MalwareUsed by 5 actors

Xeno RAT

Xeno RAT is an open-source Windows remote access trojan written in C# and publicly available on GitHub. It is described as compatible with Windows 10 and Windows 11 and includes a builder for creating customized variants. Reported capabilities include remote command execution, data exfiltration/theft, file operations, loading and executing external DLL modules, keystroke logging, screenshot capture, clipboard monitoring, webcam and microphone access including live audio recording, antivirus information retrieval, SOCKS5 reverse proxy/network tunneling, hVNC hidden desktop functionality, persistence creation including scheduled tasks, and self-removal/uninstall features.

The malware has been observed in multiple intrusion sets and delivery chains. Seqrite reported a spear-phishing campaign dubbed Operation XENOFISCAL, likely conducted by the Pakistan-aligned SideCopy group (associated with Transparent Tribe/APT36), targeting Afghanistan’s Ministry of Finance and provincial finance/revenue entities. In that activity, phishing emails delivered ZIP archives containing Pashto-language malicious LNK files disguised as PDFs; execution invoked mshta.exe to fetch an HTA payload from a compromised Afghan domain, execute obfuscated JavaScript, establish registry persistence masquerading as Microsoft Edge, and deploy Xeno RAT 1.8.7 via a DLL loader alongside a decoy document. Seqrite described the campaign sample as a customized Xeno RAT with a hardcoded C2 domain hosted by a bulletproof provider in Bulgaria.

Xeno RAT has also been linked in reporting on DPRK-related activity. Fortinet noted earlier iterations of a Kimsuky-attributed campaign used LNK files and GitHub-based command-and-control to distribute Xeno RAT and its variant MoonPeak, consistent with prior ENKI and Trellix reporting. Separate reporting described Kimsuky targeting diplomatic missions in South Korea using phishing emails with ZIP/LNK payloads, GitHub for covert C2, and cloud services such as Dropbox and Daum Cloud to deliver the Xeno RAT variant MoonPeak.

Other observed delivery mechanisms include Discord CDN distribution via a shortcut file disguised as a WhatsApp screenshot that downloads a ZIP archive and proceeds through a multi-stage infection chain using DLL side-loading, persistence, and anti-analysis/anti-detection measures. Securonix also reported Xeno RAT as one of several payloads in the VOID#GEIST campaign, where phishing-delivered batch scripts fetched staged payloads from TryCloudflare infrastructure; a Python loader and the legitimate Microsoft binary AppInstallerPythonRedirector.exe were used to decrypt and launch Xeno RAT, with in-memory execution via injection into explorer.exe. Proofpoint additionally listed Xeno RAT among payloads historically used by the initial access broker TA584.

Cybereason highlighted Xeno RAT’s built-in hVNC capability as a standard feature and observed in testing that attackers could launch hidden Chrome and PowerShell sessions invisible to the victim, with a second explorer.exe associated with the hidden desktop. High-confidence associations in the provided content therefore include use by SideCopy against Afghan government finance targets, prior use/distribution in Kimsuky-linked GitHub-C2 activity, and broader use as a commodity/open-source RAT in phishing-led campaigns.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Transparent Tribe

The malware these steps were in service of, Xeno RAT, is an open source (OSS) remote stealer, customized in this case with a hardcoded command-and-control (C2) domain hosted by a bulletproof service in Bulgaria.

via dark readingdarkreading.com

SideCopy

via dark readingdarkreading.com

APT-36

via dark readingdarkreading.com

Kimsuky

Fortinet notes that earlier iterations of this activity delivered the Xeno RAT malware family. Similar GitHub-based C2 usage for distributing Xeno RAT and its variant MoonPeak was previously reported by ENKI and Trellix, both attributing the activity to Kimsuky.

via infosec writeupsinfosecwriteups.com

TA584

Proofpoint says TA584 has used a large number of payloads over the years, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT.

via bleeping computerbleepingcomputer.com

MITRE ATT&CK

Techniques & procedures

30 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1584Compromise InfrastructureEvidence1

the attackers hosted their remote payload on a compromised domain in the IP address space of Afghanistan's Ministry of Communication and Information Technology.

Initial Access

1 technique

T1566.001Spearphishing AttachmentEvidence3

The attacks began with spear-phishing emails. Those emails contained zip archives, with malicious LNK files disguised as PDFs.

Execution

6 techniques

T1053.005Scheduled TaskEvidence2

The malware is equipped to ... launch the malware via a scheduled task ...

T1059Command and Scripting InterpreterEvidence1

Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.

T1059.003Windows Command ShellEvidence1

The RunProcessWithHiddenCmd() function is used to execute files or commands through cmd.exe.

T1059.007JavaScriptEvidence2

Upon execution, the LNK file uses mshta.exe to download a remote HTML Application (HTA) from a compromised Afghan education domain, leading to the execution of obfuscated JavaScript.

T1106Native APIEvidence1

the malware directly allocates executable memory within the current process using the Windows API VirtualAlloc()... transfers execution to the injected buffer through the CreateThread() API.

T1204.002Malicious FileEvidence3

Those emails contained zip archives, with malicious LNK files disguised as PDFs.

Persistence

2 techniques

T1053.005Scheduled TaskEvidence2

The malware is equipped to ... launch the malware via a scheduled task ...

T1547.001Registry Run Keys / Startup FolderEvidence3

A couple of loaders followed, and the attackers established persistence via the Windows registry, disguising their task as a Microsoft Edge process.

Privilege Escalation

3 techniques

T1053.005Scheduled TaskEvidence2

The malware is equipped to ... launch the malware via a scheduled task ...

T1055Process InjectionEvidence1

the malware directly allocates executable memory within the current process using the Windows API VirtualAlloc()... copies the reconstructed shellcode buffer into the allocated region... and transfers execution to the injected buffer through the CreateThread() API.

T1547.001Registry Run Keys / Startup FolderEvidence3

A couple of loaders followed, and the attackers established persistence via the Windows registry, disguising their task as a Microsoft Edge process.

Stealth

7 techniques

T1027.011Fileless StorageEvidence1

This staged approach is commonly used in fileless malware... reconstruct the serialized payload entirely in memory without touching disk.

T1036MasqueradingEvidence3

A couple of loaders followed, and the attackers established persistence via the Windows registry, disguising their task as a Microsoft Edge process.

T1055Process InjectionEvidence1

T1070.004File DeletionEvidence1

It launches a hidden cmd.exe process with a Base64-decoded command (/C choice /C Y /N /D Y /T 3 & Del) that waits for a few seconds and then deletes the running executable file from disk.

T1218.005MshtaEvidence4

The LNK files used mshta to fetch an HTA payload, which then got decoded in-memory.

T1564.001Hidden Files and DirectoriesEvidence1

The malware creates a directory named USOShared-1de48789-1285 under C:\Users\Public\ to store the next-stage HTA payload... The directory naming convention mimics application-generated cache or profile folders.

T1620Reflective Code LoadingEvidence1

The embedded payload is then decrypted and loaded directly from memory using reflective techniques such as Assembly.Load(byte[]) , avoiding disk-based deployment entirely.

Credential Access

1 technique

T1056.001KeyloggingEvidence2

Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.

Discovery

2 techniques

T1012Query RegistryEvidence1

The script then checks whether the .NET Framework version v4.0.30319 is installed by querying the registry path HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.

T1518Software DiscoveryEvidence1

GetAntivirus function retrieves antivirus information from the system using Windows Management Instrumentation (WMI) by querying the AntivirusProduct class under root\SecurityCenter2.

Collection

5 techniques

T1056.001KeyloggingEvidence2

Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.

T1113Screen CaptureEvidence3

Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.

T1115Clipboard DataEvidence1

The malware is equipped to ... monitor the clipboard ...

T1123Audio CaptureEvidence2

The malware is equipped to ... track webcam/microphone ...

T1125Video CaptureEvidence2

The malware is equipped to ... track webcam/microphone ...

Command and Control

6 techniques

T1071Application Layer ProtocolEvidence2

Xeno RAT, is an open source (OSS) remote stealer, customized in this case with a hardcoded command-and-control (C2) domain hosted by a bulletproof service in Bulgaria.

T1071.001Web ProtocolsEvidence1

the LNK silently leverages mshta.exe to fetch a remote HTA payload from a compromised Afghan education domain... hosted over HTTPS.

T1090ProxyEvidence1

Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.

T1090.002External ProxyEvidence2

The malware is equipped to ... support SOCKS5 proxy-based network tunneling ...

T1573Encrypted ChannelEvidence1

data security is enforced using AES encryption, where raw data is encrypted with a shared key and fixed IV via CryptoStream, ensuring secure communication during transmission.

T1665Hide InfrastructureEvidence1

By running their malicious traffic through the government's own sovereign infrastructure, on a website situated next to more than 200 legitimate government and education sites, the hackers were able to blend their malicious traffic with proper state business.

Other

1 technique

T1562.001Disable or Modify ToolsEvidence1

In Donut loaders, the shellcode bypass security mechanisms by patching functions such as AmsiScanBuffer() to disable AMSI scanning.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Other

1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

uri●●●●●●●●●●●●View more in app2 months ago

ACTIVITY FEED

Recent activity

21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

21 SOURCESView more in app

dark readingNews

Jun 4, 2026

Pakistan Spies on Afghan Finance Ministry With Xeno RAT

An open-source remote access trojan and stealer used in this campaign for espionage, customized with a hardcoded C2 domain.

dark readingNews

Jun 4, 2026

Rust-Written IronWorm Hits NPM Supply Chain

Related:Pakistan Spies on Afghan Finance Ministry With Xeno RAT

scworldNews

Jun 2, 2026

SideCopy group targets Afghanistan’s Ministry of Finance with Xeno RAT | brief | SC Media

Open-source remote access trojan used in a spear-phishing campaign. It enables remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture.

the hacker newsNews

Jun 2, 2026

Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT

An open-source remote access trojan used in spear-phishing campaigns. In this campaign it was dropped via a DLL-based loader and established registry-based persistence while enabling remote command handling, DLL module execution, scheduled task launch, antivirus discovery, SOCKS5 tunneling, file operations, keylogging, screenshots, clipboard monitoring, webcam/microphone tracking, persistence removal, and self-uninstall.

+17 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution5

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping30

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.