Bangladesh Navy: SideWinder Spoofs Chrome PDF Viewer, Zimbra to Steal Government Webmail Logins

SideWinder APT Targets South Asian Governments with Sophisticated Phishing Campaign

The advanced persistent threat (APT) group SideWinder is conducting an active credential-harvesting campaign targeting government entities in South Asia, including the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs. The operation leverages a fake Chrome PDF viewer and a pixel-perfect Zimbra webmail clone hosted on Cloudflare Workers, designed to steal login credentials from high-value victims.

Attack Mechanics

The campaign was uncovered after researchers identified a Cloudflare Workers URL harvesting credentials for the Bangladesh Navy’s Zimbra webmail portal (mail.navy.mil.bd). The phishing kit, internally labeled "Z2FA_LTS", mimics the legitimate Zimbra interface with near-perfect accuracy, including genuine CSS assets pulled from the real server.

The attack begins with a fake PDF viewer displaying a blurred, official-looking document, later revealed to be a stolen Pakistani diplomatic memo detailing hotel reservations for an IPU assembly in Istanbul. The document’s metadata confirms its authenticity, including Turkey-based creation timestamps and internal government reference numbers. Victims are tricked into clicking "Reload PDF" or waiting for an automatic redirect, either of which leads to the cloned Zimbra login page.

Once credentials are entered, the kit pre-fills the username field to encourage password retries, while an error banner remains visible to maintain the illusion of legitimacy. The backend, built on Express.js, processes the stolen credentials and includes an "admin" interface, though no real authentication layer was exposed.

Infrastructure & Targeting

Researchers traced at least seven Cloudflare Workers tied to the same toolkit over a three-month period, targeting:

  • Bangladesh Navy (Zimbra webmail)
  • Pakistan’s Ministry of Foreign Affairs
  • Regional telecoms
  • iCloud users

The campaign uses modular infrastructure, with identical phishing components deployed across multiple Cloudflare Workers accounts ("girlfriendparty42" and "malik-jaani786") and other platform-as-a-service (PaaS) providers. The group’s long-term, two-factor-aware framework suggests a reusable phishing toolkit for sustained operations.

SideWinder’s Tactics & Impact

SideWinder, known for recycling stolen documents as lures, has a history of targeting South Asian military and government entities. By compromising webmail credentials, the group gains access to sensitive communications and potential lateral movement into internal networks.

The campaign highlights the group’s ability to abuse low-cost cloud platforms (like Cloudflare Workers) to blend malicious traffic with legitimate activity, making detection harder. Defenders are advised to treat Zimbra/Outlook login pages on generic cloud domains with heightened suspicion, particularly those mimicking government portals.
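As an added defender-side example (not code from the original article or from the gbhackers report): because the clone pulls its CSS from the real Zimbra server, the legitimate server's access log records static-asset requests whose Referer points at the phishing host. The script below, which assumes a combined-format access log and the `.workers.dev` suffix used by Cloudflare Workers, flags hot-linked assets requested from a foreign referer; the log lines, client addresses and hostnames are constructed placeholders, not indicators from the report.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The legitimate webmail host named in the report; the clone hot-links its CSS from here.
LEGIT_HOST = "mail.navy.mil.bd"
# Generic PaaS suffix used by Cloudflare Workers; extend with other providers as needed.
PAAS_SUFFIXES = (".workers.dev",)

# Combined-log-format line: client, time, request, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Static assets a login-page clone would load from the real server.
ASSET_RE = re.compile(r"\.(css|js|png|gif|jpe?g|svg|woff2?)(\?.*)?$", re.IGNORECASE)

def referer_host(referer):
    """Hostname from a Referer value; '' when absent ('-') or unparsable."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()

def classify(line):
    """Alert dict for an asset request whose Referer is a foreign host, else None."""
    m = LOG_RE.match(line)
    if not m or not ASSET_RE.search(m["path"]):
        return None  # unparsable line or not a static asset
    host = referer_host(m["referer"])
    if host in ("", LEGIT_HOST) or host.endswith("." + LEGIT_HOST):
        return None  # no Referer, or our own pages loading our own assets
    kind = "paas_clone" if host.endswith(PAAS_SUFFIXES) else "external_referer"
    return {"kind": kind, "referer_host": host, "path": m["path"], "client": m["ip"]}

def hotlink_report(lines):
    """All alerts plus a count of flagged asset requests per foreign Referer host."""
    alerts = [a for a in map(classify, lines) if a]
    return alerts, Counter(a["referer_host"] for a in alerts)

# Constructed sample access-log lines (clients, hosts and paths are placeholders).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2026:08:14:02 +0600] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2026:08:14:03 +0600] "GET /zimbra/skins/harmony/login.css HTTP/1.1" 200 18231 "https://mail.navy.mil.bd/zimbra/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2026:09:02:11 +0600] "GET /zimbra/skins/harmony/login.css HTTP/1.1" 200 18231 "https://webmail-clone.example-account.workers.dev/" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2026:09:30:44 +0600] "GET /zimbra/img/logo.png?v=2 HTTP/1.1" 200 9001 "https://intranet.example.org/links" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2026:09:02:20 +0600] "POST /service/soap HTTP/1.1" 200 640 "https://webmail-clone.example-account.workers.dev/" "Mozilla/5.0"',
]

if __name__ == "__main__": print(hotlink_report(SAMPLE_LOG))
```

A "paas_clone" hit is a strong signal that a cloned login page is live and being rendered in victims' browsers; an "external_referer" hit may be benign (an intranet link) but still deserves a look.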

Source: https://gbhackers.com/fake-chrome-pdf-viewer/

Bangladesh Navy cybersecurity rating report: https://www.rankiteo.com/company/navy-bangladesh

{
  "id": "NAV1776752761",
  "linkid": "navy-bangladesh",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {"industry": "Defense", "location": "Bangladesh", "name": "Bangladesh Navy", "type": "Government (Military)"},
    {"industry": "Government", "location": "Pakistan", "name": "Pakistan’s Ministry of Foreign Affairs", "type": "Government (Diplomatic)"},
    {"industry": "Telecom", "location": "South Asia", "name": "Regional telecoms", "type": "Telecommunications"},
    {"location": "South Asia", "name": "iCloud users", "type": "Individuals"}
  ],
  "attack_vector": "Phishing (Fake PDF viewer, cloned Zimbra webmail)",
  "data_breach": {
    "personally_identifiable_information": "Potential (credentials, diplomatic memos)",
    "sensitivity_of_data": "High (government/military communications)",
    "type_of_data_compromised": "Login credentials, government communications"
  },
  "description": "The advanced persistent threat (APT) group SideWinder is conducting an active credential-harvesting campaign targeting government entities in South Asia, including the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs. The operation leverages a fake Chrome PDF viewer and a pixel-perfect Zimbra webmail clone hosted on Cloudflare Workers, designed to steal login credentials from high-value victims.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to targeted government entities",
    "data_compromised": "Government communications, login credentials",
    "identity_theft_risk": "High (credential theft)",
    "operational_impact": "Potential unauthorized access to sensitive government communications",
    "systems_affected": "Zimbra webmail portals, iCloud accounts"
  },
  "initial_access_broker": {
    "entry_point": "Phishing (fake PDF viewer, cloned Zimbra webmail)",
    "high_value_targets": "Government/military entities, diplomatic staff"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Abuse of low-cost cloud platforms (e.g., Cloudflare Workers) to blend malicious traffic with legitimate activity makes detection harder. Defenders should treat Zimbra/Outlook login pages on generic cloud domains with heightened suspicion.",
  "motivation": "Espionage, Credential Theft, Lateral Movement",
  "post_incident_analysis": {
    "corrective_actions": "Enforce MFA, monitor cloud-hosted phishing kits, user training on phishing awareness",
    "root_causes": "Social engineering, lack of MFA, abuse of cloud platforms for phishing infrastructure"
  },
  "recommendations": "Implement multi-factor authentication (MFA) for webmail portals, monitor for phishing kits hosted on cloud platforms, and educate users on recognizing cloned login pages.",
  "references": [{"source": "Cybersecurity Research Report"}],
  "response": {
    "enhanced_monitoring": "Recommended (treat Zimbra/Outlook login pages on generic cloud domains with suspicion)"
  },
  "threat_actor": "SideWinder APT",
  "title": "SideWinder APT Targets South Asian Governments with Sophisticated Phishing Campaign",
  "type": "Phishing, Credential Harvesting",
  "vulnerability_exploited": "Social Engineering, Lack of Multi-Factor Authentication (MFA) awareness"
}