{
  "iim_version": "1.1",
  "chain_id": "seqrite.2026.operation-xenofiscal-sidecopy-xenorat",
  "title": "Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2",
  "description": "IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.",
  "actor_id": "SideCopy",
  "observed_at": "2026-05-29T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the campaign starts with a ZIP archive delivered through spear phishing and targeting Afghanistan Ministry of Finance and provincial Mustoufiats.",
        "SHA-256: 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e002",
      "type": "file",
      "value": "د_هغو_کارکوونکو_لېست_چې_د_فکري_او_رواني_جګړې_سیمینار_ته_ورپېژندل_شوي_وو12.pdf.lnk",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite identifies the Pashto malicious LNK file and translates the title as a list of employees introduced to the intellectual and psychological warfare seminar.",
        "SHA-256: 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e003",
      "type": "file",
      "value": "mshta.exe LOLBIN execution of remote HTA/PHP",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the LNK launches C:\\Windows\\System32\\mshta.exe and points it to a remote malicious PHP resource hosted on abimj.edu.af/index.php.",
        "Modeled as staging because it is the execution bridge to attacker-hosted HTA content, not attacker-controlled infrastructure itself."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e004",
      "type": "domain",
      "value": "abimj.edu.af",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite describes abimj.edu.af as the delivery domain and says it resolved to 103.132.98.224 and 103.132.98.226.",
        "Seqrite assesses this as delivery staged inside Afghan sovereign government/education infrastructure."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e005",
      "type": "url",
      "value": "http://abimj.edu.af/index.php",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the LNK command points mshta.exe to a remote malicious PHP resource at hxxp[:]//abimj.edu.af/index.php.",
        "The resource contains heavily obfuscated HTA/JavaScript loader content."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "ugayt.hta initial HTA/JavaScript payload",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite lists ugayt.hta in the IOC table and describes the remote PHP/HTA payload as obfuscated JavaScript with Base64 and .NET deserialization staging.",
        "SHA-256: A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "WayBroad.dll Stage-1 .NET loader DLL",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite describes a Stage-1 .NET loader DLL responsible for next-stage payload execution, persistence, and in-memory staging.",
        "WayBroad.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash.",
        "SHA-256: 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/",
      "x_mapping_confidence": "likely"
    },
    {
      "id": "e008",
      "type": "url",
      "value": "http://abimj.edu.af/institute/cloudiyaf/document.pdf",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the Stage-1 loader downloads and opens the decoy PDF from hxxp[:]//abimj.edu.af/institute/cloudiyaf/document.pdf.",
        "SHA-256 for decoy PDF: DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e009",
      "type": "url",
      "value": "http://abimj.edu.af/institute/cloudiya/",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states CopyExeToUsersPublic downloads the encoded next-stage HTA payload from hxxp[:]//abimj.edu.af/institute/cloudiya/.",
        "The downloaded payload is decompressed and decoded into zuidrt.hta."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e010",
      "type": "file",
      "value": "zuidrt.hta persistent next-stage HTA payload",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the loader reconstructs zuidrt.hta under C:\\Users\\Public\\USOShared-1de48789-1285 and persists it through a Run key value named Edgre.",
        "SHA-256: 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e011",
      "type": "url",
      "value": "https://abimj.edu.af/institute/10/",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/10/ for next-stage payload retrieval.",
        "The endpoint is selected dynamically based on victim OS version."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e012",
      "type": "url",
      "value": "https://abimj.edu.af/institute/7/",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/7/ as an alternate payload location for Windows 7 compatibility.",
        "The endpoint is selected dynamically based on victim OS version."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e013",
      "type": "file",
      "value": "ayui.vmxx encrypted/compressed next-stage blob",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the Stage-2 DLL downloads the encrypted payload and stores it locally as ayui.vmxx.",
        "The file contains Base64-encoded and GZIP-compressed data used to reconstruct shellcode."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e014",
      "type": "file",
      "value": "ayhui.vmxx reconstructed shellcode container",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the fully reconstructed payload is written locally as ayhui.vmxx before shellcode execution.",
        "This file is an intermediate shellcode container rather than a standalone published IOC hash in the text."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e015",
      "type": "file",
      "value": "Aotestpass.dll Stage-2 loader DLL and shellcode bridge",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite describes a Stage-2 .NET loader DLL responsible for retrieving, decoding, decompressing, and executing the next-stage payload entirely in memory.",
        "Aotestpass.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash.",
        "SHA-256: 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/",
      "x_mapping_confidence": "likely"
    },
    {
      "id": "e016",
      "type": "file",
      "value": "XenoRAT 1.8.7 final payload",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite identifies XenoRAT as the final payload, an open-source RAT with encrypted TCP C2, surveillance, file management, proxying, and persistence capabilities.",
        "SHA-256: 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e017",
      "type": "ip",
      "value": "185.235.137.106",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states XenoRAT initializes a secure C2 channel using hardcoded IP 185.235.137.106.",
        "Seqrite says the host is on AS59711 HZ Hosting Ltd, a Bulgaria-registered provider with Frankfurt physical presence."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e018",
      "type": "ip",
      "value": "103.132.98.224",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e019",
      "type": "ip",
      "value": "103.132.98.226",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "techniques": [],
      "role_confidence": "likely",
      "needs_review": false,
      "review_notes": "Filename-to-stage mapping is inferred from Seqrite text plus IOC table."
