Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/Threats/SideWinder Hackers Target Government Webmail With Fake Chrome PDF and Zimbra Login Pages
Threats

SideWinder Hackers Target Government Webmail With Fake Chrome PDF and Zimbra Login Pages

Key Takeaways The advanced persistent threat (APT) group SideWinder is conducting a sophisticated spearphishing campaign targeting government entities in South Asia. The attack chain leverages a...

Sarah simpson
Sarah simpson
April 21, 2026 4 Min Read
35 0

Key Takeaways

  • The advanced persistent threat (APT) group SideWinder is conducting a sophisticated spearphishing campaign targeting government entities in South Asia.
  • The attack chain leverages a highly convincing fake Chrome PDF viewer and a pixel-perfect replica of the Zimbra webmail login page to steal credentials.
  • Organizations affected include the Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, and other defense and government bodies.
  • An operational security error by the attackers exposed internal project details, including the phishing kit’s name “Z2FA_LTS” and a developer username “moincox.”

A persistent threat actor, identified as the SideWinder APT group, has launched an elaborate phishing operation aimed at government organizations across South Asia. The campaign employs highly deceptive tactics, including a counterfeit Chrome PDF viewer and an exact replica of the Zimbra webmail login interface, to compromise employee credentials. This extensive effort, detailed in a report by Breakglass Intelligence, has been ongoing since at least February 2026.

Table Of Content

  • Key Takeaways
  • The Phishing Chain: From Fake PDF to Credential Harvest
  • Operational Security Blunder Exposes Attacker Details
  • How the Infection Mechanism Works
  • What You Should Do

Organizations targeted include the Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, and various other defense and governmental entities throughout the region. The campaign is characterized by its meticulous design and strategic use of legitimate-looking interfaces to deceive victims.

The Phishing Chain: From Fake PDF to Credential Harvest

The attack initiates with a spearphishing email containing a malicious link. Upon clicking, victims are directed to a webpage crafted to perfectly mimic Google Chrome’s integrated PDF viewer. This sophisticated phishing kit, internally designated Z2FA_LTS, utilizes PDF.js version 2.16.105 to render a convincing interface, complete with functional-looking toolbar controls for actions like zooming, printing, and navigation.

The displayed document is a genuine, albeit blurred, Pakistani government diplomatic cable concerning the 152nd IPU Assembly in Istanbul. The intentional blurring prevents victims from reading the content, serving purely as a lure. After a brief five-second interval, the page automatically redirects the user to the subsequent phase of the attack.

Breakglass Intelligence analysts first identified the phishing kit after researcher @volrant136 brought attention to a Cloudflare Workers URL hosting a Zimbra credential harvester. This particular instance was targeting the Bangladesh Navy’s webmail portal, mail.navy.mil.bd.

Further analysis using URLScan revealed seven distinct phishing Workers deployed across two Cloudflare accounts over a three-month period. These Workers targeted a range of entities, including the Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, iCloud users, Nayatel, and the Bangladesh Computer Council. Multiple independent researchers, including @Huntio, @500mk500, @MichalKoczwara, and @malwrhunterteam, have corroborated the attribution of these activities to the SideWinder APT group.

Operational Security Blunder Exposes Attacker Details

During the investigation, a significant operational security misstep by the kit’s developer came to light. When analysts sent a POST request to the phishing server without the expected query parameter, the system returned a 500 error, inadvertently exposing a full Express.js stack trace.

This leaked path, “/home/moincox/Z2FA_LTS/app.js,” provided critical insights, revealing the developer’s Linux username as “moincox” and the internal project name “Z2FA_LTS.” The project name, an acronym for “Zimbra 2FA Long-Term Support,” suggests the developer maintains multiple versions of this phishing kit. A search for the “moincox” handle on major code hosting platforms like GitHub and npm yielded no results, indicating a potentially private or less public development environment.

How the Infection Mechanism Works

The Z2FA_LTS phishing kit, built as a server-rendered Express.js application and hosted on Cloudflare Workers, orchestrates a highly convincing infection chain.

Following the initial blurred PDF display, victims are redirected to a simulated Zimbra loading screen. This page is designed to appear authentic by pulling real CSS stylesheets directly from the legitimate Bangladesh Navy mail server, making it visually indistinguishable from the genuine portal. The victim is then directed to a cloned Zimbra Harmony skin login page. All static assets, including favicons and stylesheets, are reverse-proxied from the real server through the phishing Worker’s “/proxy/” path, further enhancing the illusion of legitimacy.

The credential harvesting process is engineered to maximize data capture. The page injects two key behaviors:

  1. It forces a persistent error message stating, “Your session has expired. Please login again to continue,” pressuring the victim to re-enter their credentials.
  2. After the victim submits their initial credentials, the server re-renders the login page with the username pre-filled. This tactic makes the victim believe their first login attempt failed, prompting them to re-enter their password, thereby ensuring the collection of both username and password.

This double-submission strategy significantly increases the likelihood of successfully harvesting credentials. Additionally, each page load generates a unique rotating CSRF token using express-session, confirming that the kit employs robust server-side session management, adding another layer of sophistication to the attack.

What You Should Do

  • Bangladesh Navy: Immediately rotate all user credentials for mail.navy.mil.bd.
  • BGD e-GOV CIRT: Notify [email protected] about the ongoing credential harvesting operation.
  • Pakistan’s NTISB: Alert regarding the use of leaked diplomatic communications as phishing lures.
  • Cloudflare Trust and Safety: Report the phishing Worker at twilight-violet-55a5.malik-jaani786.workers.dev.
  • Network Defenders: Block all subdomains under malik-jaani786.workers.dev.
  • Proactive Monitoring: Continuously monitor URLScan for new Cloudflare Workers subdomains associated with this account or similar attack patterns (Express.js + Zimbra clone), as the threat actor has demonstrated an ability to rotate accounts (e.g., from girlfriendparty42.workers.dev to malik-jaani786.workers.dev).
  • User Education: Reinforce training for all employees on identifying sophisticated phishing attempts, especially those involving fake PDF viewers and login pages, and emphasize verifying URLs before entering credentials.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackphishingSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical Windows Snipping Tool Bug Leaks NTLM Hashes, PoC Exploit Released

Next Post

Critical Prompt Injection Vulnerability Affects AI Code Assistants via GitHub Comments

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us