seqrite.2026.operation-xenofiscal-sidecopy-xenorat
Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2
IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsfile
spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel
file
د_هغو_کارکوونکو_لېست_چې_د_فکري_او_رواني_جګړې_سیمینار_ته_ورپېژندل_شوي_وو12.pdf.lnk
file
mshta.exe LOLBIN execution of remote HTA/PHP
domain
abimj.edu.af
url
http://abimj.edu.af/index.php
file
ugayt.hta initial HTA/JavaScript payload
file
WayBroad.dll Stage-1 .NET loader DLL
url
http://abimj.edu.af/institute/cloudiyaf/document.pdf
url
http://abimj.edu.af/institute/cloudiya/
file
zuidrt.hta persistent next-stage HTA payload
url
https://abimj.edu.af/institute/10/
url
https://abimj.edu.af/institute/7/
file
ayui.vmxx encrypted/compressed next-stage blob
file
ayhui.vmxx reconstructed shellcode container
file
Aotestpass.dll Stage-2 loader DLL and shellcode bridge
file
XenoRAT 1.8.7 final payload
ip
185.235.137.106
ip
103.132.98.224
ip
103.132.98.226
Relations
directed infrastructure edgese001referencese002
confirmed
e002executee003
confirmed
e003downloade005
confirmed
e004resolves-toe018
confirmed
e004resolves-toe019
confirmed
e005dropse006
confirmed
e006executee007
likely
e007downloade008
confirmed
e007downloade009
confirmed
e009dropse010
confirmed
e010executee015
likely
e015downloade011
confirmed
e015downloade012
confirmed
e011dropse013
confirmed
e012dropse013
confirmed
e013dropse014
confirmed
e014executee016
confirmed
e016connecte017
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
file | spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel |
Seqrite states the campaign starts with a ZIP archive delivered through spear phishing and targeting Afghanistan Ministry of Finance and provincial Mustoufiats. SHA-256: 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14 |
e002 |
file | د_هغو_کارکوونکو_لېست_چې_د_فکري_او_رواني_جګړې_سیمینار_ته_ورپېژندل_شوي_وو12.pdf.lnk |
Seqrite identifies the Pashto malicious LNK file and translates the title as a list of employees introduced to the intellectual and psychological warfare seminar. SHA-256: 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01 |
e003 |
file | mshta.exe LOLBIN execution of remote HTA/PHP |
Seqrite states the LNK launches C:\Windows\System32\mshta.exe and points it to a remote malicious PHP resource hosted on abimj.edu.af/index.php. Modeled as staging because it is the execution bridge to attacker-hosted HTA content, not attacker-controlled infrastructure itself. |
e004 |
domain | abimj.edu.af |
Seqrite describes abimj.edu.af as the delivery domain and says it resolved to 103.132.98.224 and 103.132.98.226. Seqrite assesses this as delivery staged inside Afghan sovereign government/education infrastructure. |
e005 |
url | http://abimj.edu.af/index.php |
Seqrite states the LNK command points mshta.exe to a remote malicious PHP resource at hxxp[:]//abimj.edu.af/index.php. The resource contains heavily obfuscated HTA/JavaScript loader content. |
e006 |
file | ugayt.hta initial HTA/JavaScript payload |
Seqrite lists ugayt.hta in the IOC table and describes the remote PHP/HTA payload as obfuscated JavaScript with Base64 and .NET deserialization staging. SHA-256: A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67 |
e007 |
file | WayBroad.dll Stage-1 .NET loader DLL |
Seqrite describes a Stage-1 .NET loader DLL responsible for next-stage payload execution, persistence, and in-memory staging. WayBroad.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash. SHA-256: 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A |
e008 |
url | http://abimj.edu.af/institute/cloudiyaf/document.pdf |
Seqrite states the Stage-1 loader downloads and opens the decoy PDF from hxxp[:]//abimj.edu.af/institute/cloudiyaf/document.pdf. SHA-256 for decoy PDF: DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB |
e009 |
url | http://abimj.edu.af/institute/cloudiya/ |
Seqrite states CopyExeToUsersPublic downloads the encoded next-stage HTA payload from hxxp[:]//abimj.edu.af/institute/cloudiya/. The downloaded payload is decompressed and decoded into zuidrt.hta. |
e010 |
file | zuidrt.hta persistent next-stage HTA payload |
Seqrite states the loader reconstructs zuidrt.hta under C:\Users\Public\USOShared-1de48789-1285 and persists it through a Run key value named Edgre. SHA-256: 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D |
e011 |
url | https://abimj.edu.af/institute/10/ |
Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/10/ for next-stage payload retrieval. The endpoint is selected dynamically based on victim OS version. |
e012 |
url | https://abimj.edu.af/institute/7/ |
Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/7/ as an alternate payload location for Windows 7 compatibility. The endpoint is selected dynamically based on victim OS version. |
e013 |
file | ayui.vmxx encrypted/compressed next-stage blob |
