{ "type": "SHA256", "indicator": "194b912c242604d6f9a79369f22338c58a13ce0cc2ed280ce505075808bc2f14", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "194b912c242604d6f9a79369f22338c58a13ce0cc2ed280ce505075808bc2f14", "validation": [], "base_indicator": { "id": 4386409679, "indicator": "2f7f6347c4b1a24ce18ccc4d5f2ff88c0ca29a9b", "type": "FileHash-SHA1", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a196f2fd88de848b913e4da", "name": "Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan", "description": "SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.", "modified": "2026-05-29T12:33:27.766000", "created": "2026-05-29T10:49:19.726000", "tags": [ "sidecopy", "xenorat", "transparent tribe", "apt36", "pashto lure", "provincial targeting", "spear phishing", "multi-stage loader", "afghanistan ministry of finance", "hta payload" ], "references": [ "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/" ], "public": 1, "adversary": "SideCopy", "targeted_countries": [ "Afghanistan" ], "malware_families": [ { "id": "XenoRAT", "display_name": "XenoRAT", "target": null } ], "attack_ids": [], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "IPv4": 2, "domain": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1af0e3d0cae2ea8e96f221", "name": "Unknown | May 31, 2026", "description": "Unknown indicators. Date: May 31, 2026. Total: 308 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-30T14:14:59.656000", "created": "2026-05-30T14:14:59.656000", "tags": [ "unknown" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 308 }, "indicator_count": 308, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "5 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1af08a9ca86cfcdb032b2f", "name": "Malicious_File | May 31, 2026", "description": "Malicious_File indicators. Date: May 31, 2026. Total: 498 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-30T14:13:30.440000", "created": "2026-05-30T14:13:30.440000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 498 }, "indicator_count": 498, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "5 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a199f5a004561d844afbcca", "name": "Unknown | May 30, 2026", "description": "Unknown indicators. Date: May 30, 2026. Total: 370 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-29T14:14:50.161000", "created": "2026-05-29T14:14:50.161000", "tags": [ "unknown" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 370 }, "indicator_count": 370, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a199f037a9944e08910e856", "name": "Malicious_File | May 30, 2026", "description": "Malicious_File indicators. Date: May 30, 2026. Total: 895 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-29T14:13:23.267000", "created": "2026-05-29T14:13:23.267000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 895 }, "indicator_count": 895, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/", "https://ltna.com.au/cyber" ], "related": { "alienvault": { "adversary": [ "SideCopy" ], "malware_families": [ "Xenorat" ], "industries": [ "Finance", "Government" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a196f2fd88de848b913e4da", "name": "Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan", "description": "SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.", "modified": "2026-05-29T12:33:27.766000", "created": "2026-05-29T10:49:19.726000", "tags": [ "sidecopy", "xenorat", "transparent tribe", "apt36", "pashto lure", "provincial targeting", "spear phishing", "multi-stage loader", "afghanistan ministry of finance", "hta payload" ], "references": [ "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/" ], "public": 1, "adversary": "SideCopy", "targeted_countries": [ "Afghanistan" ], "malware_families": [ { "id": "XenoRAT", "display_name": "XenoRAT", "target": null } ], "attack_ids": [], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "IPv4": 2, "domain": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1af0e3d0cae2ea8e96f221", "name": "Unknown | May 31, 2026", "description": "Unknown indicators. Date: May 31, 2026. Total: 308 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-30T14:14:59.656000", "created": "2026-05-30T14:14:59.656000", "tags": [ "unknown" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 308 }, "indicator_count": 308, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "5 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1af08a9ca86cfcdb032b2f", "name": "Malicious_File | May 31, 2026", "description": "Malicious_File indicators. Date: May 31, 2026. Total: 498 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-30T14:13:30.440000", "created": "2026-05-30T14:13:30.440000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 498 }, "indicator_count": 498, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "5 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a199f5a004561d844afbcca", "name": "Unknown | May 30, 2026", "description": "Unknown indicators. Date: May 30, 2026. Total: 370 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-29T14:14:50.161000", "created": "2026-05-29T14:14:50.161000", "tags": [ "unknown" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 370 }, "indicator_count": 370, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a199f037a9944e08910e856", "name": "Malicious_File | May 30, 2026", "description": "Malicious_File indicators. Date: May 30, 2026. Total: 895 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-29T14:13:23.267000", "created": "2026-05-29T14:13:23.267000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 895 }, "indicator_count": 895, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "194b912c242604d6f9a79369f22338c58a13ce0cc2ed280ce505075808bc2f14", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "194b912c242604d6f9a79369f22338c58a13ce0cc2ed280ce505075808bc2f14", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170003.0068524 }