SideCopy APT Deploys XenoRAT to Target Afghanistan Finance Ministry
ID: 4c33cd18-3542-5e18-a3e3-c2f1164b40d7
STIX ID: report--4c33cd18-3542-5e18-a3e3-c2f1164b40d7
Feed Name: Cyber Press
**Executive summary:** Seqrite attributes a highly targeted spear-phishing campaign to Pakistan-linked APT SideCopy (Transparent Tribe/APT36) aimed at Afghanistan’s Ministry of Finance and 34 provincial revenue directorates; the attack used a Pashto-named LNK file that leverages mshta.exe to fetch an HTA, a multi-stage .NET loader with in-memory execution and AMSI bypass, and ultimately deployed XenoRAT 1.8.7 communicating with C2 infrastructure (notably 185.235.137.106) — the report includes detailed TTPs and IOCs (file and hash listings, delivery domains, and hosting ASNs).
