SideCopy APT: Xeno RAT Campaign Targeting Finance Sector — Detection and Hardening Guide

Security Arsenal Team
June 2, 2026

The Afghanistan Ministry of Finance has been identified as the target of a sophisticated spear-phishing campaign orchestrated by the Pakistan-aligned threat actor known as SideCopy (also referenced as APT-36). This engagement highlights the continued evolution of nation-state tradecraft, moving from standard commodity malware to the deployment of Xeno RAT, a relatively new, feature-rich Remote Access Trojan (RAT) written in .NET.

The initial vector is a ZIP archive containing a malicious LNK (Shortcut) file masquerading as a legitimate document, utilizing Pashto-language filenames to lower victim suspicion. For defenders, this represents a high-risk intrusion scenario. Once the LNK is executed, the payload establishes a foothold, granting attackers full control over the endpoint—including keylogging, screen capture, and file exfiltration capabilities.

Technical Analysis

Threat Actor: SideCopy (APT-36)
Targeted Sector: Government / Finance
Payload: Xeno RAT (Open Source)
Delivery Mechanism: Spear-phishing (ZIP Archive) -> Malicious LNK File

Attack Chain Breakdown:

  1. Initial Access: The victim receives a spear-phishing email whose attachment is a ZIP file containing a .lnk file. The filename is socially engineered to appear relevant to the recipient (e.g., written in Pashto script).
  2. Execution: When the victim double-clicks the LNK file, Windows does not open a document; it runs the command line embedded in the shortcut's target and arguments. In SideCopy operations this typically invokes cmd.exe or powershell.exe to fetch and execute the next stage.
  3. Payload Deployment: That command retrieves the Xeno RAT payload (often a DLL or executable) from a remote server. Xeno RAT is notable for its evasion techniques, including code injection and anti-analysis checks.
  4. C2 & Persistence: The RAT connects to the attacker's Command and Control (C2) server. Persistence is established via Registry Run keys or Scheduled Tasks so the implant survives a reboot.
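To make the triage of such shortcuts concrete, the following is an added Python example (not part of the original advisory, and not SideCopy or Xeno RAT code): it walks the shell-link layout from MS-SHLLINK to pull out ShowCommand and the COMMAND_LINE_ARGUMENTS string, then applies the same launcher and encoded-command markers the detection content on this page keys on. The build_lnk helper, the SAMPLE blob and the SUSPICIOUS regex are constructions of this example.

```python
import re
import struct
# LinkFlags bits (MS-SHLLINK 2.1.1) and the ShowCommand value that hides the window
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# Same launcher / encoded-command markers the Sigma, KQL and VQL below key on
SUSPICIOUS = re.compile(r"(powershell|pwsh|mshta|-enc\b|-encodedcommand|\biex\b|"
                        r"downloadstring|-w\S*\s+hidden)", re.I)

def parse_lnk(data: bytes) -> dict:
    """Walk the shell-link layout and return ShowCommand plus the StringData fields."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: HeaderSize must be 0x4C")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 76
    if flags & HAS_IDLIST:                # LinkTargetIDList: u16 size, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:              # LinkInfo: its first u32 is its own total size
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:        # StringData: u16 char count + chars, in this order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return info

def triage(info: dict) -> list:
    """Reasons a parsed LNK looks like a SideCopy-style launcher (empty = nothing found)."""
    reasons = []
    if SUSPICIOUS.search(info.get("arguments", "")):
        reasons.append("launcher/encoded-command arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window hidden (ShowCommand=SW_SHOWMINNOACTIVE)")
    return reasons

def build_lnk(arguments: str, show_command: int = 1) -> bytes:
    """Constructed minimal Unicode .lnk carrying only COMMAND_LINE_ARGUMENTS, for offline tests."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, IS_UNICODE | 0x20,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

# Constructed sample: hidden window plus an encoded-command launcher (placeholder blob)
SAMPLE = build_lnk("/c powershell -w hidden -enc QUFBQQ==", SW_SHOWMINNOACTIVE)
```

Running parse_lnk over the .lnk entries of a quarantined ZIP and keeping those for which triage returns a non-empty list gives the same signal as the PowerShell remediation script below, without touching the shortcut through the shell.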

Exploitation Status: Confirmed active exploitation in the wild against government targets.

Detection & Response

This is a technical threat requiring immediate detection engineering. Below are Sigma rules, KQL queries, and VQL artifacts designed to identify the specific TTPs associated with this SideCopy campaign.

Sigma Rules

---
title: Suspicious LNK File with PowerShell Encoded Command
id: 8f4e3d12-1a9b-4c5f-9e8d-2a3b4c5d6e7f
status: experimental
description: Detects PowerShell launched from Explorer with an encoded command or download cradle, as triggered by the malicious LNK files SideCopy uses for initial access.
references:
  - https://attack.mitre.org/techniques/T1566/001/
  - https://thehackernews.com/2026/06/pakistan-linked-sidecopy-targets.html
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\explorer.exe'
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cli:
    CommandLine|contains:
      - '-enc '
      - '-encodedcommand '
      - 'DownloadString'
      - 'IEX'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative scripts (rare from Explorer)
level: high
---
title: Xeno RAT Persistence via Registry Run Key
id: 9a5e4f23-2b0c-5d6g-0f9e-3b4c5d6e7f8a
status: experimental
description: Detects potential Xeno RAT persistence. Xeno often writes Run key entries from reg.exe, PowerShell or cmd.exe with names mimicking Windows updaters.
references:
  - https://attack.mitre.org/techniques/T1547/001/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\Software\Microsoft\Windows\CurrentVersion\Run'
      - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
      - '\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    Image|endswith:
      - '\reg.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Legitimate software installations
level: medium

KQL (Microsoft Sentinel / Defender)

// Hunt for LNK files written by an archive tool, Explorer or Outlook that are
// followed within five minutes on the same device by a script host launched
// from Explorer with encoded / hidden-window / download-cradle arguments.
let Lookback = 7d;
let ProcessEvents = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe")
| where ProcessCommandLine has_any ("-enc", "-w hidden", "DownloadString", "IEX")
| project DeviceId, ProcTime = Timestamp, ProcessCommandLine, AccountName;
let FileEvents = DeviceFileEvents
| where Timestamp > ago(Lookback)
| where FileName endswith ".lnk"
| where InitiatingProcessFileName in~ ("winrar.exe", "7zFM.exe", "explorer.exe", "outlook.exe")
| project DeviceId, DeviceName, LnkTime = Timestamp, FileName, FolderPath;
FileEvents
| join kind=inner ProcessEvents on DeviceId
// An exact-timestamp join never matches; require the process start shortly after the LNK write
| where ProcTime between (LnkTime .. (LnkTime + 5m))
| project LnkTime, ProcTime, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName
| order by ProcTime desc

Velociraptor VQL

-- Hunt for LNK files in user-facing directories and inspect their parsed
-- target and arguments for PowerShell / cmd / mshta launchers.
-- Parsing is delegated to the built-in Windows.Forensics.Lnk artifact.
-- Assumption: that artifact exposes SourceFile, Mtime and a StringData
-- dict with TargetPath / Arguments; confirm the column names on your server.
LET LnkGlob = "C:/Users/*/{Downloads,Desktop,Documents}/**/*.lnk"

SELECT SourceFile,
       Mtime AS Modified,
       StringData.TargetPath AS Target,
       StringData.Arguments AS Arguments
FROM Artifact.Windows.Forensics.Lnk(TargetGlob=LnkGlob)
WHERE Target =~ '(?i)(powershell|pwsh|cmd|mshta)(\.exe)?$'
   OR Arguments =~ '(?i)(powershell|mshta|-enc\b|-encodedcommand|\biex\b|downloadstring|-w\S*\s+hidden)'

Remediation Script (PowerShell)

<#
.SYNOPSIS
    Xeno RAT / SideCopy LNK Remediation Script
.DESCRIPTION
    Scans user profiles for LNK files that launch PowerShell/cmd/mshta with
    encoded or download-cradle arguments, reviews Run/RunOnce keys for entries
    whose target is missing or not validly signed, and (optionally, with
    -DisablePSv2) removes the PowerShell v2 engine.
.PARAMETER DisablePSv2
    Disable the Windows PowerShell 2.0 optional feature (requires elevation).
#>
param(
    [switch]$DisablePSv2
)

Write-Host "[*] Starting SideCopy / Xeno RAT Remediation Check..." -ForegroundColor Cyan

# 1. Scan User Profiles for Suspicious LNKs in Downloads, Desktop and Documents
$Users = Get-ChildItem "C:\Users" -Directory
$suspiciousFiles = @()
$shell = New-Object -ComObject WScript.Shell   # one COM object, reused for every shortcut

foreach ($User in $Users) {
    $Paths = @("$($User.FullName)\Downloads", "$($User.FullName)\Desktop", "$($User.FullName)\Documents")
    foreach ($Path in $Paths) {
        if (-not (Test-Path $Path)) { continue }
        Write-Host "[*] Scanning $Path for .lnk files..." -ForegroundColor Gray
        foreach ($lnk in Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
            $shortcut = $shell.CreateShortcut($lnk.FullName)
            $target   = $shortcut.TargetPath
            $lnkArgs  = $shortcut.Arguments   # $args is an automatic variable; do not overwrite it

            # Flag LNKs that launch a script host with encoded / hidden-window / download-cradle arguments
            if ($target -match '(powershell|pwsh|cmd|mshta)' -and $lnkArgs -match '(-enc|-encodedcommand|iex|downloadstring|-w\S*\s+hidden)') {
                Write-Host "[!] Suspicious LNK found: $($lnk.FullName)" -ForegroundColor Red
                Write-Host "    Target: $target" -ForegroundColor Red
                Write-Host "    Arguments: $lnkArgs" -ForegroundColor Red
                $suspiciousFiles += $lnk.FullName
            }
        }
    }
}

# 2. Check Registry Run keys for entries with missing or unsigned targets (common with Xeno)
$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

Write-Host "[*] Scanning Registry Run keys for missing or unsigned binaries..." -ForegroundColor Cyan
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($Name in (Get-Item -Path $Key).Property) {
        $Value = (Get-ItemProperty -Path $Key -Name $Name).$Name
        # Take the executable from a quoted path or the first token, then expand %VARS%
        $Exe = if ($Value -match '^"([^"]+)"') { $Matches[1] } else { ($Value -split ' ')[0] }
        $Exe = [Environment]::ExpandEnvironmentVariables($Exe)
        if (-not $Exe) { continue }

        if ($Exe -match '\.exe$' -and -not (Test-Path $Exe)) {
            Write-Host "[!] Broken persistence link in $Key" -ForegroundColor Yellow
            Write-Host "    Name: $Name | Value: $Value" -ForegroundColor Yellow
        } elseif ((Test-Path $Exe -PathType Leaf) -and (Get-AuthenticodeSignature -FilePath $Exe).Status -ne 'Valid') {
            Write-Host "[!] Unsigned or invalidly signed Run entry in $Key" -ForegroundColor Yellow
            Write-Host "    Name: $Name | Value: $Value" -ForegroundColor Yellow
        }
    }
}

# 3. Optionally remove the PowerShell v2 engine, which lacks script block logging
if ($DisablePSv2) {
    Write-Host "[*] Disabling the Windows PowerShell 2.0 optional feature..." -ForegroundColor Cyan
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

if ($suspiciousFiles.Count -eq 0) {
    Write-Host "[+] No immediate SideCopy LNK indicators found." -ForegroundColor Green
} else {
    Write-Host "[!] Quarantine recommended for $($suspiciousFiles.Count) files." -ForegroundColor Red
}

Remediation

To neutralize the threat posed by SideCopy and Xeno RAT, organizations must implement a layered defense strategy:

  1. Block Macros and LNK Execution from the Internet:
     • Enable the Microsoft Defender Attack Surface Reduction (ASR) rules "Block Office applications from creating child processes" and "Block Office applications from importing executable content".
     • Configure Mark of the Web (MOTW) policies to prevent the execution of LNK files downloaded from the Internet.
  2. Network Segmentation and Egress Filtering:
     • Xeno RAT relies on persistent C2 connections. Implement strict egress filtering that allows only the ports the business needs, and block non-essential outbound traffic on ports commonly abused by RATs (e.g., 8080, 4443, or dynamic high ports).
     • Inspect DNS traffic for anomalies; SideCopy domains often use typosquatting or newly registered TLDs.
  3. Application Control:
     • Use AppLocker or Windows Defender Application Control (WDAC) to block PowerShell from running in the background (-w hidden) unless explicitly authorized.
     • Deny execution of unsigned binaries in user profile directories (%APPDATA%, %TEMP%, %USERPROFILE%\Downloads).
  4. User Awareness:
     • Educate high-value targets (Finance Ministry employees) specifically about the danger of ZIP files containing shortcuts, even when the filenames appear locally relevant and are written in the native language.
