Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder, a highly active state-sponsored threat group known for its long-standing espionage campaigns across South Asia, has once again launched a targeted operation. Previously associated with extensive phishing and credential-harvesting activities, the group has now shifted focus toward the maritime sector, with Pakistan and Sri Lanka emerging as primary targets.

Hunt.io telemetry and targeted OSINT revealed a concentrated campaign activity we label Operation SouthNet, attributed to APT SideWinder. The actor leverages free hosting platforms (Netlify, pages.dev, workers.dev, b4a.run) to deploy credential-harvesting portals and weaponized lure documents, then stages malware in open directories for later retrieval.

The campaign shows an operational focus on maritime and port-themed lures and targets government and military entities in Pakistan and Sri Lanka, with supporting activity touching Nepal, Bangladesh, and Myanmar.

Key Takeaways

• Phishing Infrastructure at Scale: Over 50+ malicious domains uncovered across Netlify, pages.dev, workers.dev, and b4a.run, hosting fake Outlook/Zimbra portals and credential harvesting pages.

• Regional Targeting: Campaigns were distributed across 5 South Asian nations (Bangladesh, Nepal, Myanmar, Pakistan, Sri Lanka), with Pakistan accounting for 40% of the total domains identified.

• Lure Documents: At least 12 weaponized documents were observed between August and September 2025, themed around ministerial committees, bilateral visits, and defense procurements.

• Exposed Malware Repositories: Open directories revealed 8 distinct samples linked to Pakistan's marine sector.

• Infrastructure Overlap: Campaign tied back to SideWinder's legacy C2 assets (e.g., govmm[.]org, govnp[.]org, andc[.]govaf[.]org), confirming infrastructure recycling across multiple years.

• Credential Theft Campaign: Fake portals successfully captured inputs via direct POST requests (no redirects), with logs tied to technologysupport[.]help infrastructure.

• Persistent Operations: On average, new phishing domains emerged every 3--5 days, indicating rapid pivoting and a high operational tempo.

To back those points up, here's the earlier activity window we tracked and how it connects to the present campaign.

Background and Earlier Activity

In August 2025, Hunt.io tracked a SideWinder credential-harvesting campaign that deployed 14 malicious webpages on free hosting platforms (Netlify/pages.dev) and funneled stolen credentials to two collection servers. The operation primarily targeted government and defense organizations in Nepal, Bangladesh, and Turkey, using fake Zimbra webmail and secure portal login pages.

Security researcher "Demon" uncovered phishing and credential-theft activity targeting the Pakistan Government, Pakistan Navy, and the Sri Lanka Navy. Almost 100+ domains have been observed in a similar attack pattern targeting South Asian government and military entities. Moreover, an open directory was identified through AttackCapture™, linked to APT SideWinder, containing nearly 33 files and 8 directories aimed at targeting the marine sectors of Pakistan and Sri Lanka.

Folks at StrikeReady uncovered an attack that specifically targeted Nepali users through malicious Android applications, exploiting political tensions in Nepal to spy on ongoing communications and exfiltrate sensitive data.

Within two months, APT SideWinder's persistent focus on South Asia continued across phishing infrastructure, open directories, and mobile malware, underscoring its long-term intent to infiltrate government, military, and critical sectors in the region.

From there, the trail picks up in Bangladesh, where SideWinder leans on DGDP-themed "secured file" portals to pull in credentials.

Bangladesh: DGDP "Secured File" Phishing Portals

Building on our previous blog, the following HuntSQL™ query revealed three additional phishing domains linked to Sidewinder activity.

These lures were hosted on Netlify and spoofed DGDP (Directorate General of Defense Purchases, Bangladesh) and Turkish defense-related portals, indicating continued targeting of Bangladesh Defense.

SELECT
  *
FROM
  crawler
WHERE
  title LIKE '%Dgdp Secured File System%'
  AND timestamp gt '2025-07-17'

                
Copy

One of the phishing websites (httpx://drive-dgdp-gov-bd-files[.]netlify[.]app) is still active at the time of analysis (2025-09-30). The page hosted a fake DGDP "Secured File" portal, masquerading as an official request for Turkish defense equipment details supplied to the Pakistan Armed Forces, and prompted users to enter their email credentials to access the document.

