SideCopy Operation XENOFISCAL spear-phishing campaign targeting Afghan finance entities
Campaign
Summary
Hide ▲
Show ▼
The SideCopy-linked Operation XENOFISCAL spear-phishing campaign is targeting Afghanistan's Ministry of Finance and related provincial finance offices with Xeno RAT, raising the risk of host compromise across government systems. Delivery uses a ZIP archive with a malicious LNK file and a Pashto-language lure, then chains mshta.exe into an HTA fetch and in-memory JavaScript execution. The operation extends to provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level employees, showing a focused government-targeting effort.
Related Happenings
Transparent Tribe AI-assisted implant campaign targeting India
Campaign
H score32
First: 06.03.2026 17:11
Last: 06.03.2026 17:11
Sources 1
About this happening:
Transparent Tribe (APT36) is using AI-powered coding tools to mass-produce disposable implants in an active campaign targeting the Indian government, its embassies...
Transparent Tribe AI-assisted implant campaign targeting India
CampaignAbout this happening: Transparent Tribe (APT36) is using AI-powered coding tools to mass-produce disposable implants in an active campaign targeting the Indian government, its embassies...
APT36 / SideCopy phishing-led campaign targeting Indian defense organizations
Campaign
H score38
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
About this happening:
A phishing-led APT36 / SideCopy campaign is targeting Indian defense and government-aligned organizations, using cross-platform RATs to steal sensitive data and ke...
APT36 / SideCopy phishing-led campaign targeting Indian defense organizations
CampaignAbout this happening: A phishing-led APT36 / SideCopy campaign is targeting Indian defense and government-aligned organizations, using cross-platform RATs to steal sensitive data and ke...
Bloody Wolf / Stan Ghouls NetSupport RAT spear-phishing campaign
Campaign
H score31
First: 09.02.2026 12:58
Last: 09.02.2026 12:58
Sources 1
About this happening:
The Bloody Wolf / Stan Ghouls operation is actively running a spear-phishing campaign against Uzbekistan and Russia, and the activity matters because it is delivering...
Bloody Wolf / Stan Ghouls NetSupport RAT spear-phishing campaign
CampaignAbout this happening: The Bloody Wolf / Stan Ghouls operation is actively running a spear-phishing campaign against Uzbekistan and Russia, and the activity matters because it is delivering...
Phantom Stealer phishing delivery and exfiltration activity
Malware Activity
H score30
First: 15.12.2025 18:00
Last: 15.12.2025 18:00
Sources 1
About this happening:
Phantom Stealer is being delivered through a phishing campaign that uses a ZIP-to-ISO attachment chain to bypass mail defenses, exposing Russian-speaking organizatio...
Phantom Stealer phishing delivery and exfiltration activity
Malware ActivityAbout this happening: Phantom Stealer is being delivered through a phishing campaign that uses a ZIP-to-ISO attachment chain to bypass mail defenses, exposing Russian-speaking organizatio...
Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities
Campaign
H score33
First: 15.12.2025 11:24
Last: 15.12.2025 11:24
Sources 1
About this happening:
The Operation MoneyMount-ISO phishing campaign is actively targeting organizations in Russia, and it matters because the emails deliver Phantom Stealer through malic...
Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities
CampaignAbout this happening: The Operation MoneyMount-ISO phishing campaign is actively targeting organizations in Russia, and it matters because the emails deliver Phantom Stealer through malic...
Timeline
-
02.06.2026 12:05 2 articles · 1mo ago
SideCopy Operation XENOFISCAL targets Afghanistan's Ministry of Finance with Xeno RAT
Initial DisclosureSideCopy's Operation XENOFISCAL targets Afghanistan's Ministry of Finance, related provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level government employees with Xeno RAT. The lure uses a ZIP archive containing a malicious LNK file with a Pashto-language filename, and execution chains mshta.exe to fetch an HTA from a compromised Afghan education domain, run obfuscated JavaScript in memory, and deploy Xeno RAT 1.8.7 with Registry-based persistence and a decoy document.
Show sources
- Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT — thehackernews.com — 02.06.2026 12:05
- Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT — thehackernews.com — 02.06.2026 12:05