Nayatel: SideWinder Uses Fake Chrome PDF Viewer and Zimbra Clone to Steal Government Webmail Credentials

SideWinder APT Targets South Asian Governments in Sophisticated Phishing Campaign

The advanced persistent threat (APT) group SideWinder has launched a highly targeted phishing campaign against government and defense organizations in South Asia, including the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs. Active since at least February 2026, the operation employs a fake Chrome PDF viewer and a pixel-perfect clone of the Zimbra email login portal to harvest credentials.

Attack Mechanics

The campaign begins with spearphishing links sent to targeted individuals. Victims land on a fake PDF viewer, built on PDF.js v2.16.105 but styled to pass as Chrome's built-in viewer, that displays a blurred diplomatic cable: a genuine stolen Pakistani government document concerning the 152nd IPU Assembly in Istanbul. After five seconds the page automatically redirects to a Zimbra login clone that mirrors the legitimate Bangladesh Navy webmail portal (mail.navy.mil.bd).
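The two traits of the lure page described above, an embedded PDF.js viewer and a delayed client-side redirect to a webmail-looking login, are easy to check for in saved HTML. The script below is an added example written for this page, not code from the original article or from the researchers; it works offline on saved pages. The sample pages, the `setTimeout`/meta-refresh patterns it matches, and the hostnames (`*.example`, a reserved TLD) are constructed, and the PDF.js marker strings are ordinary PDF.js identifiers rather than anything specific to this kit.

```python
"""Offline triage of a suspected fake-PDF-viewer lure page (added example).

Looks for an embedded PDF.js viewer plus a delayed client-side redirect to a
webmail/SSO-looking login. Sample pages below are constructed, not captured.
"""
import re
from urllib.parse import urlparse

# Any of these strings indicates an embedded PDF.js viewer.
PDFJS = re.compile(r"PDFViewerApplication|pdfjsLib|build/pdf\.js|pdf\.worker\.js", re.I)

# Path fragments that suggest the redirect target is a webmail or SSO login.
LOGIN_PATH = re.compile(r"zimbra|webmail|owa|login|signin|auth", re.I)

# setTimeout(function () { location.href = "..."; }, 5000) and common variants
JS_REDIRECT = re.compile(
    r"setTimeout\s*\(.*?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*"
    r"['\"](?P<url>[^'\"]+)['\"].*?,\s*(?P<ms>\d+)\s*\)",
    re.I | re.S,
)

# <meta http-equiv="refresh" content="5;url=...">
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*['\"]refresh['\"][^>]*content\s*=\s*"
    r"['\"]\s*(?P<sec>\d+)\s*;\s*url\s*=\s*(?P<url>[^'\"]+)['\"]",
    re.I,
)


def find_timed_redirects(html):
    """Return (target_url, delay_seconds) for every delayed client-side redirect."""
    hits = [(m["url"], int(m["ms"]) / 1000) for m in JS_REDIRECT.finditer(html)]
    hits += [(m["url"], float(m["sec"])) for m in META_REFRESH.finditer(html)]
    return hits


def triage_lure(html, page_url):
    """Classify one saved page. Verdicts: likely-lure, suspicious, clean."""
    page_host = (urlparse(page_url).hostname or "").lower()
    has_viewer = bool(PDFJS.search(html))
    flagged = []
    for url, delay in find_timed_redirects(html):
        target = urlparse(url)
        host = (target.hostname or page_host).lower()  # relative URL stays on page host
        cross_host = host != page_host
        login_like = bool(LOGIN_PATH.search(target.path))
        if delay > 0 and (cross_host or login_like):
            flagged.append({"url": url, "delay_s": delay,
                            "cross_host": cross_host, "login_like": login_like})
    if has_viewer and flagged:
        verdict = "likely-lure"
    elif flagged:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"pdfjs_viewer": has_viewer, "redirects": flagged, "verdict": verdict}


# Constructed samples (hypothetical hostnames), not captured from the campaign.
LURE_HTML = """<!doctype html><html><head><title>Document.pdf</title>
<script src="build/pdf.js"></script>
<style>#viewer canvas { filter: blur(6px); }</style></head>
<body><div id="viewer"></div>
<script>
  PDFViewerApplication.open("cable.pdf");
  setTimeout(function () {
    window.location.href = "https://mail-login.clone.example/zimbra/";
  }, 5000);
</script></body></html>"""

VIEWER_ONLY_HTML = """<html><head><script src="build/pdf.js"></script></head>
<body><script>PDFViewerApplication.open("report.pdf");</script></body></html>"""

DOCS_REDIRECT_HTML = """<html><head>
<meta http-equiv="refresh" content="3;url=/docs/index.html">
</head><body>Moved.</body></html>"""

if __name__ == "__main__":
    for name, html in [("lure", LURE_HTML), ("viewer-only", VIEWER_ONLY_HTML),
                       ("docs-redirect", DOCS_REDIRECT_HTML)]:
        print(name, triage_lure(html, "https://lure.example/viewer.html"))
```

A same-host redirect to a non-login path (the docs sample) stays clean, a PDF.js page with no redirect stays clean, and only the combination of viewer plus timed redirect to a login-looking target on another host is scored as a lure. Real kits vary the redirect mechanism, so treat the regexes as a starting point and extend them from pages you actually collect.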

The phishing kit, internally named Z2FA_LTS ("Zimbra 2FA Long-Term Support"), is a server-rendered Express.js application hosted on Cloudflare Workers. It employs several deceptive tactics:

  • Reverse-proxying of static assets from the real Zimbra server, so the clone looks and behaves exactly like the genuine portal.
  • A forced "session expired" error that prompts the victim to log in again.
  • A double-submission trick: the first login attempt is rejected and the form is re-presented with the victim's username pre-filled, so the password is typed a second time.
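Because the kit pulls its assets from the real Zimbra server, the genuine server's access log is the one place a defender can observe the clone without ever seeing the phishing page. The script below is an added example written for this page, not code from the article or from any Zimbra tooling. It applies two heuristics to nginx/Apache "combined" log lines: a hotlinking rule (asset requests arriving with a Referer from a foreign host) and an asset-only-client rule (a client that fetches several login-page assets with no Referer and never loads the login page itself, which is what a server-side reverse proxy looks like). The log lines, the hostname `mail.example.mil`, the client addresses and the asset paths are constructed; how a Cloudflare Worker's outbound fetch presents itself in a log (source address, User-Agent, absence of Referer) is an assumption, not an observed value from the campaign.

```python
"""Spot a clone that feeds its login page from the real Zimbra server (added example).

Log lines and hostnames are constructed; the placeholder legitimate host is
mail.example.mil. Worker fetch behaviour (no Referer, no browser UA) is assumed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

LEGIT_HOSTS = {"mail.example.mil"}      # placeholder for the genuine webmail host

# Static assets the login page pulls in; path prefixes are illustrative.
ASSET_PATH = re.compile(r"^/(?:zimbra/)?(?:img|css|js|skins)/", re.I)
# The login page itself: "/" or "/zimbra/", optionally with a query string.
LOGIN_PAGE = re.compile(r"^/(?:zimbra/?)?(?:\?|$)", re.I)

# nginx/Apache "combined" log format
LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(lines):
    """Yield one dict per well-formed combined-format line."""
    for line in lines:
        m = LOG.match(line)
        if m:
            yield m.groupdict()


def analyse(lines, min_assets=3):
    """Return findings: hotlinked-asset (per request) and asset-only-client (per IP)."""
    per_ip = defaultdict(lambda: {"assets": set(), "bare": set(), "pages": 0})
    findings = []
    for r in parse(lines):
        stats = per_ip[r["ip"]]
        if LOGIN_PAGE.match(r["path"]):
            stats["pages"] += 1
            continue
        path = r["path"].split("?", 1)[0]
        if not ASSET_PATH.match(path):
            continue
        stats["assets"].add(path)
        ref_host = "" if r["referer"] == "-" else (urlparse(r["referer"]).hostname or "").lower()
        if ref_host and ref_host not in LEGIT_HOSTS:
            # A victim's browser rendering a clone page that hotlinks our assets.
            findings.append({"rule": "hotlinked-asset", "ip": r["ip"],
                             "path": path, "referer_host": ref_host})
        elif not ref_host:
            stats["bare"].add(path)
    for ip, s in per_ip.items():
        # Several assets fetched with no Referer by a client that never loaded the
        # login page: consistent with a server-side reverse proxy filling in a clone.
        if s["pages"] == 0 and len(s["assets"]) >= min_assets and s["bare"] == s["assets"]:
            findings.append({"rule": "asset-only-client", "ip": ip, "assets": len(s["assets"])})
    return findings


# Constructed log lines: a normal user, a browser loading a hotlinking clone,
# and a referer-less client that only ever fetches assets.
LOG_LINES = """\
198.51.100.7 - - [10/Feb/2026:09:12:01 +0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
198.51.100.7 - - [10/Feb/2026:09:12:01 +0600] "GET /img/logo.png HTTP/1.1" 200 3308 "https://mail.example.mil/" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
198.51.100.7 - - [10/Feb/2026:09:12:02 +0600] "GET /css/login.css HTTP/1.1" 200 2211 "https://mail.example.mil/" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
203.0.113.45 - - [10/Feb/2026:09:40:17 +0600] "GET /img/logo.png HTTP/1.1" 200 3308 "https://clone.example/zimbra/" "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0"
203.0.113.45 - - [10/Feb/2026:09:40:17 +0600] "GET /skins/harmony/logo/banner.png HTTP/1.1" 200 7731 "https://clone.example/zimbra/" "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0"
192.0.2.88 - - [10/Feb/2026:10:03:55 +0600] "GET /img/logo.png HTTP/1.1" 200 3308 "-" "-"
192.0.2.88 - - [10/Feb/2026:10:03:55 +0600] "GET /css/login.css HTTP/1.1" 200 2211 "-" "-"
192.0.2.88 - - [10/Feb/2026:10:03:56 +0600] "GET /js/zimbra.js HTTP/1.1" 200 90021 "-" "-"
192.0.2.88 - - [10/Feb/2026:10:03:56 +0600] "GET /skins/harmony/logo/banner.png HTTP/1.1" 200 7731 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for finding in analyse(LOG_LINES):
        print(finding)
```

On the sample, the normal user produces no findings, the two hotlinked requests name `clone.example` as the foreign Referer host, and 192.0.2.88 is reported as an asset-only client. In production both rules need tuning: strict `Referrer-Policy` settings and privacy extensions strip Referers legitimately, uptime monitors fetch single assets, and a kit that copies the assets into its own Worker instead of proxying them leaves no trace here at all.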

Operational Security Failure

During analysis, researchers discovered a critical OPSEC lapse: an HTTP 500 response exposed a full Express.js stack trace, revealing the developer's Linux username (moincox) and the kit's internal name (Z2FA_LTS). The handle moincox has no public footprint on GitHub, npm, or other code repositories.

Infrastructure & Attribution

Researchers, including @volrant136, @Huntio, and @malwrhunterteam, mapped seven distinct phishing Workers across two Cloudflare accounts (girlfriendparty42.workers.dev and malik-jaani786.workers.dev) over three months. Targets included:

  • Bangladesh Navy (mail.navy.mil.bd)
  • Pakistan’s Ministry of Foreign Affairs
  • Nayatel (ISP)
  • Bangladesh Computer Council

Impact & Response

The campaign highlights SideWinder’s evolving tactics, including session management with rotating CSRF tokens and real-time asset mirroring to evade detection. Affected organizations have been urged to rotate credentials and report the infrastructure to Cloudflare Trust and Safety for takedown. The use of stolen diplomatic documents as lures underscores the group’s focus on high-value targets in the region.

Source: https://cybersecuritynews.com/sidewinder-uses-fake-chrome-pdf-viewer-and-zimbra-clone/

Nayatel cybersecurity rating report: https://www.rankiteo.com/company/nayatel

"id": "NAY1776759980",
"linkid": "nayatel",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Military',
                        'location': 'Bangladesh',
                        'name': 'Bangladesh Navy',
                        'type': 'Government/Defense'},
                       {'industry': 'Diplomacy',
                        'location': 'Pakistan',
                        'name': 'Pakistan’s Ministry of Foreign Affairs',
                        'type': 'Government'},
                       {'industry': 'Telecommunications',
                        'location': 'Pakistan',
                        'name': 'Nayatel',
                        'type': 'ISP'},
                       {'industry': 'Technology/Government',
                        'location': 'Bangladesh',
                        'name': 'Bangladesh Computer Council',
                        'type': 'Government'}],
 'attack_vector': 'Spearphishing links, fake PDF viewer, cloned login portal',
 'data_breach': {'file_types_exposed': 'PDF (diplomatic cables)',
                 'personally_identifiable_information': 'Potentially '
                                                        '(credentials)',
                 'sensitivity_of_data': 'High (government and military '
                                        'communications)',
                 'type_of_data_compromised': 'Credentials, diplomatic '
                                             'documents'},
 'date_detected': '2026-02-01',
 'description': 'The advanced persistent threat (APT) group SideWinder has '
                'launched a highly targeted phishing campaign against '
                'government and defense organizations in South Asia, including '
                'the Bangladesh Navy and Pakistan’s Ministry of Foreign '
                'Affairs. The operation employs a fake Chrome PDF viewer and a '
                'pixel-perfect clone of the Zimbra email login portal to '
                'harvest credentials.',
 'impact': {'brand_reputation_impact': 'High (government and defense '
                                       'organizations)',
            'data_compromised': 'Credentials, diplomatic cables',
            'identity_theft_risk': 'High (credential theft)',
            'operational_impact': 'Potential unauthorized access to sensitive '
                                  'communications',
            'systems_affected': 'Email portals (Zimbra), government and '
                                'defense systems'},
 'initial_access_broker': {'entry_point': 'Spearphishing links',
                           'high_value_targets': 'Government and defense '
                                                 'organizations'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Evolving tactics of APT groups, including session '
                    'management with rotating CSRF tokens and real-time asset '
                    'mirroring to evade detection. Importance of OPSEC in '
                    'phishing kit development.',
 'motivation': 'Espionage, credential theft',
 'post_incident_analysis': {'corrective_actions': 'Credential rotation, '
                                                  'reporting phishing '
                                                  'infrastructure, '
                                                  'implementing MFA, and '
                                                  'enhancing detection for '
                                                  'cloned login portals',
                            'root_causes': 'OPSEC failure (exposed Express.js '
                                           'stack trace), use of stolen '
                                           'diplomatic documents as lures, '
                                           'lack of multi-factor '
                                           'authentication on targeted '
                                           'portals'},
 'recommendations': 'Rotate credentials, report phishing infrastructure to '
                    'hosting providers, implement multi-factor authentication, '
                    'and enhance monitoring for cloned login portals.',
 'references': [{'source': 'Researchers (@volrant136, @Huntio, '
                           '@malwrhunterteam)'}],
 'response': {'containment_measures': 'Credential rotation, reporting '
                                      'infrastructure to Cloudflare Trust and '
                                      'Safety'},
 'threat_actor': 'SideWinder APT',
 'title': 'SideWinder APT Targets South Asian Governments in Sophisticated '
          'Phishing Campaign',
 'type': 'Phishing',
 'vulnerability_exploited': 'Credential harvesting via fake Zimbra login '
                            'portal'}