Seqrite states the Stage-2 DLL downloads the encrypted payload and stores it locally as ayui.vmxx. The file contains Base64-encoded and GZIP-compressed data used to reconstruct shellcode. |
e014 |
file | ayhui.vmxx reconstructed shellcode container |
Seqrite states the fully reconstructed payload is written locally as ayhui.vmxx before shellcode execution. This file is an intermediate shellcode container rather than a standalone published IOC hash in the text. |
e015 |
file | Aotestpass.dll Stage-2 loader DLL and shellcode bridge |
Seqrite describes a Stage-2 .NET loader DLL responsible for retrieving, decoding, decompressing, and executing the next-stage payload entirely in memory. Aotestpass.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash. SHA-256: 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772 |
e016 |
file | XenoRAT 1.8.7 final payload |
Seqrite identifies XenoRAT as the final payload, an open-source RAT with encrypted TCP C2, surveillance, file management, proxying, and persistence capabilities. SHA-256: 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14 |
e017 |
ip | 185.235.137.106 |
Seqrite states XenoRAT initializes a secure C2 channel using hardcoded IP 185.235.137.106. Seqrite says the host is on AS59711 HZ Hosting Ltd, a Bulgaria-registered provider with Frankfurt physical presence. |
e018 |
ip | 103.132.98.224 |
Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology. |
e019 |
ip | 103.132.98.226 |
Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology. |
ATT&CK annotations
optional complementary mappingRaw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "seqrite.2026.operation-xenofiscal-sidecopy-xenorat",
"title": "Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2",
"description": "IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.",
"actor_id": "SideCopy",
"observed_at": "2026-05-29T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"entities": [
{
"id": "e001",
"type": "file",
"value": "spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the campaign starts with a ZIP archive delivered through spear phishing and targeting Afghanistan Ministry of Finance and provincial Mustoufiats.",
"SHA-256: 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14"
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e002",
"type": "file",
"value": "د_هغو_کارکوونکو_لېست_چې_د_فکري_او_رواني_جګړې_سیمینار_ته_ورپېژندل_شوي_وو12.pdf.lnk",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite identifies the Pashto malicious LNK file and translates the title as a list of employees introduced to the intellectual and psychological warfare seminar.",
"SHA-256: 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01"
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e003",
"type": "file",
"value": "mshta.exe LOLBIN execution of remote HTA/PHP",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the LNK launches C:\\Windows\\System32\\mshta.exe and points it to a remote malicious PHP resource hosted on abimj.edu.af/index.php.",
"Modeled as staging because it is the execution bridge to attacker-hosted HTA content, not attacker-controlled infrastructure itself."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e004",
"type": "domain",
"value": "abimj.edu.af",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite describes abimj.edu.af as the delivery domain and says it resolved to 103.132.98.224 and 103.132.98.226.",
"Seqrite assesses this as delivery staged inside Afghan sovereign government/education infrastructure."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e005",
"type": "url",
"value": "http://abimj.edu.af/index.php",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the LNK command points mshta.exe to a remote malicious PHP resource at hxxp[:]//abimj.edu.af/index.php.",
"The resource contains heavily obfuscated HTA/JavaScript loader content."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e006",
"type": "file",
"value": "ugayt.hta initial HTA/JavaScript payload",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite lists ugayt.hta in the IOC table and describes the remote PHP/HTA payload as obfuscated JavaScript with Base64 and .NET deserialization staging.",
"SHA-256: A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67"
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e007",
"type": "file",
"value": "WayBroad.dll Stage-1 .NET loader DLL",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite describes a Stage-1 .NET loader DLL responsible for next-stage payload execution, persistence, and in-memory staging.",
"WayBroad.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash.",
"SHA-256: 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A"
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/",
"x_mapping_confidence": "likely"
},
{
"id": "e008",
"type": "url",
"value": "http://abimj.edu.af/institute/cloudiyaf/document.pdf",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the Stage-1 loader downloads and opens the decoy PDF from hxxp[:]//abimj.edu.af/institute/cloudiyaf/document.pdf.",
