SideWinder APT Exploits Fake Chrome PDF Viewer and Zimbra Clone to Steal Government Credentials

By xploitzone
April 21, 2026 6:57 PM

India-linked APT group SideWinder stole the login credentials of the Pakistan Ministry of Foreign Affairs and the Bangladesh Navy in a highly sophisticated phishing campaign that used a fake Chrome PDF viewer and a pixel-perfect Zimbra webmail clone. Hosted on Cloudflare Workers, the campaign has been running since August 2025, and researchers exposed its latest and most advanced chapter on April 20, 2026. Here is the full story of this state-sponsored cyber espionage operation.

Hidden Threat: Silent Data Theft

In cyber warfare, the most dangerous enemy is not the one who makes noise, crashes systems or demands ransom. The most dangerous is the one who silently infiltrates your email account, reads your diplomatic communications, sees your military plans, and then leaves without a trace.

This is what SideWinder does. And on April 20, 2026, researchers uncovered an operation by this group that directly targeted the Pakistan Ministry of Foreign Affairs and the Bangladesh Navy through a fake Chrome PDF viewer and a Zimbra webmail clone so convincing that it was practically impossible to distinguish the real from the fake.

Who Is SideWinder APT? Understanding the Background

SideWinder is an Advanced Persistent Threat (APT) group that cybersecurity researchers have been tracking since 2012, and it is an India-linked state-sponsored threat actor. It is also known as Razor Tiger and RagaSerpent.

Researchers have consistently observed that SideWinder targets exclusively India's neighboring countries (Pakistan, Bangladesh, Sri Lanka, Nepal and Myanmar), while India itself never appears on SideWinder's target list.

This pattern is the biggest attribution clue. It is widely believed in the cybersecurity community that SideWinder is an Indian state-backed threat actor conducting cyber espionage operations in Pakistan and South Asia. The group's focus is diplomatic, military and government targets: not credit card fraud or ransomware, but purely intelligence gathering.

SideWinder's Unique Attack Techniques

SideWinder differs from other APT groups in that it uses advanced TTPs (tactics, techniques, and procedures) such as multi-stage loaders and server-side polymorphic malware, while at the same time exploiting Microsoft Office vulnerabilities that are eight years old, such as CVE-2017-0199 and CVE-2017-11882.

In other words: a very sophisticated infrastructure on the one hand, and very cheap, readily available exploits on the other. This combination is a deliberate strategy: old CVEs are well tested and reliable, they still slip past detection in unpatched environments, and the developers are spared the expense of maintaining zero-days. SideWinder's core malware is StealerBot, which is deployed via spear-phishing documents and maintains persistent access in government environments.

August 2025: The Beginning of Operation SouthNet

This phishing campaign did not happen overnight. In August 2025, Hunt.io telemetry showed that SideWinder was creating new phishing domains every 3 to 5 days. The targeted countries included Bangladesh, Pakistan, Nepal, Sri Lanka and Myanmar.

This phase was named Operation SouthNet, and more than 50 phishing domains were active in it. Pakistan accounted for a 40% share; specifically, SUPARCO (the Space and Upper Atmosphere Research Commission), the Pakistan Airports Authority and the National Telecom Corporation were impersonated.

In Bangladesh, the Directorate General of Defense Purchases (DGDP) was targeted through fake secure file portals that resembled official defense procurement systems. Pakistani diplomats were targeted from April to August 2025 with documents such as "Induction of Weapons in CSD for Officers and JCOs" and "Appointment as Coordinator to the Prime Minister on Right Sizing", created just before the India-Pakistan conflict in May 2025.

These document names were so relevant in the military and government context that a recipient would naturally click.

April 2026: The Latest Advanced Technique

What came out today is much more advanced than what was previously known. Researchers found that SideWinder is hosting a phishing kit on Cloudflare infrastructure that is specifically aimed at the Zimbra webmail portal of the Bangladesh Navy (mail.navy.mil.bd) and at the Pakistan Ministry of Foreign Affairs.

The new element in this operation is a fake Chrome PDF viewer. The victim first sees a blurred PDF, as if a document were loading in the Chrome PDF viewer, which then automatically opens the Zimbra login page. This blurred PDF was not a generic decoy: it was a genuine Pakistani diplomatic document containing the names of nine officials and their hotel reservations for the Inter-Parliamentary Union (IPU) assembly in Istanbul. The document's metadata pointed to the Turkey time zone and contained internal reference numbers and financial details consistent with official government correspondence.

This means the attackers first compromised the email account of a Pakistani official, extracted the document, and then used it as a lure to target others. Stealing from one victim to capture the next is SideWinder's signature technique.

Zimbra Clone Anatomy: An Exact Replica

The Zimbra clone was so convincing that it was almost impossible to distinguish the original from the fake. The phishing kit uses a reverse proxy that fetches the real CSS, favicons and visual assets live, directly from the targeted organization's actual mail server.

In other words, to show the skin of the Bangladesh Navy Zimbra portal, the kit pulls the assets straight from mail.navy.mil.bd and renders an identical copy. When the victim reached the login page, an injected "session expired" error message forced them to authenticate again.

Rotating CSRF tokens and server-side session cookies were managed in the backend. When the victim submitted a username and password, the server silently captured the credentials and then reloaded the page with the username pre-filled, so that the victim believed they were simply retrying.

This double-capture technique ensures that if the victim made a typo the first time, the correct credentials are obtained on the second attempt.

Cloudflare Workers Abuse: Malicious Use of a Legitimate Platform

The phishing kit was hosted on the workers.dev domain, Cloudflare's legitimate developer platform. The kit internally calls itself Z2FA_LTS, a "Long-Term Support" and two-factor-aware Zimbra phishing framework. Using URL indexing and passive DNS, researchers traced at least 7 distinct Cloudflare Workers domains over a three-month window that were associated with the same toolkit and operator. Two Workers accounts, girlfriendparty42 and malik-jaani786, were specifically identified; both used the same Express.js backend, blurred PDF viewer and long random query parameters.

Abusing Cloudflare Workers is an effective strategy because workers.dev is a globally trusted domain that no spam filter or firewall blocks by default. Any security tool will treat it as ordinary Cloudflare developer traffic.

Why Pakistan and Bangladesh Were Targeted

These targets were not chosen randomly. Obtaining the Bangladesh Navy Zimbra webmail credentials meant direct access to naval operations, ship movements, and defense communications in the Bay of Bengal. Compromising a Pakistan Ministry of Foreign Affairs email account meant access to Pakistan's diplomatic communications, foreign policy discussions and sensitive negotiations in real time.

SideWinder's targeting pattern is directly aligned with South Asian regional dynamics. The focus on government and defense entities in Bangladesh, Pakistan and Sri Lanka suggests that the threat actor is pursuing intelligence or strategic information related to regional affairs.

And all this is happening at a time when India-Pakistan tensions are historically high, with the Kashmir conflict, ceasefire negotiations and a regional military buildup all going on simultaneously.

Protection Against Such Threats

Organizations that use Zimbra or Outlook webmail should take these steps immediately. Implement phishing-resistant multi-factor authentication: specifically, use FIDO2 or hardware security keys, which protect against real-time session capture attacks because they are domain-bound. One-time codes and push approvals do not give that protection, since a kit that describes itself as two-factor aware is built to relay them.

Treat any Zimbra or Outlook login page on a generic cloud or developer domain such as workers.dev, netlify.app or pages.dev as suspicious. Implement DNS monitoring to flag domains that look like government webmail portals. Train staff to reach the official portal by typing its URL manually whenever clicking a document link leads to a login page, even one that appears genuine. And monitor outbound traffic for form POST requests that go to unknown external servers.
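One way to act on the monitoring advice above (developer-hosting domains, lookalike webmail hostnames, and form POSTs to hosts outside the webmail allowlist), as an added example that is not part of the original article or the researchers' tooling: a small Python scanner over constructed proxy log lines. The log format, the lookalike tokens, and the allowlist beyond mail.navy.mil.bd are assumptions you would tune to your own environment.

```python
import re
from urllib.parse import urlparse

# Generic developer/cloud hosting suffixes the article flags as suspicious for webmail logins.
DEV_HOSTING_SUFFIXES = (".workers.dev", ".pages.dev", ".netlify.app")
# Allowlisted official webmail hosts (mail.navy.mil.bd is from the article; add your own).
OFFICIAL_WEBMAIL_HOSTS = {"mail.navy.mil.bd"}
# Tokens that, on a non-allowlisted host, suggest a webmail portal lookalike (assumed list; "mail" is
# deliberately broad and will need tuning against your own traffic).
WEBMAIL_TOKENS = ("zimbra", "webmail", "mail", "owa", "navy", "mofa")

# Assumed proxy log shape: "<METHOD> <URL> <STATUS> <REQUEST-CONTENT-TYPE>".
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")

# Constructed sample log lines (not real traffic); hostnames are placeholders.
SAMPLE_LOG = """\
POST https://mail.navy.mil.bd/zimbra/ 302 application/x-www-form-urlencoded
GET https://navy-mail-portal.workers.dev/pdf/view?doc=abc123 200 text/html
POST https://navy-mail-portal.workers.dev/login 200 application/x-www-form-urlencoded
POST https://www.example.org/search 200 application/x-www-form-urlencoded
GET https://www.example.org/ 200 text/html
"""

def classify(line):
    """Return (severity, reason) for one log line, or None if nothing is worth flagging."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = (urlparse(m["url"]).hostname or "").lower()
    if host in OFFICIAL_WEBMAIL_HOSTS:
        return None  # the genuine portal: credential POSTs here are expected
    on_dev_hosting = host.endswith(DEV_HOSTING_SUFFIXES)
    lookalike = any(token in host for token in WEBMAIL_TOKENS)
    is_form_post = m["method"] == "POST" and m["ctype"].startswith("application/x-www-form-urlencoded")
    if is_form_post and (on_dev_hosting or lookalike):
        return ("high", "credential-style form POST to a non-official webmail lookalike")
    if on_dev_hosting and lookalike:
        return ("medium", "webmail-looking page served from developer hosting")
    if is_form_post:
        return ("low", "form POST to a host outside the webmail allowlist")
    return None

def scan(log_text):
    """Run classify() over every line; returns [(severity, reason, url), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            findings.append((verdict[0], verdict[1], line.split()[1]))
    return findings
```

The "medium" hit on a blurred-PDF-style page served from workers.dev is the early signal; the "high" hit on the follow-up form POST is the one to alert on and reset credentials for.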

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
