Find notable cyber news and cases, enriched with sources, timelines, and signals.

SideCopy Operation XENOFISCAL spear-phishing campaign targeting Afghan finance entities

Campaign
First reported
Last updated
Happening score
H score 25
1 unique sources, 1 articles

Summary

Hide ▲

The SideCopy-linked Operation XENOFISCAL spear-phishing campaign is targeting Afghanistan's Ministry of Finance and related provincial finance offices with Xeno RAT, raising the risk of host compromise across government systems. Delivery uses a ZIP archive with a malicious LNK file and a Pashto-language lure, then chains mshta.exe into an HTA fetch and in-memory JavaScript execution. The operation extends to provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level employees, showing a focused government-targeting effort.

Related Happenings

Transparent Tribe AI-assisted implant campaign targeting India

Campaign
H score32 First: 06.03.2026 17:11 Last: 06.03.2026 17:11 Sources 1

About this happening: Transparent Tribe (APT36) is using AI-powered coding tools to mass-produce disposable implants in an active campaign targeting the Indian government, its embassies...

APT36 / SideCopy phishing-led campaign targeting Indian defense organizations

Campaign
H score38 First: 11.02.2026 16:52 Last: 11.02.2026 16:52 Sources 1

About this happening: A phishing-led APT36 / SideCopy campaign is targeting Indian defense and government-aligned organizations, using cross-platform RATs to steal sensitive data and ke...

Bloody Wolf / Stan Ghouls NetSupport RAT spear-phishing campaign

Campaign
H score31 First: 09.02.2026 12:58 Last: 09.02.2026 12:58 Sources 1

About this happening: The Bloody Wolf / Stan Ghouls operation is actively running a spear-phishing campaign against Uzbekistan and Russia, and the activity matters because it is delivering...

Phantom Stealer phishing delivery and exfiltration activity

Malware Activity
H score30 First: 15.12.2025 18:00 Last: 15.12.2025 18:00 Sources 1

About this happening: Phantom Stealer is being delivered through a phishing campaign that uses a ZIP-to-ISO attachment chain to bypass mail defenses, exposing Russian-speaking organizatio...

Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities

Campaign
H score33 First: 15.12.2025 11:24 Last: 15.12.2025 11:24 Sources 1

About this happening: The Operation MoneyMount-ISO phishing campaign is actively targeting organizations in Russia, and it matters because the emails deliver Phantom Stealer through malic...

Timeline

  1. 02.06.2026 12:05 2 articles · 1mo ago

    SideCopy Operation XENOFISCAL targets Afghanistan's Ministry of Finance with Xeno RAT

    Initial Disclosure

    SideCopy's Operation XENOFISCAL targets Afghanistan's Ministry of Finance, related provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level government employees with Xeno RAT. The lure uses a ZIP archive containing a malicious LNK file with a Pashto-language filename, and execution chains mshta.exe to fetch an HTA from a compromised Afghan education domain, run obfuscated JavaScript in memory, and deploy Xeno RAT 1.8.7 with Registry-based persistence and a decoy document.

    Show sources