A very similar approach shows up in Nepal, this time dressed up with political documents and centralized webmail spoofs.

Nepal: Political Lures and Centralized Webmail Spoofs

Hunt.io uncovered an attack targeting Nepal's Ministry of Finance using a fake Outlook webmail login page at httpx://mall-ministryoffinance-np[.]netlify[.]app/ hosted on Netlify (resolving to 98.84.224.111).

The phishing page embedded a fake document titled "सम्माननीय प्रधानमन्त्रीज्यूको चीन भ्रमण सम्बन्धमा.pdf" (Honorable Prime Minister's Visit to China) to appear credible. Beneath the lure, the site imitated an Outlook login, with credentials being exfiltrated to drive-nepal-gov[.]com/document/docu.php.

Because the same exfiltration server shows up in several pages, pivoting on it lets us map out a much bigger cluster of phishing sites tied to Nepal's government portals.

This clearly indicates SideWinder's tactic of pairing political themes with spoofed webmail portals. Pivoting further, we mapped out additional related infrastructure.

Using HuntSQL™ to pivot on the exfiltration server domain drive-nepal-gov[.]com, uncovered 12 phishing webpages linked to the same credential collection server.

SELECT
  url, title
FROM
  crawler
WHERE
  body LIKE '%drive-nepal-gov.com%' AND timestamp gt '2025-05-01'

                
Copy

At the time of analysis, two websites: www-foreignaffairs-nepal-com[.]netlify[.]app and www-nepalgovernment-genz-agendapdf[.]netlify[.]app were still active. These pages spoofed official government portals, including Nepal's Ministry of Foreign Affairs and centralized email system, using political-themed documents to trick officials into entering their credentials.

Pivoting on the title "Nepal Government Email Sign In" returned four unique results. All pages impersonate a centralized Nepal government webmail sign-in, which confirms a coordinated campaign to harvest Nepali government credentials since this year.

SELECT 
  * 
FROM 
  crawler 
WHERE 
  title = 'Nepal Government Email Sign In' 
  AND timestamp gt '2025-01-01'

                
Copy

At the time of analysis, the page at httpx://helpful-national-poilcy-nepla-gov-np[.]netlify[.]app/national%20ai%20policy%20draft.html was still active. It uses a decoy document titled National Artificial Intelligence Policy 2081 in the Nepali language and redirects to a fake login page of "Government of Nepal Centralized Email System" designed to harvest credentials.

The HuntSQL™ query is designed to surface new phishing infrastructure by filtering for Netlify-hosted sites containing "nepal" in the URL, excluding previously identified clusters ("Nepal Government Email Sign In" and "Carbonio Webmail Login). The result revealed one unique site: httpx://drive-nepal-gov-np-files[.]netlify[.]app/ with a title "Nepal Secured File System".

SELECT
  url, title, body
FROM
  crawler
WHERE
  url LIKE '%nepal%'AND url LIKE '%netlify%'
  AND (title != 'Nepal Government Email Sign In' 
  AND title != 'Carbonio Webmail Login') 
  AND timestamp gt '2025-08-01'

                
Copy

Across Nepal, we observed 17 active phishing portals between May--September 2025, with 70% spoofing centralized webmail logins and the rest using politically themed decoy documents.

The playbook isn't limited to Nepal. Myanmar's Central Bank is hit with the same cloned login kit, tied back to old SideWinder infrastructure.

Myanmar: Central Bank Zimbra Phish Linked to Legacy C2

Hunt.io uncovered a phishing domain targeting Myanmar's Central Bank (CBM) through a fake "Zimbra Web Client login" hosted at mailcbmgovmm[.]pages[.]dev (Cloudflare). The code analysis revealed that the login page was cloned from the legitimate CBM webmail (httpx://mail[.]cbm[.]gov[.]mm/) and designed to exfiltrate credentials to a malicious collection server at myanmar-org-mail[.]com/cbm/action.php.

