HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Pakistan‑Linked SideCopy Deploys Xeno RAT via Spear‑Phishing Against Afghanistan Finance Ministry

SideCopy, a Pakistan‑aligned threat group, used a spear‑phishing ZIP with a malicious LNK file to install the Xeno RAT on Afghanistan's Ministry of Finance workstations, creating a foothold for potential data exfiltration and espionage.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

Pakistan‑Linked SideCopy Deploys Xeno RAT via Spear‑Phishing Against Afghanistan Finance Ministry

What Happened — Researchers identified a spear‑phishing campaign attributed to the Pakistan‑aligned SideCopy group that targeted the Ministry of Finance of Afghanistan. The attackers delivered a ZIP archive containing a malicious LNK file with a Pashto‑language filename, which, when executed, installed the open‑source Xeno Remote Access Trojan (RAT). Early indicators suggest the RAT was used to gain persistent access to internal workstations and could facilitate data exfiltration or espionage.

Why It Matters for TPRM

  • State‑level finance ministries are high‑value third‑party vendors; compromise can expose sensitive fiscal data and undermine downstream supply‑chain partners.
  • The use of a publicly available RAT lowers the barrier for other threat actors to replicate the technique against similar government or financial entities.
  • Spear‑phishing with LNK files remains a prevalent initial‑access vector, highlighting the need for robust email security and user awareness across all third‑party relationships.

Who Is Affected — Government finance agencies, public‑sector budgeting systems, and any third‑party service providers (e.g., payroll, ERP, cloud hosting) that integrate with the Afghan Ministry of Finance.

Recommended Actions

  • Review any contracts or data flows with Afghan government finance entities and assess exposure to credential or data leakage.
  • Enforce strict email attachment scanning, disable LNK execution from downloaded archives, and implement multi‑factor authentication for privileged accounts.
  • Conduct threat‑intel monitoring for SideCopy activity and verify that all remote‑access tools in use are authorized, patched, and logged.

Technical Notes — Attack vector: spear‑phishing ZIP with malicious LNK (attack_vector_code = PHISHING). Malware: Xeno RAT (open‑source remote access trojan). No specific CVE referenced. Potential data types at risk: financial statements, budgeting spreadsheets, personnel payroll data, and diplomatic communications. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/06/pakistan-linked-sidecopy-targets.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →