Cybersecurity researchers have identified a cyberattack campaign targeting Afghanistan’s Taliban-controlled institutions, including the Finance Ministry and several government offices, in an operation believed to be linked to the hacking group known as SideCopy.
According to security findings, the attackers used phishing emails containing malicious compressed files and documents written in Pashto to gain access to systems used by government employees. Researchers say the use of Pashto suggests the operators possessed a detailed understanding of the intended targets and their administrative environment.
The campaign reportedly extended beyond the Taliban’s Finance Ministry and also targeted provincial financial departments, revenue offices, Pashto-speaking government officials, and employees working in local administrative institutions.
Security experts say the malware deployed in the operation was designed to provide extensive surveillance and intelligence-gathering capabilities. These reportedly included keystroke logging, screen capture functions, webcam and microphone access, data theft, and covert communication with remote command-and-control servers operated by the attackers.
Researchers found that the malware attempted to disguise itself as Microsoft Edge in order to avoid detection. The malicious software also used modifications to the Windows Registry to establish long-term persistence on compromised devices, allowing continued access even after system reboots.
The report attributes the campaign to SideCopy, a cyber espionage group widely believed to be associated with the larger Transparent Tribe network, also known as APT36. The group has previously been linked by cybersecurity firms to espionage operations targeting entities across South Asia, particularly in India.
The findings emerged alongside reports of similar cyber operations directed at Indian military infrastructure. In those incidents, attackers allegedly relied on infected files distributed through email and messaging platforms such as WhatsApp to compromise targeted systems.
Cybersecurity specialists note that attacks of this nature depend heavily on social engineering. Victims unknowingly activate malicious software after opening infected documents, allowing attackers to establish remote access and gain control over the compromised device.
NIMRUZ ANGLE
The operation demonstrates a growing shift in regional intelligence competition toward cyberspace. Rather than relying solely on traditional espionage methods, threat actors are increasingly targeting government institutions through digital infiltration, exploiting language, administrative structures, and human behavior to gain access to sensitive information.
FINAL ANALYSIS
The reported campaign highlights the rising importance of cybersecurity across government institutions in South Asia. If the attackers successfully penetrated targeted networks, the operation could have provided access to financial records, administrative communications, and sensitive internal documents. As geopolitical rivalries increasingly expand into cyberspace, governments with limited cyber defenses may face growing risks from espionage campaigns that are difficult to detect and even harder to attribute with certainty. The incident underscores how cyber warfare and intelligence gathering are becoming central elements of modern regional security competition.