SideWinder Hackers Target Government Webmail With Fake Chrome PDF and Zimbra Login Pages
Key Takeaways The advanced persistent threat (APT) group SideWinder is conducting a sophisticated spearphishing campaign targeting government entities in South Asia. The attack chain leverages a...
Key Takeaways
- The advanced persistent threat (APT) group SideWinder is conducting a sophisticated spearphishing campaign targeting government entities in South Asia.
- The attack chain leverages a highly convincing fake Chrome PDF viewer and a pixel-perfect replica of the Zimbra webmail login page to steal credentials.
- Organizations affected include the Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, and other defense and government bodies.
- An operational security error by the attackers exposed internal project details, including the phishing kit’s name “Z2FA_LTS” and a developer username “moincox.”
A persistent threat actor, identified as the SideWinder APT group, has launched an elaborate phishing operation aimed at government organizations across South Asia. The campaign employs highly deceptive tactics, including a counterfeit Chrome PDF viewer and an exact replica of the Zimbra webmail login interface, to compromise employee credentials. This extensive effort, detailed in a report by Breakglass Intelligence, has been ongoing since at least February 2026.
Table Of Content
Organizations targeted include the Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, and various other defense and governmental entities throughout the region. The campaign is characterized by its meticulous design and strategic use of legitimate-looking interfaces to deceive victims.
The Phishing Chain: From Fake PDF to Credential Harvest
The attack initiates with a spearphishing email containing a malicious link. Upon clicking, victims are directed to a webpage crafted to perfectly mimic Google Chrome’s integrated PDF viewer. This sophisticated phishing kit, internally designated Z2FA_LTS, utilizes PDF.js version 2.16.105 to render a convincing interface, complete with functional-looking toolbar controls for actions like zooming, printing, and navigation.
The displayed document is a genuine, albeit blurred, Pakistani government diplomatic cable concerning the 152nd IPU Assembly in Istanbul. The intentional blurring prevents victims from reading the content, serving purely as a lure. After a brief five-second interval, the page automatically redirects the user to the subsequent phase of the attack.
Breakglass Intelligence analysts first identified the phishing kit after researcher @volrant136 brought attention to a Cloudflare Workers URL hosting a Zimbra credential harvester. This particular instance was targeting the Bangladesh Navy’s webmail portal, mail.navy.mil.bd.
Further analysis using URLScan revealed seven distinct phishing Workers deployed across two Cloudflare accounts over a three-month period. These Workers targeted a range of entities, including the Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, iCloud users, Nayatel, and the Bangladesh Computer Council. Multiple independent researchers, including @Huntio, @500mk500, @MichalKoczwara, and @malwrhunterteam, have corroborated the attribution of these activities to the SideWinder APT group.
Operational Security Blunder Exposes Attacker Details
During the investigation, a significant operational security misstep by the kit’s developer came to light. When analysts sent a POST request to the phishing server without the expected query parameter, the system returned a 500 error, inadvertently exposing a full Express.js stack trace.
This leaked path, “/home/moincox/Z2FA_LTS/app.js,” provided critical insights, revealing the developer’s Linux username as “moincox” and the internal project name “Z2FA_LTS.” The project name, an acronym for “Zimbra 2FA Long-Term Support,” suggests the developer maintains multiple versions of this phishing kit. A search for the “moincox” handle on major code hosting platforms like GitHub and npm yielded no results, indicating a potentially private or less public development environment.
How the Infection Mechanism Works
The Z2FA_LTS phishing kit, built as a server-rendered Express.js application and hosted on Cloudflare Workers, orchestrates a highly convincing infection chain.
Following the initial blurred PDF display, victims are redirected to a simulated Zimbra loading screen. This page is designed to appear authentic by pulling real CSS stylesheets directly from the legitimate Bangladesh Navy mail server, making it visually indistinguishable from the genuine portal. The victim is then directed to a cloned Zimbra Harmony skin login page. All static assets, including favicons and stylesheets, are reverse-proxied from the real server through the phishing Worker’s “/proxy/” path, further enhancing the illusion of legitimacy.
The credential harvesting process is engineered to maximize data capture. The page injects two key behaviors:
- It forces a persistent error message stating, “Your session has expired. Please login again to continue,” pressuring the victim to re-enter their credentials.
- After the victim submits their initial credentials, the server re-renders the login page with the username pre-filled. This tactic makes the victim believe their first login attempt failed, prompting them to re-enter their password, thereby ensuring the collection of both username and password.
This double-submission strategy significantly increases the likelihood of successfully harvesting credentials. Additionally, each page load generates a unique rotating CSRF token using express-session, confirming that the kit employs robust server-side session management, adding another layer of sophistication to the attack.
What You Should Do
- Bangladesh Navy: Immediately rotate all user credentials for mail.navy.mil.bd.
- BGD e-GOV CIRT: Notify [email protected] about the ongoing credential harvesting operation.
- Pakistan’s NTISB: Alert regarding the use of leaked diplomatic communications as phishing lures.
- Cloudflare Trust and Safety: Report the phishing Worker at twilight-violet-55a5.malik-jaani786.workers.dev.
- Network Defenders: Block all subdomains under malik-jaani786.workers.dev.
- Proactive Monitoring: Continuously monitor URLScan for new Cloudflare Workers subdomains associated with this account or similar attack patterns (Express.js + Zimbra clone), as the threat actor has demonstrated an ability to rotate accounts (e.g., from girlfriendparty42.workers.dev to malik-jaani786.workers.dev).
- User Education: Reinforce training for all employees on identifying sophisticated phishing attempts, especially those involving fake PDF viewers and login pages, and emphasize verifying URLs before entering credentials.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.