Pakistan‑Linked SideCopy Deploys Xeno RAT via Spear‑Phishing Against Afghanistan Finance Ministry
What Happened — Researchers identified a spear‑phishing campaign attributed to the Pakistan‑aligned SideCopy group that targeted the Ministry of Finance of Afghanistan. The attackers delivered a ZIP archive containing a malicious LNK file with a Pashto‑language filename, which, when executed, installed the open‑source Xeno Remote Access Trojan (RAT). Early indicators suggest the RAT was used to gain persistent access to internal workstations and could facilitate data exfiltration or espionage.
Why It Matters for TPRM —
- State‑level finance ministries are high‑value third‑party vendors; compromise can expose sensitive fiscal data and undermine downstream supply‑chain partners.
- The use of a publicly available RAT lowers the barrier for other threat actors to replicate the technique against similar government or financial entities.
- Spear‑phishing with LNK files remains a prevalent initial‑access vector, highlighting the need for robust email security and user awareness across all third‑party relationships.
Who Is Affected — Government finance agencies, public‑sector budgeting systems, and any third‑party service providers (e.g., payroll, ERP, cloud hosting) that integrate with the Afghan Ministry of Finance.
Recommended Actions —
- Review any contracts or data flows with Afghan government finance entities and assess exposure to credential or data leakage.
- Enforce strict email attachment scanning, disable LNK execution from downloaded archives, and implement multi‑factor authentication for privileged accounts.
- Conduct threat‑intel monitoring for SideCopy activity and verify that all remote‑access tools in use are authorized, patched, and logged.
Technical Notes — Attack vector: spear‑phishing ZIP with malicious LNK (attack_vector_code = PHISHING). Malware: Xeno RAT (open‑source remote access trojan). No specific CVE referenced. Potential data types at risk: financial statements, budgeting spreadsheets, personnel payroll data, and diplomatic communications. Source: The Hacker News