← feed

seqrite.2026.operation-xenofiscal-sidecopy-xenorat

Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2

IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.

confirmed IIM v1.1 SideCopy
Raw JSON
entities19
relations18
techniques4
published2026-05-29 20:01:27

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

file

spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel

IIM-T024
2
entry

file

د_هغو_کارکوونکو_لېست_چې_د_فکري_او_رواني_جګړې_سیمینار_ته_ورپېژندل_شوي_وو12.pdf.lnk

3
staging

file

mshta.exe LOLBIN execution of remote HTA/PHP

4
staging

domain

abimj.edu.af

IIM-T004
5
staging

url

http://abimj.edu.af/index.php

IIM-T004
6
staging

file

ugayt.hta initial HTA/JavaScript payload

7
staging

file

WayBroad.dll Stage-1 .NET loader DLL

8
staging

url

http://abimj.edu.af/institute/cloudiyaf/document.pdf

IIM-T004
9
staging

url

http://abimj.edu.af/institute/cloudiya/

IIM-T004
10
staging

file

zuidrt.hta persistent next-stage HTA payload

11
staging

url

https://abimj.edu.af/institute/10/

IIM-T004IIM-T021
12
staging

url

https://abimj.edu.af/institute/7/

IIM-T004IIM-T021
13
staging

file

ayui.vmxx encrypted/compressed next-stage blob

14
payload

file

ayhui.vmxx reconstructed shellcode container

15
payload

file

Aotestpass.dll Stage-2 loader DLL and shellcode bridge

16
payload

file

XenoRAT 1.8.7 final payload

17
c2

ip

185.235.137.106

IIM-T003
18
staging

ip

103.132.98.224

IIM-T004
19
staging

ip

103.132.98.226

IIM-T004

Relations

directed infrastructure edges
e001referencese002 confirmed
e002executee003 confirmed
e003downloade005 confirmed
e004resolves-toe018 confirmed
e004resolves-toe019 confirmed
e005dropse006 confirmed
e006executee007 likely
e007downloade008 confirmed
e007downloade009 confirmed
e009dropse010 confirmed
e010executee015 likely
e015downloade011 confirmed
e015downloade012 confirmed
e011dropse013 confirmed
e012dropse013 confirmed
e013dropse014 confirmed
e014executee016 confirmed
e016connecte017 confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 file spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel
Seqrite states the campaign starts with a ZIP archive delivered through spear phishing and targeting Afghanistan Ministry of Finance and provincial Mustoufiats.
SHA-256: 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14
e002 file د_هغو_کارکوونکو_لېست_چې_د_فکري_او_رواني_جګړې_سیمینار_ته_ورپېژندل_شوي_وو12.pdf.lnk
Seqrite identifies the Pashto malicious LNK file and translates the title as a list of employees introduced to the intellectual and psychological warfare seminar.
SHA-256: 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01
e003 file mshta.exe LOLBIN execution of remote HTA/PHP
Seqrite states the LNK launches C:\Windows\System32\mshta.exe and points it to a remote malicious PHP resource hosted on abimj.edu.af/index.php.
Modeled as staging because it is the execution bridge to attacker-hosted HTA content, not attacker-controlled infrastructure itself.
e004 domain abimj.edu.af
Seqrite describes abimj.edu.af as the delivery domain and says it resolved to 103.132.98.224 and 103.132.98.226.
Seqrite assesses this as delivery staged inside Afghan sovereign government/education infrastructure.
e005 url http://abimj.edu.af/index.php
Seqrite states the LNK command points mshta.exe to a remote malicious PHP resource at hxxp[:]//abimj.edu.af/index.php.
