Kabul. Image: Mohammad Husaini via Unsplash

Afghan finance officials targeted by suspected Pakistani cyberespionage campaign

A suspected Pakistan-linked hacking group has targeted Afghanistan's Ministry of Finance and provincial government officials in a new cyberespionage campaign, researchers have found.

Indian cybersecurity firm Seqrite attributed the operation with medium-to-high confidence to SideCopy, a threat actor widely linked to Pakistan and known for targeting government, military and diplomatic entities across South Asia.

The attackers used phishing emails containing ZIP archives with a malicious file masquerading as an internal government document. The file's title, written in Pashto, claimed to contain a list of employees who had participated in a seminar on intellectual and psychological warfare.

The malicious files were delivered through infrastructure hosted on Afghan government servers, allowing the attackers to blend their traffic with legitimate state communications and evade network-level detection. It is not known how SideCopy gained access to the compromised Afghan education domain server.

Once opened, the file silently installed XenoRAT, an open-source remote access trojan that allows attackers to maintain long-term access to infected systems. The malware then connected to attacker-controlled servers hosted in Europe, allowing the attackers to spy on infected computers and carry out additional malicious activities.

According to Seqrite, the use of Pashto was likely intentional. The language is widely used across Afghanistan's government institutions and among the provincial finance officials who appeared to be the primary targets of the operation.

Researchers said the lure document demonstrated a level of specificity that suggests the attackers conducted reconnaissance before launching the campaign.

"While the victim reads what appears to be a routine internal government document, the malware has already silently completed its installation in the background," Seqrite researchers wrote.

The operation targeted not only Afghanistan's Ministry of Finance but also provincial revenue and finance directorates, Pashto-speaking government officials and other provincial government employees, according to the report.

SideCopy has been active since at least 2019 and has frequently been linked by researchers to operations resembling those of APT36, also known as Transparent Tribe, a hacking group associated with Pakistan. Seqrite previously observed SideCopy deploying customized versions of XenoRAT in late 2024 as part of a broader overhaul of its malware toolkit.

This is not the first time Afghan officials have been targeted in a phishing campaign. In a separate operation reported by Seqrite in January, unknown hackers targeted Afghan government employees with phishing emails disguised as official correspondence from the Prime Minister's office. Those emails delivered a data-stealing malware strain known as FalseCub. Researchers did not publicly attribute that operation to a specific threat actor.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.