"SHA-256 for decoy PDF: DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB"
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e009",
"type": "url",
"value": "http://abimj.edu.af/institute/cloudiya/",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states CopyExeToUsersPublic downloads the encoded next-stage HTA payload from hxxp[:]//abimj.edu.af/institute/cloudiya/.",
"The downloaded payload is decompressed and decoded into zuidrt.hta."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e010",
"type": "file",
"value": "zuidrt.hta persistent next-stage HTA payload",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the loader reconstructs zuidrt.hta under C:\\Users\\Public\\USOShared-1de48789-1285 and persists it through a Run key value named Edgre.",
"SHA-256: 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D"
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e011",
"type": "url",
"value": "https://abimj.edu.af/institute/10/",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/10/ for next-stage payload retrieval.",
"The endpoint is selected dynamically based on victim OS version."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e012",
"type": "url",
"value": "https://abimj.edu.af/institute/7/",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/7/ as an alternate payload location for Windows 7 compatibility.",
"The endpoint is selected dynamically based on victim OS version."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e013",
"type": "file",
"value": "ayui.vmxx encrypted/compressed next-stage blob",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the Stage-2 DLL downloads the encrypted payload and stores it locally as ayui.vmxx.",
"The file contains Base64-encoded and GZIP-compressed data used to reconstruct shellcode."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e014",
"type": "file",
"value": "ayhui.vmxx reconstructed shellcode container",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states the fully reconstructed payload is written locally as ayhui.vmxx before shellcode execution.",
"This file is an intermediate shellcode container rather than a standalone published IOC hash in the text."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e015",
"type": "file",
"value": "Aotestpass.dll Stage-2 loader DLL and shellcode bridge",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite describes a Stage-2 .NET loader DLL responsible for retrieving, decoding, decompressing, and executing the next-stage payload entirely in memory.",
"Aotestpass.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash.",
"SHA-256: 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772"
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/",
"x_mapping_confidence": "likely"
},
{
"id": "e016",
"type": "file",
"value": "XenoRAT 1.8.7 final payload",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite identifies XenoRAT as the final payload, an open-source RAT with encrypted TCP C2, surveillance, file management, proxying, and persistence capabilities.",
"SHA-256: 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14"
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e017",
"type": "ip",
"value": "185.235.137.106",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states XenoRAT initializes a secure C2 channel using hardcoded IP 185.235.137.106.",
"Seqrite says the host is on AS59711 HZ Hosting Ltd, a Bulgaria-registered provider with Frankfurt physical presence."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e018",
"type": "ip",
"value": "103.132.98.224",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
},
{
"id": "e019",
"type": "ip",
"value": "103.132.98.226",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
"evidence": [
"Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology."
],
"x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [
"IIM-T024"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e002",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e003",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e004",
"role": "staging",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e005",
"role": "staging",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e006",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e007",
"role": "staging",
"techniques": [],
"role_confidence": "likely",
"needs_review": false,
"review_notes": "Filename-to-stage mapping is inferred from Seqrite text plus IOC table."
},
{
"entity_id": "e008",
"role": "staging",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e009",
"role": "staging",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e010",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e011",
"role": "staging",
"techniques": [
"IIM-T004",
"IIM-T021"
],
"role_confidence": "confirmed",
"technique_confidence": "likely",
"review_notes": "OS-version based endpoint selection is a client/request-context gate; modeled as likely request/client gating."