The resource contains heavily obfuscated HTA/JavaScript loader content.
e006 file ugayt.hta initial HTA/JavaScript payload
Seqrite lists ugayt.hta in the IOC table and describes the remote PHP/HTA payload as obfuscated JavaScript with Base64 and .NET deserialization staging.
SHA-256: A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67
e007 file WayBroad.dll Stage-1 .NET loader DLL
Seqrite describes a Stage-1 .NET loader DLL responsible for next-stage payload execution, persistence, and in-memory staging.
WayBroad.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash.
SHA-256: 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A
e008 url http://abimj.edu.af/institute/cloudiyaf/document.pdf
Seqrite states the Stage-1 loader downloads and opens the decoy PDF from hxxp[:]//abimj.edu.af/institute/cloudiyaf/document.pdf.
SHA-256 for decoy PDF: DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB
e009 url http://abimj.edu.af/institute/cloudiya/
Seqrite states CopyExeToUsersPublic downloads the encoded next-stage HTA payload from hxxp[:]//abimj.edu.af/institute/cloudiya/.
The downloaded payload is decompressed and decoded into zuidrt.hta.
e010 file zuidrt.hta persistent next-stage HTA payload
Seqrite states the loader reconstructs zuidrt.hta under C:\Users\Public\USOShared-1de48789-1285 and persists it through a Run key value named Edgre.
SHA-256: 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D
e011 url https://abimj.edu.af/institute/10/
Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/10/ for next-stage payload retrieval.
The endpoint is selected dynamically based on victim OS version.
e012 url https://abimj.edu.af/institute/7/
Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/7/ as an alternate payload location for Windows 7 compatibility.
The endpoint is selected dynamically based on victim OS version.
e013 file ayui.vmxx encrypted/compressed next-stage blob
Seqrite states the Stage-2 DLL downloads the encrypted payload and stores it locally as ayui.vmxx.
The file contains Base64-encoded and GZIP-compressed data used to reconstruct shellcode.
e014 file ayhui.vmxx reconstructed shellcode container
Seqrite states the fully reconstructed payload is written locally as ayhui.vmxx before shellcode execution.
This file is an intermediate shellcode container rather than a standalone published IOC hash in the text.
e015 file Aotestpass.dll Stage-2 loader DLL and shellcode bridge
Seqrite describes a Stage-2 .NET loader DLL responsible for retrieving, decoding, decompressing, and executing the next-stage payload entirely in memory.
Aotestpass.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash.
SHA-256: 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772
e016 file XenoRAT 1.8.7 final payload
Seqrite identifies XenoRAT as the final payload, an open-source RAT with encrypted TCP C2, surveillance, file management, proxying, and persistence capabilities.
SHA-256: 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14
e017 ip 185.235.137.106
Seqrite states XenoRAT initializes a secure C2 channel using hardcoded IP 185.235.137.106.
Seqrite says the host is on AS59711 HZ Hosting Ltd, a Bulgaria-registered provider with Frankfurt physical presence.
e018 ip 103.132.98.224
Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology.
e019 ip 103.132.98.226
Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology.

