Reports of a cyberattack by a group allegedly linked to Pakistan against the Taliban’s Ministry of Finance.

June 4, 2026
Summary

Cybersecurity researchers have identified a cyberattack targeting the Taliban’s Ministry of Finance, allegedly carried out by a hacker group believed to be linked to Pakistan. The group, known as “SideCopy,” has been using malware, remote access tools, and phishing emails containing compressed files with Pashto-language names to target institutions affiliated with the Taliban.

According to the report, the operation begins with the distribution of deceptive emails that include compressed attachments. Inside these files is a malicious shortcut file with a Pashto-language name. The use of Pashto in these files suggests that the attackers are familiar with the administrative structure and operational environment of the targeted institutions.

Reports further indicate that the targets of this attack are not limited to the Ministry of Finance; they also include provincial financial and revenue departments, Pashto-speaking government officials, and local government employees.

The malware is capable of performing keylogging, capturing screenshots, accessing webcams and microphones, stealing data, and establishing covert communication with command-and-control servers.

It is also designed to persist within the system by mimicking Microsoft Edge through Windows Registry modifications, making it more difficult to remove.
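One defensive check that follows from this persistence trick, added here as an example rather than anything from the report: given autorun (Run-key) entries exported from a host, it flags any entry that presents itself as Microsoft Edge but launches a binary from outside the assumed default Edge install directories. The Run key, value names and command lines below are constructed sample data, not indicators from the campaign.

```python
"""Flag autorun entries that pose as Microsoft Edge but launch from elsewhere."""
from pathlib import PureWindowsPath

# Directories where a legitimate Edge binary lives (assumed default install paths).
LEGIT_EDGE_DIRS = (
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
    r"C:\Program Files\Microsoft\Edge\Application",
)


def _exe_path(command: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def is_suspicious_edge_entry(value_name: str, command: str) -> bool:
    """True when the entry claims to be Edge but does not run from an Edge install dir."""
    exe = PureWindowsPath(_exe_path(command))
    looks_like_edge = "edge" in value_name.lower() or "edge" in exe.name.lower()
    if not looks_like_edge:
        return False
    parent = str(exe.parent).lower()
    return not any(parent == d.lower() for d in LEGIT_EDGE_DIRS)


def find_edge_impostors(entries):
    """entries: iterable of (key, value_name, command) tuples, e.g. parsed from 'reg query' output."""
    return [e for e in entries if is_suspicious_edge_entry(e[1], e[2])]


# Constructed sample Run-key entries (hypothetical; not taken from the report).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    (RUN_KEY, "MicrosoftEdgeAutoLaunch",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'),
    (RUN_KEY, "Microsoft Edge",
     r'"C:\Users\user\AppData\Roaming\MicrosoftEdge\msedge.exe"'),
    (RUN_KEY, "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for key, name, cmd in find_edge_impostors(SAMPLE_ENTRIES):
        print(f"suspicious: {key}\\{name} -> {cmd}")
```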

Cybersecurity experts associate the “SideCopy” group with a larger threat cluster known as “Transparent Tribe” or “APT36,” which has previously been involved in cyberattacks against targets in South Asia, particularly India.

Separate reports also suggest that a similar campaign has recently been detected targeting Indian military infrastructure.

In these types of attacks, infected files are typically disguised as ordinary documents or distributed via messaging platforms such as WhatsApp. Once executed, the malware installs itself on the system and connects to the attacker’s command server.

Experts note that in such scenarios, attackers can gain full user-level access to the system, enabling them to view and steal files, execute programs, and comprehensively monitor user activity.

Writer: Salima Aryaei
