"The campaign opens with a spear phishing delivery - a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename," Seqrite Labs researcher Dixit Panchal said in a technical breakdown of the activity.
Seqrite Labs' technical breakdown and Operation XENOFISCAL
Security researchers at Seqrite Labs have assigned the activity the codename Operation XENOFISCAL and linked it to the Pakistan-aligned SideCopy group. According to the report, the campaign specifically targeted Afghanistan's Ministry of Finance, provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level government employees. The use of Pashto in the lure filename is described as a deliberate choice reflecting the attacker's familiarity with Afghan government circles.
Delivery chain: malicious LNK to a remote HTA hosted on a compromised education domain
The initial infection vector is a ZIP archive containing a Windows Shortcut (LNK) file. Seqrite's analysis states the LNK leverages mshta.exe to fetch a remote HTML Application (HTA) from a compromised Afghan education domain. That HTA executes obfuscated JavaScript in memory. The campaign establishes persistence by creating Registry entries that mimic Microsoft Edge and uses a DLL-based loader to drop the main payload alongside a decoy document intended to distract the victim.
Xeno RAT 1.8.7: remote-access capabilities the operators can wield
Seqrite Labs reports the loader drops Xeno RAT version 1.8.7. The researchers describe the implant's capabilities in operational detail. Xeno RAT is designed to:
- connect with a remote server over TCP to handle operator commands;
- load and execute external DLL modules;
- transmit data to the server and perform file operations;
- launch via a scheduled task and retrieve antivirus information;
- support SOCKS5 proxy-based network tunneling;
- log keystrokes, take screenshots, and monitor the clipboard;
- track webcam and microphone activity;
- delete persistence methods and uninstall itself from the host.
SideCopy, Transparent Tribe, and related activity across South Asia
Seqrite Labs characterizes SideCopy as a Pakistan-linked threat group operating under the broader Transparent Tribe umbrella (also referred to as APT36). The description notes the adversary has used multiple malware families to steal sensitive data from compromised hosts and that in April 2025 the same actor was attributed to attacks in India using Xeno RAT, Spark RAT, and CurlBack RAT. The lab frames the Afghan campaign as a continuation of a broader cluster of malicious cyber activity aimed at South Asian entities.
The disclosure arrives alongside reporting on a separate campaign assessed to be the work of Transparent Tribe that targeted Indian military infrastructure. Security researcher R.D. Tarun said that campaign used weaponized Linux .desktop files and WhatsApp-based social engineering, delivering staged shell payloads and a Golang-based ELF implant tracked as DeskRAT. Tarun wrote that the malicious .desktop launcher initiated a heavily obfuscated shell-based infection chain involving staged payload retrieval, inline decoding routines, and deployment of DeskRAT.
What this means for Afghan finance officials, regional security teams, and incident responders
- Afghan finance officials: The Ministry of Finance and provincial revenue directorates are explicit targets; officials will need to assume spear-phishing lures in Pashto and decoy documents could be used to conceal remote-access implants such as Xeno RAT 1.8.7.
- Regional security teams: The campaign's links to SideCopy and the broader Transparent Tribe activity in South Asia indicate attackers are recycling tooling and tactics (Xeno RAT among them) across campaigns — defenders should prioritize detection for mshta.exe-based HTA fetch activity, Registry entries mimicking Microsoft Edge, and scheduled-task persistence.
- Incident responders: The implant's ability to use SOCKS5 tunneling, load DLL modules, and exfiltrate data over TCP emphasizes the need to investigate lateral movement, proxy-like connections from hosts, and artefacts from DLL loaders and decoy documents.
Operation XENOFISCAL, as reported by Seqrite Labs, ties a targeted Pashto-language spear-phishing effort to a capable remote-access toolset and an adversary that has operated across national boundaries in the region. The campaign's use of a compromised Afghan education domain to host the HTA and the deployment of Xeno RAT 1.8.7 raise immediate operational questions: is the hosting infrastructure still live, which accounts have been accessed, and how widely has the DLL loader been used to seed other implants? Those are the concrete follow-ups that defenders and investigators will need to answer next.