ATT&CK annotations

optional complementary mapping
T1566.001Spearphishing Attachment

T1218.005Mshta

T1059.007JavaScript

T1547.001Registry Run Keys / Startup Folder

T1053.005Scheduled Task

T1620Reflective Code Loading

T1071.001Application Layer Protocol: Web Protocols

T1573Encrypted Channel

T1090.002Proxy: External Proxy

T1113Screen Capture

T1056.001Keylogging

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "seqrite.2026.operation-xenofiscal-sidecopy-xenorat",
  "title": "Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2",
  "description": "IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.",
  "actor_id": "SideCopy",
  "observed_at": "2026-05-29T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the campaign starts with a ZIP archive delivered through spear phishing and targeting Afghanistan Ministry of Finance and provincial Mustoufiats.",
        "SHA-256: 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e002",
      "type": "file",
      "value": "د_هغو_کارکوونکو_لېست_چې_د_فکري_او_رواني_جګړې_سیمینار_ته_ورپېژندل_شوي_وو12.pdf.lnk",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite identifies the Pashto malicious LNK file and translates the title as a list of employees introduced to the intellectual and psychological warfare seminar.",
        "SHA-256: 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e003",
      "type": "file",
      "value": "mshta.exe LOLBIN execution of remote HTA/PHP",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the LNK launches C:\\Windows\\System32\\mshta.exe and points it to a remote malicious PHP resource hosted on abimj.edu.af/index.php.",
        "Modeled as staging because it is the execution bridge to attacker-hosted HTA content, not attacker-controlled infrastructure itself."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e004",
      "type": "domain",
      "value": "abimj.edu.af",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite describes abimj.edu.af as the delivery domain and says it resolved to 103.132.98.224 and 103.132.98.226.",
        "Seqrite assesses this as delivery staged inside Afghan sovereign government/education infrastructure."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e005",
      "type": "url",
      "value": "http://abimj.edu.af/index.php",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the LNK command points mshta.exe to a remote malicious PHP resource at hxxp[:]//abimj.edu.af/index.php.",
        "The resource contains heavily obfuscated HTA/JavaScript loader content."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "ugayt.hta initial HTA/JavaScript payload",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite lists ugayt.hta in the IOC table and describes the remote PHP/HTA payload as obfuscated JavaScript with Base64 and .NET deserialization staging.",
        "SHA-256: A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "WayBroad.dll Stage-1 .NET loader DLL",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite describes a Stage-1 .NET loader DLL responsible for next-stage payload execution, persistence, and in-memory staging.",
        "WayBroad.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash.",
        "SHA-256: 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/",
      "x_mapping_confidence": "likely"
    },
    {
      "id": "e008",
      "type": "url",
      "value": "http://abimj.edu.af/institute/cloudiyaf/document.pdf",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the Stage-1 loader downloads and opens the decoy PDF from hxxp[:]//abimj.edu.af/institute/cloudiyaf/document.pdf.",
        "SHA-256 for decoy PDF: DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e009",
      "type": "url",
      "value": "http://abimj.edu.af/institute/cloudiya/",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states CopyExeToUsersPublic downloads the encoded next-stage HTA payload from hxxp[:]//abimj.edu.af/institute/cloudiya/.",
        "The downloaded payload is decompressed and decoded into zuidrt.hta."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e010",
      "type": "file",
      "value": "zuidrt.hta persistent next-stage HTA payload",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the loader reconstructs zuidrt.hta under C:\\Users\\Public\\USOShared-1de48789-1285 and persists it through a Run key value named Edgre.",
        "SHA-256: 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e011",
      "type": "url",
      "value": "https://abimj.edu.af/institute/10/",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/10/ for next-stage payload retrieval.",
        "The endpoint is selected dynamically based on victim OS version."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e012",
      "type": "url",
      "value": "https://abimj.edu.af/institute/7/",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the Stage-2 loader contains hardcoded URL hxxps[:]//abimj.edu.af/institute/7/ as an alternate payload location for Windows 7 compatibility.",
        "The endpoint is selected dynamically based on victim OS version."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e013",
      "type": "file",
      "value": "ayui.vmxx encrypted/compressed next-stage blob",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the Stage-2 DLL downloads the encrypted payload and stores it locally as ayui.vmxx.",
        "The file contains Base64-encoded and GZIP-compressed data used to reconstruct shellcode."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e014",
      "type": "file",
      "value": "ayhui.vmxx reconstructed shellcode container",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states the fully reconstructed payload is written locally as ayhui.vmxx before shellcode execution.",
        "This file is an intermediate shellcode container rather than a standalone published IOC hash in the text."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e015",
      "type": "file",
      "value": "Aotestpass.dll Stage-2 loader DLL and shellcode bridge",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite describes a Stage-2 .NET loader DLL responsible for retrieving, decoding, decompressing, and executing the next-stage payload entirely in memory.",
        "Aotestpass.dll is published in the IOC table. The stage-name mapping is modeled with likely confidence because the text names the stage function and the IOC table gives filename/hash.",
        "SHA-256: 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/",
      "x_mapping_confidence": "likely"
    },
    {
      "id": "e016",
      "type": "file",
      "value": "XenoRAT 1.8.7 final payload",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite identifies XenoRAT as the final payload, an open-source RAT with encrypted TCP C2, surveillance, file management, proxying, and persistence capabilities.",
        "SHA-256: 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14"
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e017",
      "type": "ip",
      "value": "185.235.137.106",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states XenoRAT initializes a secure C2 channel using hardcoded IP 185.235.137.106.",
        "Seqrite says the host is on AS59711 HZ Hosting Ltd, a Bulgaria-registered provider with Frankfurt physical presence."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e018",
      "type": "ip",
      "value": "103.132.98.224",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    },
    {
      "id": "e019",
      "type": "ip",
      "value": "103.132.98.226",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation XENOFISCAL, 2026-05-29",
      "evidence": [
        "Seqrite states delivery domain abimj.edu.af resolved to 103.132.98.224 and 103.132.98.226 within 103.132.98.0/23, attributed to AS58469 Afghan Ministry of Communication and Information Technology."
      ],
      "x_reference_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "techniques": [],
      "role_confidence": "likely",
      "needs_review": false,
      "review_notes": "Filename-to-stage mapping is inferred from Seqrite text plus IOC table."
    },
    {
      "entity_id": "e008",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e009",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e010",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e011",
      "role": "staging",
      "techniques": [
        "IIM-T004",
        "IIM-T021"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "OS-version based endpoint selection is a client/request-context gate; modeled as likely request/client gating."
    },
    {
      "entity_id": "e012",
      "role": "staging",
      "techniques": [
        "IIM-T004",
        "IIM-T021"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "Alternate Windows 7 endpoint; modeled as likely request/client gating."
    },
    {
      "entity_id": "e013",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e014",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e015",
      "role": "payload",
      "techniques": [],
      "role_confidence": "likely",
      "needs_review": false,
      "review_notes": "Filename-to-stage mapping is inferred from Seqrite text plus IOC table."
    },
    {
      "entity_id": "e016",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e017",
      "role": "c2",
      "techniques": [
        "IIM-T003"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e018",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e019",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "references",
      "sequence_order": 1,
      "confidence": "confirmed",
      "x_evidence": "Seqrite states the ZIP contains the Pashto malicious LNK."
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "execute",
      "sequence_order": 2,
      "confidence": "confirmed",
      "x_evidence": "The LNK launches mshta.exe from C:\\Windows\\System32."
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "download",
      "sequence_order": 3,
      "confidence": "confirmed",
      "x_evidence": "mshta.exe points to the remote malicious PHP resource at abimj.edu.af/index.php."
    },
    {
      "from": "e004",
      "to": "e018",
      "type": "resolves-to",
      "sequence_order": 4,
      "confidence": "confirmed",
      "x_evidence": "Seqrite states abimj.edu.af resolved to 103.132.98.224."
    },
    {
      "from": "e004",
      "to": "e019",
      "type": "resolves-to",
      "sequence_order": 5,
      "confidence": "confirmed",
      "x_evidence": "Seqrite states abimj.edu.af resolved to 103.132.98.226."
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "drops",
      "sequence_order": 6,
      "confidence": "confirmed",
      "x_evidence": "The remote PHP/HTA resource contains the obfuscated initial HTA/JavaScript payload; ugayt.hta is listed as an IOC."
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "execute",
      "sequence_order": 7,
      "confidence": "likely",
      "x_evidence": "Seqrite describes the HTA/JavaScript as reconstructing and executing a .NET loader DLL in memory; filename mapping to WayBroad.dll is inferred from the IOC table."
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "download",
      "sequence_order": 8,
      "confidence": "confirmed",
      "x_evidence": "Stage-1 loader downloads decoy PDF from /institute/cloudiyaf/document.pdf."
    },
    {
      "from": "e007",
      "to": "e009",
      "type": "download",
      "sequence_order": 9,
      "confidence": "confirmed",
      "x_evidence": "Stage-1 loader downloads the encoded HTA payload from /institute/cloudiya/."
    },
    {
      "from": "e009",
      "to": "e010",
      "type": "drops",
      "sequence_order": 10,
      "confidence": "confirmed",
      "x_evidence": "The downloaded payload is decoded/decompressed and reconstructed as zuidrt.hta under C:\\Users\\Public\\USOShared-1de48789-1285."
    },
    {
      "from": "e010",
      "to": "e015",
      "type": "execute",
      "sequence_order": 11,
      "confidence": "likely",
      "x_evidence": "zuidrt.hta reconstructs the embedded Stage-2 loader DLL in memory; filename mapping to Aotestpass.dll is inferred from the IOC table."
    },
    {
      "from": "e015",
      "to": "e011",
      "type": "download",
      "sequence_order": 12,
      "confidence": "confirmed",
      "x_evidence": "Stage-2 loader contains hardcoded URL /institute/10/ for next-stage payload retrieval."
    },
    {
      "from": "e015",
      "to": "e012",
      "type": "download",
      "sequence_order": 13,
      "confidence": "confirmed",
      "x_evidence": "Stage-2 loader contains hardcoded alternate URL /institute/7/ for Windows 7 compatibility."
    },
    {
      "from": "e011",
      "to": "e013",
      "type": "drops",
      "sequence_order": 14,
      "confidence": "confirmed",
      "x_evidence": "The downloaded payload is stored locally as ayui.vmxx."
    },
    {
      "from": "e012",
      "to": "e013",
      "type": "drops",
      "sequence_order": 15,
      "confidence": "confirmed",
      "x_evidence": "The alternate endpoint also serves the payload stored as ayui.vmxx."
    },
    {
      "from": "e013",
      "to": "e014",
      "type": "drops",
      "sequence_order": 16,
      "confidence": "confirmed",
      "x_evidence": "ayui.vmxx is decoded/decompressed and written as ayhui.vmxx prior to shellcode execution."
    },
    {
      "from": "e014",
      "to": "e016",
      "type": "execute",
      "sequence_order": 17,
      "confidence": "confirmed",
      "x_evidence": "The reconstructed shellcode initializes CLR and loads the final XenoRAT payload in memory."
    },
    {
      "from": "e016",
      "to": "e017",
      "type": "connect",
      "sequence_order": 18,
      "confidence": "confirmed",
      "x_evidence": "Seqrite states XenoRAT uses hardcoded IP 185.235.137.106 for secure C2 communication."
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Spearphishing Attachment",
      "tactic": "Initial Access"
    },
    {
      "technique_id": "T1218.005",
      "name": "Mshta",
      "tactic": "Defense Evasion"
    },
    {
      "technique_id": "T1059.007",
      "name": "JavaScript",
      "tactic": "Execution"
    },
    {
      "technique_id": "T1547.001",
      "name": "Registry Run Keys / Startup Folder",
      "tactic": "Persistence"
    },
    {
      "technique_id": "T1053.005",
      "name": "Scheduled Task",
      "tactic": "Persistence"
    },
    {
      "technique_id": "T1620",
      "name": "Reflective Code Loading",
      "tactic": "Defense Evasion"
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control"
    },
    {
      "technique_id": "T1573",
      "name": "Encrypted Channel",
      "tactic": "Command and Control"
    },
    {
      "technique_id": "T1090.002",
      "name": "Proxy: External Proxy",
      "tactic": "Command and Control"
    },
    {
      "technique_id": "T1113",
      "name": "Screen Capture",
      "tactic": "Collection"
    },
    {
      "technique_id": "T1056.001",
      "name": "Keylogging",
      "tactic": "Collection"
    }
  ],
  "x_source": "Seqrite Labs",
  "x_source_urls": [
    "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
  ],
  "x_resource_links_verified": true,
  "x_iocs": {
    "sha256": [
      "194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14",
      "3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01",
      "DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB",
      "A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67",
      "5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45",
      "99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D",
      "8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A",
      "0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772",
      "9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14"
    ],
    "domains": [
      "abimj.edu.af"
    ],
    "ips": [
      "103.132.98.224",
      "103.132.98.226",
      "185.235.137.106"
    ],
    "urls": [
      "http://abimj.edu.af/index.php",
      "http://abimj.edu.af/institute/cloudiyaf/document.pdf",
      "http://abimj.edu.af/institute/cloudiya/",
      "https://abimj.edu.af/institute/10/",
      "https://abimj.edu.af/institute/7/"
    ]
  },
  "x_limitations": [
    "Seqrite publishes the delivery domain, IPs, payload paths, hashes, and XenoRAT C2 IP, but does not publish the original sender, mail headers, or actor-registered throwaway domain names mentioned as clusters on 185.235.137.106.",
    "WayBroad.dll and Aotestpass.dll are mapped to Stage-1/Stage-2 loader roles with likely confidence based on the narrative plus IOC table rather than an explicit filename-to-stage sentence.",
    "Endpoint behavior such as Registry Run persistence, AMSI bypass, CLR initialization, screen capture, keylogging, and self-deletion is captured via ATT&CK/evidence, not IIM techniques."
  ],
  "x_selection_reason": "Strong IIM fit: spearphishing ZIP, compromised Afghan education/government-adjacent delivery infrastructure, multi-stage HTA/.NET payload staging, OS-aware payload endpoint selection, and separated European C2 hosting.",
  "x_publication_safety": "Published as TLP:CLEAR-style OSINT chain derived only from public Seqrite reporting.",
  "x_source_title": "Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan",
  "x_source_url": "https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"
}