Pakistani‑Linked SideCopy Campaign Compromises Afghan Finance Ministry via Phishing‑Delivered RAT
What Happened – A suspected Pakistan‑backed threat group, SideCopy, sent spear‑phishing emails with ZIP‑packed documents in Pashto to Afghanistan’s Ministry of Finance and provincial finance directorates. Opening the lure installed the open‑source XenoRAT remote‑access trojan, giving the actors persistent access to government workstations.
Why It Matters for TPRM –
- State‑sponsored espionage can expose sensitive fiscal data and policy deliberations.
- Use of compromised Afghan government infrastructure masks malicious traffic, making detection harder for third‑party service providers.
- Persistent RAT footholds increase the attack surface for downstream vendors that integrate with government finance systems.
Who Is Affected – Government finance agencies (national Ministry of Finance, provincial revenue and finance directorates) and any third‑party SaaS or cloud services they consume.
Recommended Actions –
- Verify that all finance‑related vendors enforce multi‑factor authentication and email‑gateway phishing defenses.
- Conduct a forensic review of any systems that communicated with Afghan government IP ranges during the campaign window.
- Require vendors to provide evidence of network segmentation and monitoring for anomalous outbound connections to Europe‑based C2 servers.
Technical Notes – Attack vector: targeted phishing with malicious ZIP archives; malware: XenoRAT (open‑source RAT) communicating with European C2 hosts; no specific CVE cited. Data types potentially at risk include financial records, budgetary plans, and personnel information. Source: The Record