A HuntSQL™ query is designed to extract all URLs containing .govmm domains after January 1, 2025. This pivot revealed 13 unique URLs tied to the govmm.org infrastructure, which is closely related to Myanmar's government website.

SELECT
  timestamp, url
FROM
  crawler
WHERE url LIKE '%.govmm%' AND timestamp gt '2025-01-01'

                
Copy

Further infrastructure analysis shows the govmm[.]org domain resolved to three IP addresses in 2025: 193.57.138.22, 5.255.113.9, and 46.183.184.245 with multiple malicious artifacts tied to that hosting cluster. On 193.57.138.22, we observed three notable samples: a malicious Windows executable tracked as AdobeUpdateCore.exe (MD5 7a6723cea87ba7c098f022ad92abf865 and observed also under names like manarupdate.exe / payload_1.exe), a compressed archive (payload_1.zip, MD5 799b9aa10e223b13577f9685c7808280), and a VBA script (ThisDocument.txt, MD5 b6fb42a8ff8ea93addf1c3a99abfe10a).

Separately, the host at 5.255.113.9 served an additional Windows executable (e0fd3.exe / EdgUpdate.exe, MD5 5b4eebe67765339f2a4ef7f0cc1d4f44) reachable via httpx://5.255.113.9/translateapp/Dell_YGN/processtext.php.

The third IP address, 46.183.184.245, plays a vital role in attribution. In addition to govmm[.]org, it is also linked with two more domains: govnp[.]org and andc[.]govaf[.]org. Both have previously been associated with APT SideWinder, as highlighted in Netskope's research and corroborated by independent security researcher @wa1Ile. These overlaps strengthen the assessment that the same threat actor continues to attack Nepal with a similar Nim-based Campaign.

That overlap isn't just historical. The same playbook shows up immediately in Pakistan, where SideWinder shifts its focus to aerospace, research, and telecom institutions

Pakistan: Credential Theft against Research, Aerospace, and Telecom Institutions

Hunt.io uncovered a phishing domain impersonating SUPARCO (Pakistan's Space & Upper Atmosphere Research Commission) at owa-suparco-gov-pk-owa-autho[.]pages[.]dev. The site mimicked an Outlook Web App login to harvest credentials and was hosted on Cloudflare infrastructure.

The injected JavaScript in the SUPARCO phishing page uses a redirect query parameter to capture the victim's email address, encode it in Base64, and then forward it into subsequent phishing stages (e.g., 1.html). After a short delay, it triggers an overlay message, luring the victim to reload and resubmit their credentials. This mechanism not only obfuscates the phishing flow but also ensures the stolen identifiers are consistently embedded across multiple phishing pages for session tracking.

A targeted hunt on "gov-pk" themed Outlook portals uncovered four phishing pages hosted on pages.dev. Two of these domains impersonated the Pakistan Space & Upper Atmosphere Research Commission (SUPARCO), while the other two spoofed the Pakistan Airports Authority (PAA).

All four URLs were inactive at the time of analysis, indicating that the malicious infrastructure had either been dismantled or temporarily disabled. Even so, the Pakistan activity links together through one thread: the technologysupport[.]help exfiltration server, which appears across multiple Zimbra and Outlook-style phishing kits.

On 17 September 2025, Hunt.io uncovered a new attack on the Pakistan Board of Investment (BOI) impersonating the Zimbra login portal under the domain mail-776f305796709f2d567e6868feaba274-gov-pk-investment[.]pages[.]dev.

The lure is an official-looking document titled 'Ministerial Committee to Oversee Preparation for Forthcoming Visit to China', dated June 16, 2025, designed to appear as a legitimate government communication. In reality, the document serves as bait to redirect recipients to a fraudulent login page impersonating the National Telecom Corporation (NTC) portal.

The code analysis shows the credentials are submitted to the attacker-controlled server httpx://technologysupport[.]help/1pac.php. Moreover, the form also includes a hidden inbox field containing a Base64-encoded email address, indicating a targeted lure and session tracking mechanism.

