Pakistan Spies on Afghan Finance Ministry With Xeno RAT
Dark ReadingArchived Jun 04, 2026✓ Full text saved
Despite broadly connected digital infrastructure, standard fare TTPs are enough to cause trouble for Afghanistan's porous cybersecurity.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERATTACKS & DATA BREACHES
THREAT INTELLIGENCE
ENDPOINT SECURITY
CYBER RISK
NEWS
Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific
Pakistan Spies on Afghan Finance Ministry With Xeno RAT
Despite broadly connected digital infrastructure, standard fare TTPs are enough to cause trouble for Afghanistan's porous cybersecurity.
Nate Nelson,Contributing Writer
June 4, 2026
4 Min Read
SOURCE: OLEKSII LISKONIH VIA GETTY IMAGES
A Pakistani advanced persistent threat (APT) group has been spying on Afghanistan's government finance apparatus, from the Ministry of Finance on down to provincial government employees.
Forget the Kalashnikovs, pickup trucks, and sausage fest tribal councils. In 2026, even the Taliban manages modern, widespread IT infrastructure.
"Despite common perceptions, Afghanistan maintains a considerably larger digital footprint than many observers expect," researchers from Seqrite wrote in an email to Dark Reading. "The government operates numerous ministry portals, educational institutions, regulatory bodies, email systems, and administrative services that support day-to-day governance — a broad and interconnected digital ecosystem."
As such, like any other government, Afghanistan has cybersecurity threats to fend off. In concert with their recent spike in hostilities, for example, its frenemies across the border in Pakistan have been trying to spy on its government finance department since at least May 2025. Seqrite attributes the recently observed, likely ongoing phishing campaign to the group known as "SideCopy." SideCopy is believed to be an element of the Pakistani government, is often associated with Pakistan's catch-all "Transparent Tribe" (aka APT 36) APT, and has been known to target neighboring countries.
Related:Tropical Blend: Cyber & Politics Ramp Up Across Latin America
Pakistan Campaign Against Afghanistan
The attack chain SideCopy deployed in this latest Afghanistan campaign is not only the same one it's been rolling out for ages, but utterly textbook of a mid-tier threat actor.
The attacks began with spear-phishing emails. Those emails contained zip archives, with malicious LNK files disguised as PDFs. The LNK files used mshta to fetch an HTA payload, which then got decoded in-memory. A couple of loaders followed, and the attackers established persistence via the Windows registry, disguising their task as a Microsoft Edge process.
The malware these steps were in service of, Xeno RAT, is an open source (OSS) remote stealer, customized in this case with a hardcoded command-and-control (C2) domain hosted by a bulletproof service in Bulgaria.
Meanwhile, the decoy document presented to victims was an Afghan Ministry of Finance staff directory, listing names and mobile numbers belonging to various high-ranking employees across the country's 34 provinces.
These otherwise cookie-cutter tactics, techniques, and procedures (TTPs) were helped by a couple of small, thoughtful considerations.
From the name of that LNK file to the decoy document dropped shortly thereafter, the attack chain made specific use of the Pashto language. Though only the second most commonly spoken language in Afghanistan — behind the lingua franca, Dari — Pashto is native to the Pashtun, the country's largest ethnic group from which the Taliban largely derives.
Related:Latin American Cybercriminals Hoover Up Government Data
Even more significantly, the attackers hosted their remote payload on a compromised domain in the IP address space of Afghanistan's Ministry of Communication and Information Technology. By running their malicious traffic through the government's own sovereign infrastructure, on a website situated next to more than 200 legitimate government and education sites, the hackers were able to blend their malicious traffic with proper state business.
"While the operation does not introduce new malware techniques, it demonstrates a mature and deliberate approach to defense evasion, persistence, and operational security," the researchers argue. "In this case, the sophistication lies more in the execution, targeting, and orchestration of proven methods than in any single technical innovation."
Cybersecurity Under the Taliban
Remember the images from the pullout of Afghanistan in 2021? Decades worth of weaponry, vehicles, and military and government infrastructure left behind for free use by the invading Taliban.
Related:China's 'FamousSparrow' APT Nests in South Caucasus Energy Firm
This was also how the Taliban got its current cyber infrastructure. In the two decades following 2001 — when the former Taliban government fell — foreign aid and investments helped Afghanistan develop mobile, fiber optic, and other telecommunications infrastructure. The government developed a variety of IT and cybersecurity services on top, including security and surveillance systems, biometric databases, and administrative networks such as the Finance Ministry's, in which Pakistan has taken a recent interest. When the government turned over half a decade ago, the new (old) kids on the block simply inherited all those systems.
Though it inherited the digital transformation for free, the Taliban has fewer cybersecurity resources available to protect that infrastructure, compared with the average non-US-designated terrorist government. That might help explain why a nation-state wouldn't deploy its most sophisticated TTPs in attacking it.
"Afghanistan's cyber resilience may face challenges due to several factors, including economic isolation, limited access to international cybersecurity partnerships, difficulties in retaining skilled cybersecurity personnel, and constraints on technology modernization," the researchers say. "Such conditions can create opportunities for threat actors to maintain long-term access and conduct espionage operations with a reduced likelihood of detection."
Read more about:
DR Global Middle East & Africa
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.
He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Cybersecurity for Resource-Constrained Organizations
More Webinars
You May Also Like
CYBERATTACKS & DATA BREACHES
Critical Fortinet Flaws Under Active Attack
by Jai Vijayan, Contributing Writer
DEC 17, 2025
CYBERATTACKS & DATA BREACHES
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
by Rob Wright
DEC 04, 2025
CYBERATTACKS & DATA BREACHES
F5 BIG-IP Environment Breached by Nation-State Actor
by Alexander Culafi
OCT 15, 2025
CYBERATTACKS & DATA BREACHES
Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business
by Robert Lemos, Contributing Writer
OCT 03, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS