SideCopy Targets Afghan Finance Ministry

TL;DR: The Pakistan-aligned hacking group SideCopy is reportedly targeting Afghanistan's Ministry of Finance. The cyber-espionage campaign uses spear-phishing emails containing a ZIP archive. Inside is a malicious LNK file with a Pashto filename, which deploys an open-source remote access trojan called Xeno RAT to compromise systems.
Key facts
- Category: Cybersecurity
- Impact: High
- Published
- Source: The Hacker News
Full summary
The Pakistan-aligned SideCopy group is using spear-phishing and an open-source RAT to target Afghanistan's Ministry of Finance in a new campaign.
Cybersecurity researchers have identified a new spear-phishing campaign attributed to the SideCopy group, a threat actor believed to be aligned with Pakistan. The campaign specifically targets Afghanistan's Ministry of Finance, indicating a clear cyber-espionage objective. The attack begins with a carefully crafted email delivering a ZIP archive. This archive contains a malicious LNK (shortcut) file disguised with a Pashto-language filename to trick the recipient into opening it. Once executed, the LNK file initiates a process to install Xeno RAT, a publicly available open-source remote access trojan, giving the attackers control over the compromised system.
This incident is significant for security professionals as it showcases the current tactics, techniques, and procedures (TTPs) of a known advanced persistent threat (APT) group. SideCopy's reliance on spear-phishing combined with a common file type like a ZIP archive highlights that even sophisticated actors often depend on social engineering as their initial entry point. The use of an open-source tool like Xeno RAT is also noteworthy. This strategy helps attackers reduce development costs, blend in with legitimate network traffic, and make attribution more difficult for investigators. For IT and security teams, this serves as a critical reminder to maintain strong email security filters and provide ongoing user training to recognize and report suspicious attachments, regardless of how convincing they may appear.
Why it matters
This campaign shows how state-aligned groups use simple social engineering and open-source tools for cyber-espionage, providing a valuable case study for security teams on current threat actor TTPs.
Business impact
Government entities face heightened risk of cyber-espionage from state-aligned threat actors. This type of attack can lead to data theft, intelligence leaks, and disruption of government functions, highlighting the need for robust cybersecurity defenses and employee awareness training.
Action checklist
1. Review email filtering rules for ZIP and LNK file attachments.
2. Educate users on identifying and reporting spear-phishing attempts.
3. Ensure endpoint detection tools are configured to monitor for RAT-like behavior.
4. Block known indicators of compromise (IoCs) associated with SideCopy and Xeno RAT.
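As an added, defender-side illustration of the first and third checklist items (this is example code written for this summary, not code from the original page, from The Hacker News, or from SideCopy's tooling): a small Python triage routine that inspects a ZIP attachment for Windows shortcut entries. It flags .lnk files by extension, catches shortcuts hiding behind a different extension by checking the MS-SHLLINK header (HeaderSize 0x4C plus the LinkCLSID), and recurses into nested ZIPs. The sample attachment, the Pashto filename inside it and the helper names (inspect_zip, triage, build_sample_attachment, build_clean_attachment) are constructed for this example and are not the campaign's real artifacts.

```python
import io
import zipfile

# Extensions that mail gateways commonly block outright; .lnk is the one the
# campaign on this page abused. Assumed policy list, adjust to local rules.
SUSPICIOUS_EXTENSIONS = {".lnk", ".exe", ".scr", ".hta", ".js", ".vbs", ".bat", ".cmd"}

# Every Windows shell link (.lnk) starts with HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} (MS-SHLLINK), 20 bytes total.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def _extension(name):
    """Lower-cased extension of the last path component ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def inspect_zip(data, depth=0, max_depth=2):
    """Return a list of findings (dicts) for the ZIP bytes in `data`."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP payload is itself worth a look, so report it.
        return [{"entry": "<root>", "reason": "not a valid ZIP archive", "depth": depth}]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename          # Unicode names (e.g. Pashto) decode as UTF-8
            ext = _extension(name)
            head = zf.open(info).read(len(LNK_MAGIC))
            if ext in SUSPICIOUS_EXTENSIONS:
                findings.append({"entry": name, "reason": f"blocked extension {ext}", "depth": depth})
            if head == LNK_MAGIC and ext != ".lnk":
                # Content says "shortcut" even though the name does not.
                findings.append({"entry": name,
                                 "reason": f"LNK header behind extension {ext or '<none>'}",
                                 "depth": depth})
            if ext == ".zip" and depth < max_depth:
                findings.extend(inspect_zip(zf.open(info).read(), depth + 1, max_depth))
    return findings


def triage(data):
    """Gateway-style verdict: quarantine if anything was flagged, else allow."""
    findings = inspect_zip(data)
    return ("quarantine" if findings else "allow"), findings


def build_sample_attachment():
    """Constructed sample: a benign PDF, a Pashto-named .lnk, and a nested ZIP
    holding a shortcut mislabelled as invoice.pdf. None of this is real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 32)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("budget.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        z.writestr("مالي راپور.lnk", LNK_MAGIC + b"\x00" * 32)   # constructed Pashto name, not the campaign's
        z.writestr("archive.zip", inner.getvalue())
    return buf.getvalue()


def build_clean_attachment():
    """Constructed control sample with nothing suspicious in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", b"quarterly figures attached separately\n")
    return buf.getvalue()


if __name__ == "__main__":
    verdict, findings = triage(build_sample_attachment())
    print(verdict)
    for f in findings:
        print(f"  depth={f['depth']} {f['entry']!r}: {f['reason']}")
```

The header check is what makes this worth more than an extension blocklist: a shortcut renamed to look like a document still carries the 0x4C/CLSID prologue, and the recursion covers the common "ZIP inside a ZIP" wrapping. In production the same logic would run inside the gateway's attachment hook and feed the verdict into quarantine and alerting rather than printing it.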
Primary source: The Hacker News