SideCopy Deploys Persistent XenoRAT Against Afghanistan Finance Ministry
ID: babc1611-a0b4-5eb9-b63f-55f7fcfd2163
STIX ID: report--babc1611-a0b4-5eb9-b63f-55f7fcfd2163
Feed Name: GBHackers
SideCopy (tracked as part of Transparent Tribe/APT36) ran a tightly targeted spear-phishing campaign against Afghanistan's Ministry of Finance and all 34 provincial revenue directorates. The lure is a ZIP containing a Pashto-labeled LNK; opening it starts a multi-stage chain (mshta.exe -> HTA -> .NET loaders) that runs XenoRAT 1.8.7 in memory, bypasses AMSI, and persists via the registry. The report includes C2 details (185.235.137.106, hosted with a Frankfurt-based bulletproof provider), the ASN routing, and a table of file hashes as IoCs.
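The chain summarised above has a recognisable telemetry shape even though the RAT stage runs in memory: a user-clicked LNK makes explorer.exe spawn mshta.exe with an .hta argument, a loader writes itself into a Run key, and the implant talks to the reported C2. The script below is an added example, not code from the GBHackers report or from the SideCopy toolset. It runs three such rules over constructed Sysmon-style events. The event format, field names, file paths, user SID, HTA URL and Run-key value name are assumptions made for the example; the only value taken from the feed summary is the C2 address.

```python
"""Detection sketch for the mshta -> HTA -> loader -> XenoRAT chain.

Added example, not code from the report. The events below are CONSTRUCTED
and use a simplified key="value" format loosely modelled on Sysmon
process-creation (eid 1), network-connection (eid 3) and registry-value-set
(eid 13) records. Paths, SID, HTA URL and Run-key value name are assumptions.
"""
import re
from typing import Dict, List

C2_IP = "185.235.137.106"  # C2 address given in the feed summary

# Constructed sample telemetry (NOT indicators from the report).
SAMPLE_EVENTS = [
    # benign: user starts a browser from the shell
    r'eid="1" image="C:\Program Files\Mozilla Firefox\firefox.exe" parent="C:\Windows\explorer.exe" cmdline="firefox.exe"',
    # suspicious: LNK double-click in explorer runs mshta against an HTA (URL is a placeholder)
    r'eid="1" image="C:\Windows\System32\mshta.exe" parent="C:\Windows\explorer.exe" cmdline="mshta.exe http://lure.invalid/doc.hta"',
    # suspicious: loader in a user-writable path registers itself in the Run key
    r'eid="13" image="C:\Users\user\AppData\Roaming\svc\loader.exe" target="HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater" details="C:\Users\user\AppData\Roaming\svc\loader.exe"',
    # suspicious: the same loader connects to the reported C2
    r'eid="3" image="C:\Users\user\AppData\Roaming\svc\loader.exe" dest_ip="185.235.137.106"',
    # benign: browser to an unrelated documentation-range address
    r'eid="3" image="C:\Program Files\Mozilla Firefox\firefox.exe" dest_ip="203.0.113.10"',
]

_KV = re.compile(r'(\w+)="([^"]*)"')

# Normal (non-raw) strings so each "\\" is one backslash in the value.
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"
APPDATA_FRAGMENT = "\\appdata\\"


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" record into a dict (values kept verbatim)."""
    return {k: v for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Apply three rules, each matching one stage of the reported chain.

    1. mshta.exe spawned by explorer.exe with an .hta argument: the lineage
       a user-clicked LNK-to-mshta lure produces (the LOLBin stage).
    2. A Run-key value written by, and pointing at, a binary under the
       user's AppData: the registry persistence the summary describes.
    3. Any process connecting to the reported C2 address.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        eid, image = ev.get("eid"), ev.get("image", "")

        if (eid == "1" and basename(image) == "mshta.exe"
                and basename(ev.get("parent", "")) == "explorer.exe"
                and ".hta" in ev.get("cmdline", "").lower()):
            findings.append({"rule": "mshta_hta_from_explorer", "image": image})

        elif eid == "13":
            target = ev.get("target", "").lower()
            written = ev.get("details", "").lower()
            if RUN_KEY_FRAGMENT in target and APPDATA_FRAGMENT in written:
                findings.append({"rule": "run_key_persistence", "image": image})

        elif eid == "3" and ev.get("dest_ip") == C2_IP:
            findings.append({"rule": "c2_connection", "image": image})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['rule']:24s} {finding['image']}")
```

The first rule is the most durable of the three: an in-memory .NET loader and an AMSI bypass leave little on disk, but explorer.exe launching mshta.exe with an HTA argument is the same whatever the payload. Expect benign hits in environments that still deploy HTA-based tooling, so scope it by parent process and by user population rather than dropping it. The C2 match should be fed from the report's own IoC table once the feed is available; the hash column is not reproduced here, so the example matches only the address the summary states.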
