APT Sidewinder Spoofs Government and Military Institutions to Target South Asian Countries with Credential Harvesting Techniques

APT Sidewinder, a persistent APT group believed to originate from South Asia, has consistently targeted military and government entities across Bangladesh, Srilanka, Turkey, Nepal, Pakistan, and other neighboring countries. Sidewinder frequently leverages spear-phishing techniques involving weaponized documents and malicious links. These campaigns mimic official communication to trick victims into entering credentials on fake login pages.

Key Takeaways

• APT SideWinder impersonates government and defense agencies across Nepal, Bangladesh, and Turkey, recreating their login interfaces using Netlify and Pages.dev to host phishing lures.

• Spoofed Zimbra and Secure Portal Pages were made to look like official government email, file-sharing, or document upload services, prompting victims to submit credentials through fake login panels.

• Both mailbox3-inbox1-bd.com and mailbox-inbox-bd.com were used as credential collection endpoints, indicating backend reuse and infrastructure redundancy.

• Deployment of variants such as mailbox-inbox-bd.com/gov.ph and /pol3.php suggests redundant collection paths likely meant to ensure campaign continuity.

• Over a dozen phishing domains were identified, each mimicking different agencies (DGDP, DGFI, Police, National Webmail, Roketsan/ASELSAN), indicating broad sectoral targeting.

Initial Discovery

The investigation starts with an observed phishing attack on Nepal's Ministry of Defense (MOD) shared by researcher "Demon" on Twitter, attributed to APT Sidewinder.

These initial findings enabled a deeper dive into the APT Sidewinder ongoing campaign and Fake Zimbra Pages as lure.

Zimbra is a popular enterprise email platform often mimicked in phishing campaigns to steal login credentials.

Investigation

The initial investigation reveals a Fake Zimbra page (https://mail-mod-gov-np-account-file-data[.]netlify[.]app/bof.html) impersonating the Government of Nepal's Centralized Email System, hosted on Netlify, a free static hosting service often abused by threat actors to quickly spin up phishing pages.

Further investigation shows the title of the webpage as Zimbra Web Client Sign In in the HTML source code.

Moreover, a suspicious form submission was observed in the phishing page, which uses the POST method to send user credentials to an attacker-controlled server https://mailbox3-inbox1-bd.com/3456.php silently.

Pivoting Infrastructure

This phishing domain “mailbox3-inbox1-bd[.]com” currently resolves to the IP address 146.79.118.226. At first glance, there's nothing that screams C2 traffic or known malware behavior. However, we did spot one phishing-related indicator that suggests the domain may be part of an ongoing malicious campaign. The scan did not reveal any open directories or clear indicators of compromise (IOCs), and although WHOIS information is accessible, the registration details do not appear immediately suspicious.

The IP address 146.70.118.226, hosted by M247 Europe SRL in Frankfurt, Germany (AS9009) and its reverse DNS points to monovm.host, a known VPS provider often associated with anonymity or abuse-friendly hosting. Forward DNS resolves to webdisk.ichigotour.com, a domain name that appears benign but could potentially be part of a misused shared hosting environment.

A large number of common service ports are exposed, including FTP (21), HTTP/HTTPS (80, 443), POP3 (110), IMAP (143), secure email ports (993, 995), and several cPanel/webmail management interfaces such as 2083, 2087, 2095, 2096, 2077, 2078, which are typically seen on shared hosting. The presence of SSH on a non-standard port (2041) and an unknown service running on port 52230 were also observed.

To uncover the broader infrastructure leveraged by APT Sidewinder, we utilized HuntSQL™ (Hunt.io’s SQL-like interface that allows pivoting across massive infrastructure datasets) to pivot within an indexed web crawl dataset, starting from the previously identified suspicious domain: mailbox3-inbox1-bd.com.

HuntSQL query:

SELECT 
    *
FROM
    crawler
WHERE
    body LIKE '%mailbox3-inbox1-bd.com%'
AND timestamp gt '2025-01-01'

                
Copy

Output:

The results show that a total of 9 unique phishing URLs were identified using lures targeting Bangladesh and Turkey. These phishing pages imitate government login portals and exfiltrate credentials using POST requests to attacker-controlled infrastructure.

Here is a breakdown of the phishing URLs, their visual lures (titles), and POST requests.

Observation

1. Domain Theming: All front-end domains are hosted on free services like Netlify and Pages.dev, commonly abused for fast, anonymous hosting.

2. Consistent Backend: Despite different phishing lures (DGDP, Roketsan, ASELSAN, IDEF), all forms submit data to mailbox3-inbox1-bd.com, confirming it as a centralized credential collection point.

3. Reused POST Scripts: Reuse of scripts like /2135.php and /idef.php across different phishing kits indicates automation or a template-based deployment model.

To better understand the scope of the campaign, the following table summarizes each unique phishing URL identified, along with its targeted country, impersonated organization, and a brief description of the lure used.

In order to perform title pivoting, we explored all possible titles and built a query to extract relevant records from the crawler database. Our focus was on entries with the title within a defined time frame starting from January 1, 2025, to capture recent activity and potential campaign footprints.

SELECT 
    *
FROM
    crawler
WHERE
    title == 'Dgdp Secured File System'
AND timestamp gt '2025-01-01'

                
Copy

After testing the identified page titles across broader sources, one more phishing URL was uncovered using the same visual lure, "Dgdp Secured File System". This reuse across domains points to a template-based approach, likely intended to ensure campaign continuity even if individual URLs are blocked.

