SideWinder Hacker Group Targets Users with Fake Outlook/Zimbra Portals to Steal Login Credentials


The notorious SideWinder APT group has intensified its credential harvesting operations across South Asia, deploying sophisticated phishing campaigns that target government, defense, and critical infrastructure organizations through fake webmail portals.

The campaign represents a significant escalation from the group’s August 2024 activities, which initially focused on 14 malicious webpages hosted on Netlify and pages.dev platforms.

The threat actors have demonstrated remarkable persistence, maintaining active phishing operations for over eight months while continuously adapting their tactics to evade detection.

Security researchers at Hunt.io have uncovered an extensive phishing infrastructure operated by SideWinder, with over 100 domains identified targeting government entities across Pakistan, Nepal, Bangladesh, Sri Lanka, and Myanmar.

Security researcher “Demon” has been instrumental in tracking the group’s activities, identifying attacks against high-value targets including the Pakistan Government, Pakistan Navy, and Sri Lanka Navy.

Credential Theft Operations

SideWinder's current campaign employs a multi-faceted approach to credential harvesting, primarily focusing on fake Outlook Web App and Zimbra webmail login pages.

The group has successfully compromised infrastructure across multiple free hosting platforms, including Netlify, Cloudflare Pages, and Back4App, to host their malicious portals.

In Bangladesh, the group specifically targets the Directorate General of Defense Purchases (DGDP) through fake “secured file” portals that mimic official defense procurement systems.

Fake DGDP document at “httpx://drive-dgdp-gov-bd-files[.]netlify[.]app/” used by SideWinder to deliver a phishing page.

These sophisticated lures trick officials into believing they’re accessing legitimate defense documents while harvesting their login credentials.

Nepal has emerged as a primary target, with Hunt.io identifying 17 active phishing portals between May and September 2024.

Fake Outlook webmail login page uncovered by Hunt.io, targeting Nepal's Ministry of Finance and hosted on Netlify.

Approximately 70% of these operations spoof centralized government webmail systems, while the remainder utilize politically-themed documents as bait.

The group has shown particular interest in exploiting political tensions, using documents related to the Prime Minister’s China visit and national AI policy drafts.

The investigation reveals extensive infrastructure overlap between different country-specific campaigns. Myanmar’s Central Bank has been targeted through fake Zimbra portals, with stolen credentials funneled to the same collection servers used in operations against other regional targets.

Phishing infrastructure mimicking Myanmar's Central Bank (CBM) Zimbra webmail.

This shared infrastructure approach demonstrates the group’s operational efficiency and resource optimization.

A HuntSQL query is designed to extract all URLs containing .govmm domains after January 1, 2025. This pivot revealed 13 unique URLs tied to the govmm.org infrastructure.

Pakistan faces particularly intensive targeting, with SideWinder impersonating critical organizations including the Space & Upper Atmosphere Research Commission (SUPARCO), Pakistan Airports Authority, and National Telecom Corporation.

The group employs sophisticated JavaScript-based phishing kits that encode victim email addresses in Base64 format for tracking and session management.

Maritime Sector Focus

Beyond traditional phishing, SideWinder maintains open directories hosting malicious executables and decoy files with a clear maritime sector focus.

Researchers have identified exposed command-and-control endpoints at themegaprovider.ddns.net and gwadarport.ddns.net, hosting over 40 distinct malware samples targeting Pakistani and Sri Lankan maritime operations.

A third IP address, 46.183.184.245, plays a vital role in attribution: in addition to govmm[.]org, it is linked with two more domains, govnp[.]org and andc[.]govaf[.]org.

Infrastructure overlap: IP 46.183.184.245 linked with govmm[.]org, govnp[.]org.

The group’s technical sophistication extends to using hardcoded CSRF tokens for session tracking and implementing multi-stage redirect mechanisms to obfuscate their phishing flows.

The campaign’s scope extends beyond South Asia, with spillover attacks identified against Singapore’s Ministry of Manpower, indicating potential expansion of SideWinder’s operational theater.

The group’s ability to maintain persistent access while rapidly cycling through domains presents significant challenges for traditional security measures.

Security experts recommend proactive monitoring of free hosting platforms, enhanced email filtering, and regional cybersecurity cooperation to counter this persistent threat effectively.
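Two traits described above lend themselves to automated detection: the phishing kits carry the victim's e-mail address Base64-encoded in the URL (for pre-filling the login form and tracking the session), and the portals sit on free hosting platforms under government- or webmail-flavoured hostnames. The script below is an added example, not code from Hunt.io or the article, showing how a defender might triage web-proxy log lines for both traits. The log lines, the `mail-mof-gov-np.netlify.app` hostname, the `user@mof.gov.np` address and the scoring thresholds are all constructed for the example; the `drive-dgdp-gov-bd-files.netlify.app` hostname is the defanged one quoted in the article, written fully qualified so it parses. The Back4App hosting suffixes are an assumption.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Hosting platforms the article names as abused for SideWinder's portals (Netlify,
# pages.dev, Back4App) plus the dynamic-DNS provider behind its open directories.
# The Back4App suffixes are an assumption; tune this list to your own environment.
FREE_HOSTING_SUFFIXES = ("netlify.app", "pages.dev", "back4app.io", "b4a.app", "ddns.net")

# Hostname tokens that suggest a government or webmail lure (heuristic list, constructed here).
IMPERSONATION_TOKENS = {"gov", "owa", "outlook", "zimbra", "webmail", "mail", "drive", "secured"}

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
B64_ALPHABET_RE = re.compile(r"[A-Za-z0-9+/_=-]+")


def decode_b64_email(candidate):
    """Return the e-mail address if `candidate` is standard or URL-safe Base64 of one, else None."""
    text = unquote(candidate).strip()
    if len(text) < 8 or not B64_ALPHABET_RE.fullmatch(text):
        return None
    padded = text + "=" * (-len(text) % 4)  # kits often strip padding; restore it
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(decoded):
            return decoded.lower()
    return None


def hostname_tokens(host):
    """Split a hostname on dots, hyphens and underscores into lower-case tokens."""
    return {t for t in re.split(r"[.\-_]", host.lower()) if t}


def analyze_url(url):
    """Score one URL against the two phishing traits: lure-style free hosting and an encoded victim address."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    on_free_hosting = any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)
    lure_tokens = sorted(hostname_tokens(host) & IMPERSONATION_TOKENS)

    # The victim address may sit in the fragment or in any query value; check them all.
    candidates = [parsed.fragment] + [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    encoded_email = next((e for e in map(decode_b64_email, candidates) if e), None)

    score = (1 if on_free_hosting else 0) + (1 if lure_tokens else 0) + (2 if encoded_email else 0)
    return {
        "url": url,
        "host": host,
        "free_hosting": on_free_hosting,
        "lure_tokens": lure_tokens,
        "encoded_email": encoded_email,
        "score": score,
        "suspicious": score >= 2,
    }


def triage_proxy_log(log_text):
    """Parse '<timestamp> <client> <method> <url>' lines and return the suspicious hits in log order."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, _method, url = parts
        verdict = analyze_url(url)
        if verdict["suspicious"]:
            hits.append({"time": ts, "client": client, **verdict})
    return hits


# Constructed sample proxy log. Line 1 mimics a Nepal MoF-style lure with a Base64 victim address
# in the fragment (constructed hostname); line 3 is the DGDP hostname quoted in the article;
# lines 2 and 4 are benign filler, the last carrying a Base64 value that is not an e-mail.
SAMPLE_PROXY_LOG = """\
2025-03-02T08:14:07Z 10.20.1.15 GET https://mail-mof-gov-np.netlify.app/#dXNlckBtb2YuZ292Lm5w
2025-03-02T08:15:22Z 10.20.1.15 GET https://www.example.org/news/index.html
2025-03-02T08:16:40Z 10.20.3.8 GET https://drive-dgdp-gov-bd-files.netlify.app/
2025-03-02T08:17:01Z 10.20.3.8 GET https://docs.internal.example/report?token=aGVsbG8gd29ybGQ=
"""

if __name__ == "__main__":
    for hit in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{hit["time"]} {hit["client"]} score={hit["score"]} host={hit["host"]} '
              f'lure={hit["lure_tokens"]} victim={hit["encoded_email"]}')
```

The decoded address is the most useful field for response: it tells you which mailbox the kit was primed for, so the account can be checked for a follow-on login and its owner notified even when the victim never submitted a password. The hostname heuristic is deliberately loose and will flag legitimate sites on these platforms; treat a score of 2 as a review queue and a decoded address as a higher-priority alert.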
