SideCopy Resurfaces: Xeno RAT & LNK Deception in Afghan MOF Attacks
Saw the report on The Hacker News this morning about SideCopy pivoting back to target the Afghan Ministry of Finance. It's interesting to see them sticking to the old reliable ZIP + LNK delivery method, but this time they’re deploying Xeno RAT, an open-source C# remote access trojan.
For those who haven't dug into Xeno RAT yet, it's fairly feature-rich for an open-source project—offering keylogging, audio capture, and remote desktop capabilities. Since it's .NET-based, it often flags slightly differently in EDR telemetry than your standard C/C++ malware, depending on the obfuscation level.
The campaign relies heavily on social engineering, using Pashto-language filenames in the LNK files to increase the success rate of the spear-phishing hook. The LNK file typically executes a PowerShell or CMD command to retrieve the next stage.
If you're hunting for this in your environment, specifically look for ZIP archives containing LNK files. A quick way to scan user download directories for this vector is using this PowerShell snippet:
Get-ChildItem -Path "C:\Users\*\Downloads" -Filter *.zip -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
try {
$archive = [System.IO.Compression.ZipFile]::OpenRead($_.FullName)
$lnkFiles = $archive.Entries | Where-Object { $_.Name -match '\.lnk$' }
if ($lnkFiles) {
Write-Host "Potential threat found in: $($_.FullName)"
$lnkFiles | ForEach-Object { Write-Host " - $($_.FullName)" }
}
$archive.Dispose()
} catch {}
}
Since this is open-source, we can expect the signatures to change rapidly as other groups adopt Xeno RAT. I'm currently looking for behavioral anomalies, specifically cmd.exe or powershell.exe spawning directly from explorer.exe with archive-related arguments.
Has anyone else started seeing Xeno RAT in the wild outside of this specific geopolitical targeting? I'm curious if the C2 infrastructure has any overlaps with previous SideCopy campaigns.
We've actually seen a spike in similar LNK-over-Email deliveries in the past week, though not confirmed as SideCopy yet. The use of Xeno RAT is notable because its C2 traffic can look a lot like standard web browsing if you aren't inspecting payloads closely.
I recommend adding a Sigma rule for explorer.exe spawning child processes that aren't standard file associations. Also, check for persistence via Scheduled Tasks, as Xeno RAT often prefers that over Registry Run keys.
Good post. I've been analyzing Xeno RAT samples for a few months. One thing to note is that newer versions often implement anti-analysis checks (debuggers/sandbox) that can crash your automated detonation sandboxes.
If you're doing dynamic analysis, make sure you're masking your hypervisor flags. For detection, we've had success hunting for the specific .NET assembly loading patterns it uses when injecting into legitimate processes like notepad.exe.
Is ZIP blocking still viable? We've been debating removing the block on password-protected archives at the gateway because of false positives with business partners. But seeing this resurgence makes me hesitant.
We're currently using Office 365 Safe Links, but it doesn't scan inside attached ZIPs effectively. Anyone using a specific secure email gateway (SEG) that handles nested archive scanning well without killing latency?
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access