A sophisticated phishing campaign orchestrated by the advanced persistent threat (APT) group SideWinder is actively targeting South Asian government entities, employing deceptive tactics to pilfer sensitive webmail credentials. The group is leveraging a convincing fake Chrome PDF viewer and a meticulously crafted replica of the Zimbra email login portal, according to recent cybersecurity analyses.
The ongoing operation, which has been operational since at least February 2026, has demonstrably affected high-profile organizations. Among those identified as targets are the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs. The campaign also encompasses numerous other defense and government bodies situated across the South Asian region, highlighting the broad threat posed by SideWinder’s latest infiltration methods.
SideWinder’s Deceptive Tactics for Stealing Government Credentials
The attack sequence commences with a targeted spearphishing email containing a malicious link. Upon clicking this link, unsuspecting recipients are presented with what appears to be Google Chrome’s integrated PDF viewer. This convincing facade is powered by PDF.js version 2.16.105, integrated into their phishing kit, internally designated Z2FA_LTS.
The fake viewer meticulously mimics legitimate functionality, including toolbars for zooming, printing, page navigation, and downloading. Intriguingly, the document displayed within the viewer is a legitimate, albeit blurred, Pakistani government diplomatic cable. This cable, reportedly concerning the 152nd IPU Assembly in Istanbul, is rendered unreadable to prevent users from discerning its content, thus facilitating the deception.
After an approximately five-second delay, the seemingly innocuous PDF viewer page automatically redirects the victim to the subsequent stage of the attack, intended to harvest their login information.
Security researchers from Breakglass Intelligence first identified this specific phishing kit. Their investigation was prompted by an alert from researcher @volrant136, who flagged a Cloudflare Workers URL featuring a Zimbra credential harvester specifically pointed at the Bangladesh Navy’s webmail portal, mail.navy.mil.bd.
Further analysis using URLScan by these researchers mapped a total of seven distinct phishing Workers. These were deployed across two separate Cloudflare accounts over a three-month period. The identified targets, beyond the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs, included general iCloud users, the telecommunications provider Nayatel, and the Bangladesh Computer Council, demonstrating the group’s diverse targeting strategy.
Multiple independent cybersecurity researchers, including @Huntio, @500mk500, @MichalKoczwara, and @malwrhunterteam, have corroborated the attribution of these activities to the SideWinder APT group, reinforcing the credibility of the findings.
Operational Security Flaw Exposes Attacker Details
A significant operational security lapse by the kit’s developer provided researchers with an unexpected advantage. When analysts sent the server a POST request without the expected query parameter, it triggered a 500 error. This error message contained a full Express.js stack trace, inadvertently revealing sensitive information.
The exposed file path, indicated as “/home/moincox/Z2FA_LTS/app.js,” unveiled the developer’s Linux username, “moincox,” and the project’s internal name, Z2FA_LTS. The acronym is understood to stand for “Zimbra 2FA Long-Term Support,” suggesting the developer actively maintains and updates these phishing tools over time. The handle “moincox” has not yielded any significant public profiles on platforms like GitHub or npm, indicating a likely effort to maintain anonymity.
The Z2FA_LTS Infection Mechanism Unveiled
The Z2FA_LTS phishing kit operates as a server-rendered Express.js application deployed on Cloudflare Workers, meticulously designed to maintain a consistent and convincing user experience throughout the attack chain. Following the initial display of the blurred PDF, victims are seamlessly redirected to a fake Zimbra loading splash screen.
Crucially, this splash screen dynamically pulls legitimate CSS stylesheets directly from the actual Bangladesh Navy mail server. This technique ensures the phishing page is visually indistinguishable from the genuine portal, significantly increasing the likelihood of success. Subsequently, users are directed to a flawless clone of the Zimbra Harmony skin login page.
To maintain this illusion, all static elements, including favicons and stylesheets, are reverse-proxied from the legitimate server through the phishing Worker’s designated “/proxy/” path. This sophisticated redirection ensures that the victim is interacting with a page that appears genuine on all levels.
Credential Harvesting and Double-Submission Tactics
The credential harvester component of the Z2FA_LTS kit injects two specific script behaviors into the login page. The first tactic is to persistently display an error message stating: “Your session has expired. Please login again to continue.” This seemingly benign error prompts the victim to re-enter their credentials, increasing the chances of capturing them.
The second tactic involves a post-submission action by the server. After the victim enters and submits their credentials, the server re-renders the login page with their username pre-filled. This reinforces the user’s belief that their initial login attempt failed due to a technical glitch, encouraging them to carefully re-enter their password. This double-submission strategy is highly effective in maximizing the number of credentials successfully exfiltrated per victim.
Furthermore, each page load generates a unique, rotating CSRF token utilizing express-session. This indicates that the phishing kit operates with robust server-side session management, contributing to its advanced nature and evasion capabilities.
Immediate action is recommended for affected organizations and security teams. The Bangladesh Navy is urged to rotate all user credentials for mail.navy.mil.bd without delay. Additionally, BGD e-GOV CIRT should be formally notified of this active credential harvesting operation at [email protected]. Pakistan’s National Telecommunication Security Board (NTSB) should also be alerted regarding the use of leaked diplomatic communications as lures in this campaign.
The specific phishing Worker identified at twilight-violet-55a5.malik-jaani786.workers.dev needs to be reported to Cloudflare Trust and Safety. Organizations are advised to block all subdomains associated with malik-jaani786.workers.dev and to closely monitor URLScan for any new Worker subdomains originating from this same account.
Security teams should remain vigilant for new Cloudflare Workers accounts that adopt a similar pattern of deploying an Express.js framework in conjunction with a Zimbra clone. This is particularly important as the threat actor has already demonstrated an ability to rotate their infrastructure, having previously used the account girlfriendparty42.workers.dev before migrating to malik-jaani786.workers.dev, indicating a proactive approach to evading detection.
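The blocking and monitoring advice above, together with the kit’s “/proxy/” asset pattern and its loading of the real portal’s stylesheets, can be turned into a small log-scanning rule set. The following Python is an added example written for this page; it is not code from the report, from Breakglass Intelligence, or from the kit. It assumes a constructed web-gateway log format, assumes that the splash screen’s stylesheet loads happen in the victim’s browser (so the real portal sees a workers.dev Referer), and uses a constructed account name (newaccount999) to stand in for a not-yet-known Worker account; the two named accounts and the portal hostname are the ones in the report.

```python
"""Flag Z2FA_LTS-style phishing Workers in web-gateway logs (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Worker accounts named in the report; the actor has already rotated from the
# first to the second, so both stay on the block list.
KNOWN_ACCOUNTS = ("girlfriendparty42.workers.dev", "malik-jaani786.workers.dev")

# Webmail portals whose assets the kit proxies or loads to look genuine.
PROTECTED_PORTALS = ("mail.navy.mil.bd",)

# Constructed gateway log format (an assumption, not any product's real format):
#   <timestamp> <client_ip> <method> <url> <status> referer=<url or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) referer=(?P<ref>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    rule: str
    detail: str


def host_under(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it (no substring tricks)."""
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)


def classify(line_no: int, rec: dict) -> list:
    """Apply the three indicators from the report to one parsed log record."""
    url = urlparse(rec["url"])
    host = (url.hostname or "").lower()
    ref_host = ""
    if rec["ref"] != "-":
        ref_host = (urlparse(rec["ref"]).hostname or "").lower()
    out = []
    # 1. Any subdomain of an account already attributed to the campaign: block.
    for acct in KNOWN_ACCOUNTS:
        if host_under(host, acct):
            out.append(Finding(line_no, rec["ip"], "known_account",
                               f"{host} is under blocked account {acct}"))
            break
    # 2. Any workers.dev host serving assets under /proxy/: the kit's
    #    reverse-proxy path, worth a look even on a brand-new account.
    if host_under(host, "workers.dev") and url.path.startswith("/proxy/"):
        out.append(Finding(line_no, rec["ip"], "proxy_path",
                           f"Worker {host} serving proxied asset {url.path}"))
    # 3. The real portal's assets requested from a workers.dev page
    #    (assumes the splash-screen CSS is loaded browser-side).
    if any(host_under(host, p) for p in PROTECTED_PORTALS) and host_under(ref_host, "workers.dev"):
        out.append(Finding(line_no, rec["ip"], "portal_referer",
                           f"{host} asset loaded from Worker page {ref_host}"))
    return out


def scan(lines) -> list:
    """Parse each line and collect findings; malformed lines are skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if m:
            findings.extend(classify(n, m.groupdict()))
    return findings


def suspect_clients(findings) -> list:
    """Client IPs that touched a phishing Worker: candidates for a credential reset."""
    return sorted({f.client_ip for f in findings})


# Constructed sample log: two clients hit the kit, two lines are benign.
SAMPLE_LOG = [
    "2026-03-02T09:14:03Z 10.0.0.12 GET https://twilight-violet-55a5.malik-jaani786.workers.dev/ 200 referer=-",
    "2026-03-02T09:14:09Z 10.0.0.12 GET https://twilight-violet-55a5.malik-jaani786.workers.dev/proxy/favicon.ico 200 referer=https://twilight-violet-55a5.malik-jaani786.workers.dev/",
    "2026-03-02T09:15:30Z 10.0.0.34 GET https://lively-sky-1a2b.newaccount999.workers.dev/proxy/css/login.css 200 referer=https://lively-sky-1a2b.newaccount999.workers.dev/",
    "2026-03-02T09:16:02Z 10.0.0.34 GET https://mail.navy.mil.bd/css/splash.css 200 referer=https://lively-sky-1a2b.newaccount999.workers.dev/",
    "2026-03-02T09:17:11Z 10.0.0.50 GET https://docs.example.com/report.pdf 200 referer=-",
    "2026-03-02T09:18:45Z 10.0.0.51 GET https://mail.navy.mil.bd/ 200 referer=-",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no} [{f.rule}] {f.client_ip}: {f.detail}")
    print("clients to follow up:", suspect_clients(results))
```

Rule 1 is the exact block list from the advice above; rules 2 and 3 are the ones that keep working after the actor rotates to a fresh account, because they key on the kit’s behaviour rather than on a hostname. The `portal_referer` rule is also the one check the portal operator can run on its own access logs without any gateway data.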