HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Pakistani‑Linked SideCopy Campaign Compromises Afghan Finance Ministry via Phishing‑Delivered RAT

SideCopy, a threat actor tied to Pakistan, used Pashto‑language phishing lures to deliver the XenoRAT remote‑access trojan to Afghanistan’s Ministry of Finance and provincial finance offices. The campaign leveraged Afghan government servers to hide C2 traffic, creating a persistent espionage foothold that could expose sensitive fiscal data and affect downstream vendors.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
therecord.media

Pakistani‑Linked SideCopy Campaign Compromises Afghan Finance Ministry via Phishing‑Delivered RAT

What Happened – A suspected Pakistan‑backed threat group, SideCopy, sent spear‑phishing emails with ZIP‑packed documents in Pashto to Afghanistan’s Ministry of Finance and provincial finance directorates. Opening the lure installed the open‑source XenoRAT remote‑access trojan, giving the actors persistent access to government workstations.

Why It Matters for TPRM

  • State‑sponsored espionage can expose sensitive fiscal data and policy deliberations.
  • Use of compromised Afghan government infrastructure masks malicious traffic, making detection harder for third‑party service providers.
  • Persistent RAT footholds increase the attack surface for downstream vendors that integrate with government finance systems.

Who Is Affected – Government finance agencies (national Ministry of Finance, provincial revenue and finance directorates) and any third‑party SaaS or cloud services they consume.

Recommended Actions

  • Verify that all finance‑related vendors enforce multi‑factor authentication and email‑gateway phishing defenses.
  • Conduct a forensic review of any systems that communicated with Afghan government IP ranges during the campaign window.
  • Require vendors to provide evidence of network segmentation and monitoring for anomalous outbound connections to Europe‑based C2 servers.

Technical Notes – Attack vector: targeted phishing with malicious ZIP archives; malware: XenoRAT (open‑source RAT) communicating with European C2 hosts; no specific CVE cited. Data types potentially at risk include financial records, budgetary plans, and personnel information. Source: The Record

📰 Original Source
https://therecord.media/afghan-officials-targeted-by-sidecopy

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →