Ethical Hacking News
A Pakistan-linked group has launched a spear phishing campaign against Afghanistan's Ministry of Finance that delivers the open-source Xeno RAT, another sign of the shifting threat landscape in South Asia.
The SideCopy group, a Pakistan-based threat actor, has launched a spear phishing campaign targeting Afghanistan's Ministry of Finance and other provincial institutions. The attack delivers Xeno RAT, an open-source remote access trojan (RAT), through a custom-built spear phishing chain. The Pashto-language filename reflects the attackers' familiarity with their target environment and their intent to avoid raising linguistic red flags. Xeno RAT offers TCP-based command execution, SOCKS5 network tunneling and file operations, among other capabilities, which make it a capable post-compromise tool despite being freely available. The campaign warrants careful analysis from cybersecurity professionals and policymakers alike.
Cyber attacks against government targets continue to rise, with adversaries adapting their tactics to get past improving defences. The latest development comes from a spear phishing campaign by the Pakistan-aligned SideCopy group targeting Afghanistan's Ministry of Finance and other provincial institutions. The attack leverages an open-source remote access trojan (RAT) called Xeno RAT, delivered through a custom-built spear phishing mechanism.
SideCopy is recognized as a Pakistan-based threat actor operating under the Transparent Tribe (also known as APT36) umbrella. The group uses a range of malware families to steal sensitive data from compromised hosts and has been linked to several notable intrusions in India and elsewhere in the region. Researchers describe this latest campaign as a continuation of its long-running strategy of compromising South Asian government entities.
The spear phishing chain begins with the delivery of a ZIP archive containing a malicious LNK file with a carefully crafted Pashto-language filename. Pashto is one of Afghanistan's official languages and is widely used in its government offices, so a filename in the target's own working language is less likely to raise suspicion than a foreign-language one; the choice reflects the attackers' familiarity with their target environment.
When the Windows Shortcut (LNK) file is opened, it launches "mshta.exe" to fetch a remote HTML Application (HTA) from a compromised Afghan education-sector domain, and the HTA runs obfuscated JavaScript in memory. That stage establishes Registry-based persistence under a name that poses as Microsoft Edge, then drops Xeno RAT 1.8.7 together with a decoy document that is shown to the victim as a distraction while the RAT is loaded through a DLL. For defenders, mshta.exe being handed a remote URL is the most reliable detection point in this chain: it is a well-known living-off-the-land pattern, and legitimate use of mshta.exe with a remote URL is rare in most environments.
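As an added example, not code from the original report or from the researchers who analysed the campaign, the following Python script shows detection logic for the two observable stages of the delivery chain described above: mshta.exe launched with a remote URL (or an inline javascript:/vbscript: payload), and an autostart Registry entry that borrows Microsoft Edge's name but points outside Edge's install directories. The sample telemetry is constructed for this example in a simplified Sysmon-like dict form; the hostname, paths and Registry value names are placeholders, not indicators from the campaign, and the assumption that persistence lives in a Run key is the example's own.

```python
"""Added example: detection logic for a LNK -> mshta.exe -> remote HTA chain
and for Run-key persistence that impersonates Microsoft Edge.
Sample events are constructed for this example; they are not campaign IOCs."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)

# Autostart keys (under HKCU or HKLM) that a RAT typically writes to; suffix match.
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Directories where a genuine Edge binary lives. Anything named like Edge but
# launched from elsewhere (e.g. %APPDATA%) is treated as impersonation.
LEGIT_EDGE_DIRS = (
    "c:\\program files\\microsoft\\edge\\",
    "c:\\program files (x86)\\microsoft\\edge\\",
)

# Constructed sample events (placeholders only, not real indicators).
SAMPLE_EVENTS = [
    {"event": "process_create",            # malicious: remote HTA fetched by mshta
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" https://compromised-school.example/doc.hta'},
    {"event": "process_create",            # benign: local HTA run by an installer
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\installer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"event": "registry_set",              # suspicious: Edge name, user-writable path
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeAutoLaunch",
     "data": r'"C:\Users\user\AppData\Roaming\Microsoft\Edge\msedge.exe"'},
    {"event": "registry_set",              # benign: Edge's own autolaunch entry
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeAutoLaunch_1A2B3C",
     "data": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]


def image_from_command(data: str) -> str:
    """Return the executable path at the front of a command line (quoted or first token).
    Unquoted paths containing spaces are truncated at the first space; quote them."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(None, 1)[0] if data else ""


def mshta_remote_or_inline(event: dict):
    """Flag mshta.exe handed a remote URL or an inline javascript:/vbscript: payload."""
    if event.get("event") != "process_create":
        return None
    if not event["image"].lower().endswith("\\mshta.exe"):
        return None
    cmd = event["command_line"]
    url = URL_RE.search(cmd)
    if url:
        return {"rule": "mshta_remote_hta",
                "host": urlparse(url.group(0)).hostname,
                "parent": event["parent_image"]}
    if INLINE_SCRIPT_RE.search(cmd):
        return {"rule": "mshta_inline_script", "host": None,
                "parent": event["parent_image"]}
    return None


def edge_impersonating_run_key(event: dict):
    """Flag Run-key entries that use Edge's name but point outside Edge's install dirs."""
    if event.get("event") != "registry_set":
        return None
    if not event["key"].lower().endswith(RUN_KEY_SUFFIXES):
        return None
    looks_like_edge = ("edge" in event["value_name"].lower()
                       or "msedge" in event["data"].lower())
    if not looks_like_edge:
        return None
    target = image_from_command(event["data"])
    if target.lower().startswith(LEGIT_EDGE_DIRS):
        return None
    return {"rule": "edge_impersonating_run_key",
            "value": event["value_name"], "target": target}


def scan(events):
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (mshta_remote_or_inline, edge_impersonating_run_key):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the script against the constructed events yields two alerts: the remote-HTA launch (with the hostname extracted for blocking or enrichment) and the Run-key entry pointing into a user profile. The two benign events, a local HTA and Edge's genuine autolaunch entry, are deliberately included so the rules can be checked for false positives; the path allow-list is the piece to tune for an environment where Edge is installed elsewhere.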
Xeno RAT is an open-source RAT that has been adopted by a range of adversaries worldwide, so its presence alone does not attribute an intrusion. Its capabilities include connecting to a remote server over TCP for command execution, loading and executing external DLL modules, transmitting collected data to the server, launching payloads via scheduled tasks, retrieving information about installed antivirus software, SOCKS5 proxy-based network tunneling, file operations, keystroke logging, screenshots, clipboard monitoring, webcam and microphone capture, removing its own persistence, and uninstalling itself from the host.
The campaign's effectiveness rests on social engineering tailored to the target rather than on novel malware. A Pashto-language filename makes the malicious shortcut look like a routine document circulating inside Afghan government offices, not an obvious foreign lure.
The SOCKS5 proxy support deserves particular attention: it gives the operators a pivot into the victim's internal network rather than control of a single host. The use of a freely available RAT shows that the sophistication here lies in the delivery chain and the targeting, and that is where defenders should focus: restricting or alerting on mshta.exe, especially when it is launched with a URL argument; watching for shortcut files executed from newly extracted archives; and auditing autostart Registry entries whose names imitate trusted software such as Microsoft Edge.
This campaign is a reminder that established regional actors keep recycling proven techniques against new government targets. Understanding the delivery chain in detail, rather than the malware family alone, is what lets defenders build detections that still hold when the payload is swapped out.
Related Information:
https://www.ethicalhackingnews.com/articles/Pakistan-Linked-SideCopy-Group-Targets-Afghanistans-Finance-Ministry-with-Sophisticated-Xeno-RAT-Spear-Phishing-Campaign-ehn.shtml
https://thehackernews.com/2026/06/pakistan-linked-sidecopy-targets.html
Published: Tue Jun 2 05:45:26 2026 by llama3.2 3B Q4_K_M