When we pivoted by IP instead of domain, we uncovered more of the same kit hosted on b4a.run, confirming SideWinder was recycling the same setup across different services

Pivoting on the exfiltration server domain "technologysupport[.]help" returned four unique domains in the last 3 months.

SELECT
  *
FROM
  crawler
WHERE 
   body LIKE '%technologysupport.help%' 
   AND timestamp gt '2025-07-01'

                
Copy

The webpage at httpx://2642476f.na-gov-pk-meeting-pac[.]pages[.]dev/?auth= Y2hhaXJtYW5Ad2FwZGEuZ292LnBr is still accessible at the time of analysis and presents a convincing lure "Meeting Notice" for the 30th meeting of the Public Accounts Committee (PAC) (29-07-2025, 11:00 AM, Committee Room No.2, Parliament House, Islamabad).

This phishing page is designed to mimic the official National Assembly of Pakistan website. The fake login form specifically asks for an email and password, with the red "Authentication Required" text adding urgency.

Clicking the download triggers a modal titled "National Assembly of Pakistan" that contains an authentication form. The form asks for a username (lion, readonly) and a password (tiger) and posts submitted credentials to the attacker-controlled server httpx://technologysupport[.]help/renderer.php.

Hunt.io identified another attack on National Telecom Corporation (NTC) at httpx://ntc-06gd0upz[.]b4a[.]run/login/?jcvjeijnasdncadasdbfdfurhtnbfgbsydbx=1 that mimics a legitimate Zimbra webmail login. The site resolved to IP address 18.160.41.38 and the credentials were exfiltrated to "/req/submit" endpoint on the same hostname.

Pivoting on IP address 18.160.41.38 returned two additional hosts: httpx://posta-nhq43i6x[.]b4a[.]run/login/?jcvjeijnasdncadasdbfdfurhtnbfgbsydbx=1 (another NTC-themed lure) and http://mofagovnp-bm46fjwo[.]b4a[.]run/ (impersonating the Ministry of Foreign Affairs, Nepal).

SELECT
  *
FROM
  crawler
WHERE
  ip = '18.160.41.38' AND hostname LIKE '%b4a.run%' 
  AND hostname !='ntc-06gd0upz.b4a.run'

                
Copy

Pivoting on the hardcoded CSRF token 93e65923-f7a0-4f88-9d6b-a80dcfaa6b9a found in the posta-nhq43i6x[.]b4a[.]run phishing page uncovered another related host: httpx://webservermail-g2689far[.]b4a[.]run/login/?jcvjeijnasdncadasdbfdfurhtnbfgbsydbx=1.

SELECT
  url, title
FROM
  crawler 
WHERE 
  body LIKE '%93e65923-f7a0-4f88-9d6b-a80dcfaa6b9a%' 
  AND timestamp gt '2025-07-01'

                
Copy

Looking beyond individual IPs, a pattern hunt across workers.dev domains exposed another wave of phishing pages built with the same government-themed naming style.

Hunt.io identified a phishing webpage targeting the National Telecommunication Corporation (NTC) hosted on secure-ntc.net (IP: 159.100.6.5), masquerading as an official NTC advisory referencing hit.gov.pk.

Similarly, another phishing webpage is also tracked targeting the Ministry of Defense (MoD), deployed on mail-aviation-gov-pk-pdf.pages.dev, impersonated the Ministry of Defense and redirected victims to a counterfeit Zimbra login portal for credential harvesting.

The screenshot shows multiple login attempts to the Zimbra Web Client hosted on mail.aviation.gov.pk, redirecting users through suspicious URLs, alongside a National Telecom Corporation (NTC) login page impersonation. This setup indicates a potential phishing campaign targeting Pakistani government employees by spoofing official webmail portals to harvest credentials, leveraging fake Zimbra and NTC login interfaces to trick victims into entering their usernames and passwords.

A pattern-based hunt on Cloudflare's workers.dev infrastructure uncovered 16 phishing domains created after January 1, 2025. These domains incorporated keywords such as "pk," "lk," "pak," and "ntc" to impersonate Pakistan and Sri Lanka.