    },
    {
      "entity_id": "e008",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e009",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e010",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e011",
      "role": "staging",
      "techniques": [
        "IIM-T004",
        "IIM-T021"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "OS-version based endpoint selection is a client/request-context gate; modeled as likely request/client gating."
    },
    {
      "entity_id": "e012",
      "role": "staging",
      "techniques": [
        "IIM-T004",
        "IIM-T021"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "Alternate Windows 7 endpoint; modeled as likely request/client gating."
    },
    {
      "entity_id": "e013",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e014",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e015",
      "role": "payload",
      "techniques": [],
      "role_confidence": "likely",
      "needs_review": false,
      "review_notes": "Filename-to-stage mapping is inferred from Seqrite text plus IOC table."
    },
    {
      "entity_id": "e016",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e017",
      "role": "c2",
      "techniques": [
        "IIM-T003"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e018",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e019",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "references",
      "sequence_order": 1,
      "confidence": "confirmed",
      "x_evidence": "Seqrite states the ZIP contains the Pashto malicious LNK."
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "execute",
      "sequence_order": 2,
      "confidence": "confirmed",
      "x_evidence": "The LNK launches mshta.exe from C:\\Windows\\System32."
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "download",
      "sequence_order": 3,
      "confidence": "confirmed",
      "x_evidence": "mshta.exe points to the remote malicious PHP resource at abimj.edu.af/index.php."
    },
    {
      "from": "e004",
      "to": "e018",
      "type": "resolves-to",
      "sequence_order": 4,
      "confidence": "confirmed",
      "x_evidence": "Seqrite states abimj.edu.af resolved to 103.132.98.224."
    },
    {
      "from": "e004",
      "to": "e019",
      "type": "resolves-to",
      "sequence_order": 5,
      "confidence": "confirmed",
      "x_evidence": "Seqrite states abimj.edu.af resolved to 103.132.98.226."
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "drops",
      "sequence_order": 6,
      "confidence": "confirmed",
      "x_evidence": "The remote PHP/HTA resource contains the obfuscated initial HTA/JavaScript payload; ugayt.hta is listed as an IOC."
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "execute",
      "sequence_order": 7,
      "confidence": "likely",
      "x_evidence": "Seqrite describes the HTA/JavaScript as reconstructing and executing a .NET loader DLL in memory; filename mapping to WayBroad.dll is inferred from the IOC table."
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "download",
      "sequence_order": 8,
      "confidence": "confirmed",
      "x_evidence": "Stage-1 loader downloads decoy PDF from /institute/cloudiyaf/document.pdf."
    },
    {
      "from": "e007",
      "to": "e009",
      "type": "download",
      "sequence_order": 9,
      "confidence": "confirmed",
      "x_evidence": "Stage-1 loader downloads the encoded HTA payload from /institute/cloudiya/."
    },
    {
      "from": "e009",
      "to": "e010",
      "type": "drops",
      "sequence_order": 10,
      "confidence": "confirmed",
      "x_evidence": "The downloaded payload is decoded/decompressed and reconstructed as zuidrt.hta under C:\\Users\\Public\\USOShared-1de48789-1285."
    },
    {
      "from": "e010",
      "to": "e015",
      "type": "execute",
      "sequence_order": 11,
      "confidence": "likely",
      "x_evidence": "zuidrt.hta reconstructs the embedded Stage-2 loader DLL in memory; filename mapping to Aotestpass.dll is inferred from the IOC table."
    },
    {
      "from": "e015",
      "to": "e011",
      "type": "download",
      "sequence_order": 12,
      "confidence": "confirmed",
      "x_evidence": "Stage-2 loader contains hardcoded URL /institute/10/ for next-stage payload retrieval."
