ctipilot.ch

Operation XENOFISCAL

campaign · campaign:operation-xenofiscal-sidecopy

SideCopy/APT36 delivering XenoRAT via mshta/HTA against Afghan provincial treasuries.

Coverage timeline
1
first 2026-06-03 → last 2026-06-03
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
research
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1566.001Phishing: Spearphishing Attachment×1

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗

Execution TA0002

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗

Persistence TA0003

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×1

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗

Privilege Escalation TA0004

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×1

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗

Stealth TA0005

T1218.005System Binary Proxy Execution: Mshta×1

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code

Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗

Story timeline

  1. 2026-06-03Operation XENOFISCAL: SideCopy (APT36) hits provincial treasury officials with XenoRAT via an mshta/HTA chain
    research

Where this entity is cited

  • research1

Source distribution

  • seqrite.com1 (50%)
  • thehackernews.com1 (50%)

explore in graph

Entries about Operation XENOFISCAL (1)

2026-06-03 · view entry permalink →

NOTABLE

Operation XENOFISCAL: SideCopy (APT36) hits provincial treasury officials with XenoRAT via an mshta/HTA chain

Seqrite Labs documented Operation XENOFISCAL, a SideCopy (Transparent Tribe / APT36, Pakistan-attributed) campaign against finance officials across Afghanistan's 34 provincial treasury directorates (Mustoufiats) (Seqrite Labs, 2026-05-29). The chain is the group's long-standing signature — a spear-phishing ZIP carrying a Pashto-language LNK that invokes mshta.exe to pull an obfuscated HTA/JavaScript stage from a compromised education domain, which stages .NET loaders in memory before dropping the publicly available XenoRAT (keylogging, screen capture, remote shell) (The Hacker News, 2026-06-02). Persistence uses a Registry Run key typosquatting Microsoft Edge ("Edgre") plus a Scheduled Task; C2 ran on an EU-hosted bulletproof AS (AS59711) previously tied to the group. ATT&CK: T1566.001, T1218.005 (mshta proxy execution), T1547.001, T1053.005.

Why it matters to us: The victimology is South-Central Asian, but the LNK→mshta.exe→HTA→RAT pattern and the typosquatted-product Run-key persistence are directly transferable hunt content for any public-sector treasury/finance environment: alert on mshta.exe spawning wscript.exe or making outbound HTTP, and on Run-key values that misspell legitimate Microsoft product names.

research03 Jun 05:00Zmulti-sourceOpen finding ↗