SELECT
  url, title
FROM
  crawler
WHERE
  url RLIKE '-(pk|lk|pak|ntc).+workers\.dev\.$'
  AND timestamp gt '2025-01-01'
ORDER BY
  timestamp DESC

                
Copy

Beyond phishing portals, SideWinder also maintained open directories hosting executables and decoy files, pointing to a clear maritime focus.

Our researchers have found blue-term-c168[.]gov-pkgov[.]workers.dev as being linked to APT SideWinder, and it is also listed in the Maltrail feed. Unlike the earlier phishing-focused activity, this campaign shows a slight variation and appears to be associated with the Marine Sector, targeting Pakistan and Sri Lanka.

Using Hunt.io AttackCapture™ and OSINT, analyst "Demon" discovered two exposed C2 endpoints and open directories at themegaprovider[.]ddns[.]net (47.236.177.123) and gwadarport[.]ddns[.]net (31.14.142.50) that hosts a mixture of executables, DLLs, and lure documents aimed at credential theft and C2 persistence.

In total, we observed over 40 distinct samples across the evidence set: 8 samples mapped to the first cluster, 2 samples to the Colombo-hosted open directory, and an additional open-directory staging instance listing ~33 files and 8 directories tied to the same campaign. Analysis reveals at least six unique C2 domains/IPs, including 89.46.65.19, colombo-port.ddns.net, morning-forest-4fef.ethanhunthero125[.]workers[.]dev, two lure filenames (Training_Program_July_2024.pdf.url, Navy_Operational_Highlights_2025.zip, Incident_Report_Gwadar_Port_Complex.pdf.exe) consistent with maritime and port-themed social engineering.

And while most activity stays in South Asia, we also found spillover: Singapore's Ministry of Manpower impersonated with the same templates.

Singapore Spillover: Ministry of Manpower Impersonation

A targeted hunt on "Ministry of Manpower" themed phishing portals uncovered three malicious webpages momgovsg[.]net, mom.gov-sg[.]online, and momgovsg[.]info, impersonating Singapore's Ministry of Manpower (MOM).

SELECT
  url, title, body
FROM
  crawler
WHERE
  title='Ministry of Manpower'
  AND timestamp gt '2025-01-01'
ORDER BY
  timestamp DESC

                
Copy

The consistent use of "govsg" with minor variations such as hyphenation and alternate TLDs aligns with patterns previously observed in campaigns linked to SideWinder. However, no direct attribution can be confirmed at this stage of analysis.

Taken together, these patterns are clear and repeatable, giving defenders a solid basis to build simple detections and filters.

Mitigation Strategies

• Proactively monitor free hosting platforms (Netlify, pages.dev, workers.dev, b4a.run) for government-themed phishing portals.

• Continuously ingest and correlate IoCs (domains, IPs, file hashes) into SIEM and EDR systems.

• Block suspicious redirects and enforce advanced filtering against fake Zimbra/Outlook login attempts.

• Educate government and defense personnel to identify document-based phishing lures tied to login requests.

• Limit lateral movement post-compromise by enforcing MFA and segmenting critical networks (finance, defense, telecom).

• Regional cooperation among South Asian CERTs/SOCs is essential, given the cross-border nature of SideWinder operations.

Conclusion

The hunt confirms that SideWinder remains one of the most persistent and adaptive APT actors in South Asia, leveraging rapid domain churn, lure documents, and multi-platform malware to sustain long-running espionage campaigns.

The group's ability to recycle legacy infrastructure while constantly deploying fresh phishing portals highlights a blend of sophistication and pragmatism. With 40% of observed activity focused on Pakistan and broader regional targeting across Nepal, Bangladesh, Sri Lanka, and Myanmar, the campaign reflects both strategic intent and operational discipline.

Sidewinder APT Indicators of Compromise (IOCs)

For those who need actionable details, here's the full set of defanged IOCs grouped by domains, servers, IPs, and samples.

Exfiltration Servers

IP Addresses

Malware Samples

Open Directories