Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT
ID: 23a2c1c3-e8e3-5d07-bdf3-a179873674a8
STIX ID: report--23a2c1c3-e8e3-5d07-bdf3-a179873674a8
Feed Name: The Hacker News
Researchers disclosed Operation XENOFISCAL, a spear-phishing campaign attributed to the Pakistan-aligned SideCopy group (a Transparent Tribe/APT36 sub-cluster) that targets Afghanistan's Ministry of Finance and provincial finance offices. The attackers used Pashto-named ZIP archives containing malicious LNK files; the LNK invokes mshta to fetch an HTA, which executes obfuscated JavaScript in memory and deploys Xeno RAT 1.8.7 via a DLL loader. The RAT provides TCP C2, DLL module loading, file operations, keystroke logging, screenshots, webcam and microphone access, SOCKS5 tunneling, and persistence via the Registry and scheduled tasks. The report also links related Transparent Tribe activity targeting Indian defense infrastructure that uses weaponized Linux .desktop files and a Golang implant (DeskRAT).
