Suspected Pakistan-linked SideCopy phishing campaign targets Afghanistan finance officials with XenoRAT malware

Afghan Ministry of Finance and provincial government officials were targeted in a phishing campaign that installed remote-access malware on victims' computers. Seqrite attributed the activity with medium-to-high confidence to SideCopy, a Pakistan-linked group. The lures were Pashto-language documents packaged inside ZIP archives and delivered through compromised Afghan government server infrastructure; opening the file installed XenoRAT, a remote access trojan, which then beaconed to attacker-controlled servers in Europe.
Why it matters: This is a suspected state-linked espionage operation aimed at government financial and provincial officials, and it combined two trust-building ingredients, local-language lures and compromised government infrastructure, to raise its success rate. Afghan public-sector defenders should investigate suspicious ZIP attachments, review who can reach and publish to the government-hosted domains that served the lures, and hunt for XenoRAT activity on endpoints and in outbound traffic to unfamiliar European hosts.
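One concrete form of "investigate suspicious ZIP attachments" is an offline triage pass over the archive before anyone opens it. The script below is an added example for this page, not code from Seqrite or from the XenoRAT or SideCopy analyses; the checks it applies (executable or script members, a document extension followed by an executable one, a Unicode right-to-left override in a member name, a PE "MZ" header behind a document extension, nested archives, encrypted members) are generic ZIP-lure heuristics assumed here, not indicators published for this campaign, and the sample archive it builds is constructed for the demo.

```python
"""Triage a ZIP e-mail attachment for signs of a malicious lure.

Added example; not code from Seqrite, the SideCopy report or the XenoRAT
analysis. The heuristics below are generic assumptions about what a
malicious "document" archive looks like, not campaign-specific indicators,
and build_sample() constructs a demo archive rather than a captured one.
"""
import io
import zipfile

# Extensions that should never appear inside a "document" attachment (assumed list).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1",
             ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi", ".dll"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
RLO = "\u202e"  # right-to-left override: "invoice\u202efdp.scr" renders as "invoicercs.pdf"


def _extensions(member_name: str) -> list:
    """Return every extension of the member's basename, lowercase, e.g. ['.pdf', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def triage_zip(data: bytes) -> list:
    """Return (member_name, reason) findings for a ZIP blob; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            exts = _extensions(name)
            last = exts[-1] if exts else ""
            encrypted = bool(info.flag_bits & 0x1)

            if RLO in name:
                findings.append((name, "right-to-left override in member name"))
            if last in EXEC_EXTS:
                findings.append((name, f"executable or script member ({last})"))
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
                findings.append((name, "document extension followed by executable extension"))
            if last in ARCHIVE_EXTS:
                findings.append((name, f"nested archive ({last})"))
            if encrypted:
                # Password-protected members defeat in-transit scanning; flag rather than skip.
                findings.append((name, "encrypted member, content not inspectable"))
                continue
            # Look at content, not just the name: a PE starts with 'MZ' whatever it is called.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ" and last not in EXEC_EXTS:
                    findings.append((name, "PE (MZ) header behind a non-executable extension"))
    return findings


def build_sample() -> bytes:
    """Construct a demo archive (not a real lure): one benign member and four suspicious ones."""
    fake_pe = b"MZ" + b"\x00" * 62  # only the DOS header magic; not a runnable binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("budget_notes.txt", "harmless text")
        zf.writestr("report.pdf.exe", fake_pe)
        zf.writestr("invoice" + RLO + "fdp.scr", fake_pe)
        zf.writestr("circular.docx", fake_pe)                         # document name, PE content
        zf.writestr("attachments.zip", b"PK\x05\x06" + b"\x00" * 18)  # empty nested ZIP
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample()):
        print(f"{member!r}: {reason}")
```

The content check matters more than the name checks: a lure named `circular.docx` that is really a PE trips nothing in an extension allowlist but is caught by the `MZ` magic, and an encrypted member is reported rather than silently skipped, because a password in the e-mail body is itself a common way to get an archive past scanners.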

Sources

Afghan finance officials targeted by suspected Pakistani cyberespionage campaign
2026.05.31
This article establishes a distinct campaign: a newly reported suspected SideCopy operation targeting Afghan finance-sector government entities via Pashto-language phishing and XenoRAT.