{ "type": "SHA256", "indicator": "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d", "validation": [], "base_indicator": { "id": 4386409682, "indicator": "e8acf19c73cf8ca19de75183469e917bf7371961", "type": "FileHash-SHA1", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a196f2fd88de848b913e4da", "name": "Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan", "description": "SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.", "modified": "2026-05-29T12:33:27.766000", "created": "2026-05-29T10:49:19.726000", "tags": [ "sidecopy", "xenorat", "transparent tribe", "apt36", "pashto lure", "provincial targeting", "spear phishing", "multi-stage loader", "afghanistan ministry of finance", "hta payload" ], "references": [ "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/" ], "public": 1, "adversary": "SideCopy", "targeted_countries": [ "Afghanistan" ], "malware_families": [ { "id": "XenoRAT", "display_name": "XenoRAT", "target": null } ], "attack_ids": [], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "IPv4": 2, "domain": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1307d4029f6780d5d47e90", "name": "Unknown | May 25, 2026", "description": "Unknown indicators. Date: May 25, 2026. Total: 298 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-24T14:14:43.940000", "created": "2026-05-24T14:14:43.940000", "tags": [ "unknown" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 298 }, "indicator_count": 298, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a13077f2b8e2c33523dcaba", "name": "Malicious_File | May 25, 2026", "description": "Malicious_File indicators. Date: May 25, 2026. Total: 363 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-24T14:13:19.156000", "created": "2026-05-24T14:13:19.156000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 363 }, "indicator_count": 363, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/", "https://ltna.com.au/cyber" ], "related": { "alienvault": { "adversary": [ "SideCopy" ], "malware_families": [ "Xenorat" ], "industries": [ "Government", "Finance" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a196f2fd88de848b913e4da", "name": "Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan", "description": "SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.", "modified": "2026-05-29T12:33:27.766000", "created": "2026-05-29T10:49:19.726000", "tags": [ "sidecopy", "xenorat", "transparent tribe", "apt36", "pashto lure", "provincial targeting", "spear phishing", "multi-stage loader", "afghanistan ministry of finance", "hta payload" ], "references": [ "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/" ], "public": 1, "adversary": "SideCopy", "targeted_countries": [ "Afghanistan" ], "malware_families": [ { "id": "XenoRAT", "display_name": "XenoRAT", "target": null } ], "attack_ids": [], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "IPv4": 2, "domain": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1307d4029f6780d5d47e90", "name": "Unknown | May 25, 2026", "description": "Unknown indicators. Date: May 25, 2026. Total: 298 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-24T14:14:43.940000", "created": "2026-05-24T14:14:43.940000", "tags": [ "unknown" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 298 }, "indicator_count": 298, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a13077f2b8e2c33523dcaba", "name": "Malicious_File | May 25, 2026", "description": "Malicious_File indicators. Date: May 25, 2026. Total: 363 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-24T14:13:19.156000", "created": "2026-05-24T14:13:19.156000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 363 }, "indicator_count": 363, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170008.0709057 }