This POST destination (mailbox-inbox-bd.com) is structurally and linguistically similar to the original collection server (mailbox3-inbox1-bd.com), suggesting a shared malicious infrastructure or backup exfiltration path used by the same threat actor attacking Bangladesh DIRECTORATE GENERAL DEFENCE PURCHASE.

The domain “mailbox-inbox-bd[.]com” shows 4 phishing URLs that also resolved to the same IP address 146.70.118.226. The scan revealed no open directories or obvious IOCs, and while WHOIS information is available, the registration details do not raise immediate suspicion.

Both mailbox3-inbox1-bd[.]com and mailbox-inbox-bd[.]com resolves to the same IP address 146.70.118.226, suggesting they are part of the same phishing infrastructure operated by a common threat actor.

Continuing the infrastructure hunt, a query using the URL pattern netlify.app/?pdf= revealed a new phishing page impersonating DGFI (Directorate General of Forces Intelligence), Bangladesh's military intelligence agency.

SELECT 
    *
FROM
    crawler
WHERE
    url LIKE '%netlify.app/?pdf=%'
AND url LIKE '%gov-bd%'
AND timestamp gt '2025-01-01'

                
Copy

Output:

The inclusion of a .gov.bd email in the query string indicates a successful spear-phishing attempt:

https://mail-dgfi-gov-bd-accounts-file-data-d.netlify.app/?pdf=ealb.gso2.protocol@dgfi.gov.bd

Using the URL mailbox-inbox-bd.com in the body field, two additional phishing URLs were identified, both following the same Zimbra-themed lure and targeting sensitive Bangladeshi government entities:

SELECT 
    *
FROM
    crawler
WHERE
    body LIKE '%mailbox-inbox-bd.com%'
AND timestamp gt '2025-04-01'

                
Copy

Output:

One spoofed the National Webmail Portal (mail.gov.bd) using a Zimbra-based lure, while the other impersonated the Bangladesh Police webmail login, both exfiltrating credentials via the attacker-controlled domain mailbox-inbox-bd.com

Attribution and Overlaps

The Sidewinder APT group continues to aggressively target government and defense sectors across South Asia, particularly Bangladesh, Sri Lanka, Nepal, and Pakistan. Recent phishing infrastructure uncovered in our hunt includes domains such as updatemind52.com, netlify.app, and pages.dev, which were designed to mimic official portals like mail.gov.bd, police.gov.bd, and dgdp.gov.bd. These domains were used to host credential-harvesting pages with highly convincing templates, some directly impersonating Zimbra Web Client interfaces.

As shown in the Sidewinder Attack by @SecAI_AI, domains like mail-mod-gov-bd-account-data-file[.]netlify[.]app and phishing URLs such as hxxps://mails.mofa.gov.np.updatemaster[.]info/mail/?_task=login highlight the group's tactic of chaining legitimate-looking subdomains with deceptive second-level domains (e.g., updatemaster[.]info).

These patterns precisely align with our hunt, where we identified three domains mail.gov.bd.account.file.updatemind52[.]com, webmail.police.gov.bd.updatemind52[.]com, and dgdp.cloud.secured.file.updatemind52.com. Both the naming format and the use of attacker-controlled parent domains like updatemind52.com confirm the replication of Sidewinder's infrastructure across campaigns.

The second Sidewinder attack by @blackorbird presents additional context, displaying a phishing domain mail-defence-lk-session-out.pages[.]dev used to mimic the Sri Lankan Ministry of Defence. This mirrors the domains we uncovered, such as mail-baf-mil-bd-account-data-files-document.pages.dev and mail-aselsans-com-tr-account-files-da.netlify.app, all hosted on Netlify or Pages.dev.

The screenshots in the tweet show the reuse of visual elements like Zimbra login forms and official document previews, matching the behavior in our phishing samples. This consistent use of static site platforms, fake government-themed URLs, and credential-stealing POST methods reflects a broader infrastructure strategy by Sidewinder, aligning with patterns we’ve observed in prior campaigns.

Mitigation Strategies

• Detect .php phishing pages served from domains spoofing military/gov.bd keywords

• Block Netlify-hosted spoofed domains like *.netlify.app mimicking bd government/military services

• Enforce MFA on all externally accessible services, especially webmail, VPNs, and government portals.

• DNS resolutions to *.netlify.app, *.pages.dev domains containing gov/mil/army patterns.

• HTTP requests with Zimbra login paths or anomalous User-Agent strings.

• Security teams can write detections for unusual Zimbra login paths combined with unexpected HTTP POST behavior to external domains.

Proactively mapping attacker infrastructure remains one of the most effective ways to detect and stop threats like these before they escalate.

Conclusion

This investigation began with a phishing lure targeting Nepal's Ministry of Defense. Through infrastructure pivoting and domain analysis, the campaign's scope expanded to Bangladesh and Turkey, revealing a coordinated set of phishing attacks against government and military entities.

The consistent use of Netlify and Pages.dev, combined with centralized credential collection servers and cloned login portals, points to a sustained and scalable campaign. Attribution indicators and infrastructure overlaps reinforce previous links to APT Sidewinder.

Tracking infrastructure reuse across campaigns like this is critical. It gives defenders a practical advantage, helping detect threats early, enriching IOCs, and reducing attacker dwell time across targeted government and military environments.

APT Sidewinder Indicators of Compromise (IOCs)

Additional IOCs