026\/06\/pakistan-linked-sidecopy-targets.html Publish Date: 2026-06-02 05:05:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":262178,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiilTEadDjLrLdKByKVP6n_zfNSbhTTutHu-9BbbIDTBotobmqmIOI7fDdGGHZQQB7wTo00L66NAKZBA3iRBLQpSf_NgH9hKe9Xd-WUoijt7y-CUbdZore_qSZpTmuBhExaAxeXn39EPCVPYugMnJ85c15e161ttOMRmbSAv7NcbUlYrqDV4NnbzHZvw0A5\/s1600\/paki.gif","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,25],"class_list":["post-262177","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/262177"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=262177"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/262177\/revisions"}],"predecessor
-version":[{"id":262179,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/262177\/revisions\/262179"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/262178"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=262177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=262177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=262177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}