},
{
"entity_id": "e012",
"role": "staging",
"techniques": [
"IIM-T004",
"IIM-T021"
],
"role_confidence": "confirmed",
"technique_confidence": "likely",
"review_notes": "Alternate Windows 7 endpoint; modeled as likely request/client gating."
},
{
"entity_id": "e013",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e014",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e015",
"role": "payload",
"techniques": [],
"role_confidence": "likely",
"needs_review": false,
"review_notes": "Filename-to-stage mapping is inferred from Seqrite text plus IOC table."
},
{
"entity_id": "e016",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e017",
"role": "c2",
"techniques": [
"IIM-T003"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e018",
"role": "staging",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e019",
"role": "staging",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
}
],
"relations": [
{
"from": "e001",
"to": "e002",
"type": "references",
"sequence_order": 1,
"confidence": "confirmed",
"x_evidence": "Seqrite states the ZIP contains the Pashto malicious LNK."
},
{
"from": "e002",
"to": "e003",
"type": "execute",
"sequence_order": 2,
"confidence": "confirmed",
"x_evidence": "The LNK launches mshta.exe from C:\\Windows\\System32."
},
{
"from": "e003",
"to": "e005",
"type": "download",
"sequence_order": 3,
"confidence": "confirmed",
"x_evidence": "mshta.exe points to the remote malicious PHP resource at abimj.edu.af/index.php."
},
{
"from": "e004",
"to": "e018",
"type": "resolves-to",
"sequence_order": 4,
"confidence": "confirmed",
"x_evidence": "Seqrite states abimj.edu.af resolved to 103.132.98.224."
},
{
"from": "e004",
"to": "e019",
"type": "resolves-to",
"sequence_order": 5,
"confidence": "confirmed",
"x_evidence": "Seqrite states abimj.edu.af resolved to 103.132.98.226."
},
{
"from": "e005",
"to": "e006",
"type": "drops",
"sequence_order": 6,
"confidence": "confirmed",
"x_evidence": "The remote PHP/HTA resource contains the obfuscated initial HTA/JavaScript payload; ugayt.hta is listed as an IOC."
},
{
"from": "e006",
"to": "e007",
"type": "execute",
"sequence_order": 7,
"confidence": "likely",
"x_evidence": "Seqrite describes the HTA/JavaScript as reconstructing and executing a .NET loader DLL in memory; filename mapping to WayBroad.dll is inferred from the IOC table."
},
{
"from": "e007",
"to": "e008",
"type": "download",
"sequence_order": 8,
"confidence": "confirmed",
"x_evidence": "Stage-1 loader downloads decoy PDF from /institute/cloudiyaf/document.pdf."
},
{
"from": "e007",
"to": "e009",
"type": "download",
"sequence_order": 9,
"confidence": "confirmed",
"x_evidence": "Stage-1 loader downloads the encoded HTA payload from /institute/cloudiya/."
},
{
"from": "e009",
"to": "e010",
"type": "drops",
"sequence_order": 10,
"confidence": "confirmed",
"x_evidence": "The downloaded payload is decoded/decompressed and reconstructed as zuidrt.hta under C:\\Users\\Public\\USOShared-1de48789-1285."
},
{
"from": "e010",
"to": "e015",
"type": "execute",
"sequence_order": 11,
"confidence": "likely",
"x_evidence": "zuidrt.hta reconstructs the embedded Stage-2 loader DLL in memory; filename mapping to Aotestpass.dll is inferred from the IOC table."
},
{
"from": "e015",
"to": "e011",
"type": "download",
"sequence_order": 12,
"confidence": "confirmed",
"x_evidence": "Stage-2 loader contains hardcoded URL /institute/10/ for next-stage payload retrieval."
},
{
"from": "e015",
"to": "e012",
"type": "download",
"sequence_order": 13,
"confidence": "confirmed",
"x_evidence": "Stage-2 loader contains hardcoded alternate URL /institute/7/ for Windows 7 compatibility."
},
{
"from": "e011",
"to": "e013",
"type": "drops",
"sequence_order": 14,
"confidence": "confirmed",
"x_evidence": "The downloaded payload is stored locally as ayui.vmxx."
},
{
"from": "e012",
"to": "e013",
"type": "drops",
"sequence_order": 15,
"confidence": "confirmed",
"x_evidence": "The alternate endpoint also serves the payload stored as ayui.vmxx."
},
{
"from": "e013",
"to": "e014",
"type": "drops",
"sequence_order": 16,
"confidence": "confirmed",
"x_evidence": "ayui.vmxx is decoded/decompressed and written as ayhui.vmxx prior to shellcode execution."
},
{
"from": "e014",
"to": "e016",
"type": "execute",
"sequence_order": 17,
"confidence": "confirmed",
"x_evidence": "The reconstructed shellcode initializes CLR and loads the final XenoRAT payload in memory."
},
{
"from": "e016",
"to": "e017",
"type": "connect",
"sequence_order": 18,
"confidence": "confirmed",
"x_evidence": "Seqrite states XenoRAT uses hardcoded IP 185.235.137.106 for secure C2 communication."
}
],
"attack_annotations": [
{
"technique_id": "T1566.001",
"name": "Spearphishing Attachment",
"tactic": "Initial Access"
},
{
"technique_id": "T1218.005",
"name": "Mshta",
"tactic": "Defense Evasion"
},
{
"technique_id": "T1059.007",
"name": "JavaScript",
"tactic": "Execution"
},
{
"technique_id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"tactic": "Persistence"
},
{
"technique_id": "T1053.005",
"name": "Scheduled Task",
"tactic": "Persistence"
},
{
"technique_id": "T1620",
"name": "Reflective Code Loading",
"tactic": "Defense Evasion"
},
{
"technique_id": "T1071.001",
"name": "Application Layer Protocol: Web Protocols",
"tactic": "Command and Control"
},
{
"technique_id": "T1573",
"name": "Encrypted Channel",
"tactic": "Command and Control"
},
{
"technique_id": "T1090.002",
"name": "Proxy: External Proxy",
"tactic": "Command and Control"
},
{
"technique_id": "T1113",
"name": "Screen Capture",
"tactic": "Collection"
},
{
"technique_id": "T1056.001",
"name": "Keylogging",
"tactic": "Collection"
}
],
"x_source": "Seqrite Labs",
"x_source_urls": [
"https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
],
"x_resource_links_verified": true,
"x_iocs": {
"sha256": [
"194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14",
"3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01",
"DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB",
"A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67",
"5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45",
"99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D",
"8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A",
"0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772",
"9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14"
],
"domains": [
"abimj.edu.af"
],
"ips": [
"103.132.98.224",
"103.132.98.226",
"185.235.137.106"
],
"urls": [
"http://abimj.edu.af/index.php",
"http://abimj.edu.af/institute/cloudiyaf/document.pdf",
"http://abimj.edu.af/institute/cloudiya/",
"https://abimj.edu.af/institute/10/",
"https://abimj.edu.af/institute/7/"
]
},
"x_limitations": [
"Seqrite publishes the delivery domain, IPs, payload paths, hashes, and XenoRAT C2 IP, but does not publish the original sender, mail headers, or actor-registered throwaway domain names mentioned as clusters on 185.235.137.106.",
"WayBroad.dll and Aotestpass.dll are mapped to Stage-1/Stage-2 loader roles with likely confidence based on the narrative plus IOC table rather than an explicit filename-to-stage sentence.",
"Endpoint behavior such as Registry Run persistence, AMSI bypass, CLR initialization, screen capture, keylogging, and self-deletion is captured via ATT&CK/evidence, not IIM techniques."
],
"x_selection_reason": "Strong IIM fit: spearphishing ZIP, compromised Afghan education/government-adjacent delivery infrastructure, multi-stage HTA/.NET payload staging, OS-aware payload endpoint selection, and separated European C2 hosting.",
"x_publication_safety": "Published as TLP:CLEAR-style OSINT chain derived only from public Seqrite reporting.",
"x_source_title": "Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan",
"x_source_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
}