Sidewinder Hackers Weaponize Nepal Protests to Spread Cross-Platform Malware


Sidewinder, a well-known advanced persistent threat (APT) group, has adapted its tactics to exploit the ongoing protests in Nepal, deploying a coordinated campaign of mobile and Windows malware alongside credential phishing.

By masquerading as respected national institutions and figures, the group seeks to harvest sensitive data from users tracking the nation’s political turmoil.

The protests, ignited by a government ban on social media and accusations of corruption, have led to dozens of fatalities and the ousting of key leadership, creating fertile ground for social engineering lures.

In one campaign strand, Sidewinder operators crafted a phishing lure impersonating the Nepalese Emergency Service.

Victims receive messages purportedly from emergency responders, complete with a convincing email template and a spoofed domain, prompting users to enter their credentials on a fraudulent portal.

Once credentials are submitted, attackers gain access to personal and corporate accounts, which are then leveraged for further compromise.

Concurrently, Sidewinder distributed an Android malware strain under the persona of General Ashok Sigdel, the acting head of Nepal as of September 2025.

Users seeking updates or statements from the general are instead directed to install an APK named Gen_Ashok_Sigdel_Live.apk.

IDA-style view of the Android malware.

The decoy app displays legitimate-looking news feeds and live video streams, masking its nefarious behavior.

APK decoy content.

Once the user grants the requested permissions, the malware silently harvests documents, images, and other files from the device and exfiltrates them to a command-and-control endpoint at playservicess.com.

Disassembling the APK shows the routines behind this behavior: file enumeration on device storage followed by encrypted transfer of the collected data.

Windows Malware and Parallel Android Samples

Sidewinder's Windows-focused component employs a dropper named EmergencyApp.exe, which mimics an official Nepalese emergency application.

A fake site purporting to be the “Emergency Helpline”.

When executed, it installs a backdoor that scans for high-value data in user directories and system configurations.

In parallel, another Android sample, Emergency_Help.apk, functions similarly to Gen_Ashok_Sigdel_Live.apk, broadening the group’s reach across multiple mobile user segments.

Victims of these payloads often first encounter a fake “Emergency Helpline” website hosting links to both the Android APKs and the Windows EXE.

Network captures from infected environments show multipart HTTP exfiltration POSTs that use a boundary string containing the token “qwerty” (printed here as “—-qwerty”; the leading dashes have likely been altered by typographic substitution, so hunt on the token rather than on the exact dash characters). Such forensic artifacts can be invaluable for incident responders seeking to disrupt ongoing data theft.

Hunting Indicators

Defenders investigating potential Sidewinder infections should note several key artifacts. On mobile devices, application installation logs may reference “Gen_Ashok_Sigdel_Live.apk” or “Emergency_Help.apk”. On Windows hosts, a Program Database (PDB) path such as:

C:\Users\asdf\Desktop\9\x64\Release\ConsoleApplication1.pdb

embedded in EmergencyApp.exe points to development leftovers from the attacker's build environment. Additionally, webserver paths like /ghijkl/ghijkl/index.php serve as staging points for exfiltrated files.
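As an added example (not code from the original report), the following Python carves CodeView RSDS debug records out of a PE file or memory dump and matches the embedded PDB path against the fragments above. Carving for the marker rather than walking the PE debug directory also works on packed, truncated or memory-dumped samples. The sample bytes and GUIDs are constructed inline; only the path fragments come from the report. A default Visual Studio project name such as ConsoleApplication1.pdb is common in benign software, so the \Users\asdf\ component is the stronger pivot.

```python
"""Carve CodeView (RSDS) debug records from a PE file or memory dump and
match the embedded PDB path against hunting fragments.

Carving for the 'RSDS' marker rather than walking the PE debug directory
also works on packed, truncated or memory-dumped samples where the headers
are unreliable. Sample bytes below are constructed for this example."""
import re
import struct
import uuid

# Fragments of the PDB path reported for EmergencyApp.exe (matched case-insensitively).
# ConsoleApplication1.pdb is the Visual Studio default and appears in benign
# software too; the \Users\asdf\ component is the more specific pivot.
HUNT_FRAGMENTS = ("\\users\\asdf\\", "consoleapplication1.pdb")

# NUL-terminated printable-ASCII path ending in .pdb (MAX_PATH-sized upper bound)
_PDB_PATH_RE = re.compile(rb"[ -~]{1,260}?\.pdb\x00", re.IGNORECASE)


def carve_rsds(data):
    """Yield one dict per well-formed RSDS record: offset, guid, age, path.

    Record layout after the 4-byte 'RSDS' signature: 16-byte GUID in the
    Windows mixed-endian layout, 4-byte age, then the NUL-terminated PDB path."""
    pos = 0
    while True:
        pos = data.find(b"RSDS", pos)
        if pos < 0:
            return
        rec = data[pos + 4:]
        if len(rec) >= 20:
            guid = uuid.UUID(bytes_le=bytes(rec[:16]))
            (age,) = struct.unpack_from("<I", rec, 16)
            m = _PDB_PATH_RE.match(rec, 20)
            if m:  # a stray 'RSDS' string without a path is not a debug record
                yield {
                    "offset": pos,
                    "guid": str(guid),
                    "age": age,
                    "path": m.group(0)[:-1].decode("ascii"),
                }
        pos += 4


def hunt_pdb(data, fragments=HUNT_FRAGMENTS):
    """Return carved records whose path contains any hunting fragment."""
    hits = []
    for rec in carve_rsds(data):
        low = rec["path"].lower()
        matched = [f for f in fragments if f.lower() in low]
        if matched:
            hits.append({**rec, "matched": matched})
    return hits


def build_rsds(path, guid, age):
    """Build an RSDS record the way the MSVC linker lays it out (test data only)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed stand-in for a PE image: headers are padding, then two debug
# records (one matching the reported path, one benign) and a truncated marker.
SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
    + build_rsds(r"C:\Users\asdf\Desktop\9\x64\Release\ConsoleApplication1.pdb",
                 uuid.UUID("11111111-2222-3333-4444-555555555555"), 1)
    + b"\x00" * 64
    + build_rsds(r"D:\build\legit\Release\legit.pdb", uuid.UUID(int=0x1234), 3)
    + b"RSDS" + b"\xff" * 8  # too short to be a record; must be skipped
)

if __name__ == "__main__":
    for hit in hunt_pdb(SAMPLE):
        print(f"offset 0x{hit['offset']:x} guid {hit['guid']} age {hit['age']}: "
              f"{hit['path']} <- {hit['matched']}")
```

To run it against a real sample, pass the file contents (`hunt_pdb(open(path, "rb").read())`); the GUID and age pair is also what symbol servers key on, so it can be used to correlate builds across samples even when the path changes.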

Network defenders should alert on HTTP traffic whose Content-Type boundary parameter contains “qwerty” (the published indicator reads “boundary=—-qwerty”) and monitor DNS requests for playservicess.com and its subdomains.
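As an added example, not part of the original report, the following Python runs both network hunts over constructed proxy-style HTTP and DNS log lines (the tab-separated line format and the sample lines are assumptions for this example). It extracts the multipart boundary from Content-Type, normalises typographic dashes so a boundary pasted from a write-up still matches the wire form, flags the staging path and the C2 host, and matches DNS lookups for playservicess.com and its subdomains without also catching look-alike names.

```python
"""Hunt for the network indicators reported for this campaign in proxy-style
HTTP and DNS log lines: a multipart boundary carrying the 'qwerty' token,
POSTs to the /ghijkl/ghijkl/index.php staging path, and lookups for
playservicess.com. The tab-separated line format and the log lines
themselves are constructed for this example."""
import re

C2_DOMAIN = "playservicess.com"
STAGING_PATH = "/ghijkl/ghijkl/index.php"
BOUNDARY_TOKEN = "qwerty"

# Dash-like code points that CMS typography or copy/paste substitute for '-'.
# Matching on the token, not the exact dashes, keeps a pasted IOC usable.
_DASH_TO_HYPHEN = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"), "-")
_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def normalize_dashes(text):
    return text.translate(_DASH_TO_HYPHEN)


def suspicious_boundary(content_type):
    """Return the multipart boundary if it carries the campaign token, else None."""
    m = _BOUNDARY_RE.search(normalize_dashes(content_type))
    if not m:
        return None
    boundary = m.group(1) if m.group(1) is not None else m.group(2)
    return boundary if BOUNDARY_TOKEN in boundary.lower() else None


def is_c2_domain(qname):
    """True for the C2 apex or any subdomain; notplayservicess.com does not match."""
    name = qname.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def _fields(line, count):
    parts = line.rstrip("\n").split("\t")
    return parts if len(parts) == count else None


def hunt_http(lines):
    """Lines: ts, src, method, host, uri, content_type. One finding per matching request."""
    findings = []
    for line in lines:
        parts = _fields(line, 6)
        if parts is None:
            continue
        ts, src, method, host, uri, ctype = parts
        reasons = []
        if is_c2_domain(host):
            reasons.append("host:" + C2_DOMAIN)
        if uri.split("?", 1)[0] == STAGING_PATH:
            reasons.append("uri:" + STAGING_PATH)
        boundary = suspicious_boundary(ctype)
        if boundary is not None:
            reasons.append("boundary:" + boundary)
        if reasons:
            findings.append({"ts": ts, "src": src, "method": method, "host": host, "reasons": reasons})
    return findings


def hunt_dns(lines):
    """Lines: ts, src, qname. Return (ts, src, qname) tuples for C2 lookups."""
    hits = []
    for line in lines:
        parts = _fields(line, 3)
        if parts and is_c2_domain(parts[2]):
            hits.append(tuple(parts))
    return hits


# Constructed sample logs: one exfiltration POST, two benign requests, and one
# whose boundary carries an em dash, as the IOC appears in the published write-up.
SAMPLE_HTTP = [
    "2025-09-12T10:01:07Z\t10.0.0.12\tPOST\tplayservicess.com\t/ghijkl/ghijkl/index.php\tmultipart/form-data; boundary=----qwerty",
    "2025-09-12T10:02:11Z\t10.0.0.15\tPOST\tupdates.example.net\t/api/upload\tmultipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "2025-09-12T10:03:30Z\t10.0.0.21\tGET\twww.example.org\t/news\t-",
    "2025-09-12T10:04:45Z\t10.0.0.33\tPOST\t203.0.113.7\t/upload.php\tmultipart/form-data; boundary=\u2014-qwerty",
]
SAMPLE_DNS = [
    "2025-09-12T10:01:05Z\t10.0.0.12\tplayservicess.com",
    "2025-09-12T10:01:06Z\t10.0.0.12\tplay.google.com",
    "2025-09-12T10:05:00Z\t10.0.0.40\tcdn.playservicess.com.",
    "2025-09-12T10:06:00Z\t10.0.0.41\tnotplayservicess.com",
]

if __name__ == "__main__":
    for f in hunt_http(SAMPLE_HTTP):
        print(f"{f['ts']} {f['src']} -> {f['host']}: {', '.join(f['reasons'])}")
    for ts, src, qname in hunt_dns(SAMPLE_DNS):
        print(f"{ts} {src} DNS {qname}")
```

The boundary check is the weakest of the three on its own (any client could pick that string), so treat a boundary-only hit as a lead to pivot on the destination host and URI rather than as a confirmed infection.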

Organizations with personnel monitoring Nepal’s political situation must raise awareness around targeted phishing lures and enforce strict verification processes before installing applications.

Implementing mobile device management (MDM) solutions to restrict unknown APK installations and employing endpoint detection and response (EDR) tools on Windows assets can significantly reduce risk.

Regular threat intelligence updates and user education campaigns about emerging Sidewinder tactics will bolster resilience against this opportunistic APT.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.