    },
    {
      "from": "e015",
      "to": "e012",
      "type": "download",
      "sequence_order": 13,
      "confidence": "confirmed",
      "x_evidence": "Stage-2 loader contains hardcoded alternate URL /institute/7/ for Windows 7 compatibility."
    },
    {
      "from": "e011",
      "to": "e013",
      "type": "drops",
      "sequence_order": 14,
      "confidence": "confirmed",
      "x_evidence": "The downloaded payload is stored locally as ayui.vmxx."
    },
    {
      "from": "e012",
      "to": "e013",
      "type": "drops",
      "sequence_order": 15,
      "confidence": "confirmed",
      "x_evidence": "The alternate endpoint also serves the payload stored as ayui.vmxx."
    },
    {
      "from": "e013",
      "to": "e014",
      "type": "drops",
      "sequence_order": 16,
      "confidence": "confirmed",
      "x_evidence": "ayui.vmxx is decoded/decompressed and written as ayhui.vmxx prior to shellcode execution."
    },
    {
      "from": "e014",
      "to": "e016",
      "type": "execute",
      "sequence_order": 17,
      "confidence": "confirmed",
      "x_evidence": "The reconstructed shellcode initializes CLR and loads the final XenoRAT payload in memory."
    },
    {
      "from": "e016",
      "to": "e017",
      "type": "connect",
      "sequence_order": 18,
      "confidence": "confirmed",
      "x_evidence": "Seqrite states XenoRAT uses hardcoded IP 185.235.137.106 for secure C2 communication."
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Spearphishing Attachment",
      "tactic": "Initial Access"
    },
    {
      "technique_id": "T1218.005",
      "name": "Mshta",
      "tactic": "Defense Evasion"
    },
    {
      "technique_id": "T1059.007",
      "name": "JavaScript",
      "tactic": "Execution"
    },
    {
      "technique_id": "T1547.001",
      "name": "Registry Run Keys / Startup Folder",
      "tactic": "Persistence"
    },
    {
      "technique_id": "T1053.005",
      "name": "Scheduled Task",
      "tactic": "Persistence"
    },
    {
      "technique_id": "T1620",
      "name": "Reflective Code Loading",
      "tactic": "Defense Evasion"
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control"
    },
    {
      "technique_id": "T1573",
      "name": "Encrypted Channel",
      "tactic": "Command and Control"
    },
    {
      "technique_id": "T1090.002",
      "name": "Proxy: External Proxy",
      "tactic": "Command and Control"
    },
    {
      "technique_id": "T1113",
      "name": "Screen Capture",
      "tactic": "Collection"
    },
    {
      "technique_id": "T1056.001",
      "name": "Keylogging",
      "tactic": "Collection"
    }
  ],
  "x_source": "Seqrite Labs",
  "x_source_urls": [
    "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
  ],
  "x_resource_links_verified": true,
  "x_iocs": {
    "sha256": [
      "194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14",
      "3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01",
      "DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB",
      "A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67",
      "5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45",
      "99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D",
      "8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A",
      "0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772",
      "9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14"
    ],
    "domains": [
      "abimj.edu.af"
    ],
    "ips": [
      "103.132.98.224",
      "103.132.98.226",
      "185.235.137.106"
    ],
    "urls": [
      "http://abimj.edu.af/index.php",
      "http://abimj.edu.af/institute/cloudiyaf/document.pdf",
      "http://abimj.edu.af/institute/cloudiya/",
      "https://abimj.edu.af/institute/10/",
      "https://abimj.edu.af/institute/7/"
    ]
  },
  "x_limitations": [
    "Seqrite publishes the delivery domain, IPs, payload paths, hashes, and XenoRAT C2 IP, but does not publish the original sender, mail headers, or actor-registered throwaway domain names mentioned as clusters on 185.235.137.106.",
    "WayBroad.dll and Aotestpass.dll are mapped to Stage-1/Stage-2 loader roles with likely confidence based on the narrative plus IOC table rather than an explicit filename-to-stage sentence.",
    "Endpoint behavior such as Registry Run persistence, AMSI bypass, CLR initialization, screen capture, keylogging, and self-deletion is captured via ATT&CK/evidence, not IIM techniques."
  ],
  "x_selection_reason": "Strong IIM fit: spearphishing ZIP, compromised Afghan education/government-adjacent delivery infrastructure, multi-stage HTA/.NET payload staging, OS-aware payload endpoint selection, and separated European C2 hosting.",
  "x_publication_safety": "Published as TLP:CLEAR-style OSINT chain derived only from public Seqrite reporting.",
  "x_source_title": "Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan",
  "x_source_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
}