APT Sidewinder Spoofs Government and Military Institutions to Steal Login Credentials

Posted on August 11, 2025 By CWS

APT Sidewinder, a persistent threat actor believed to originate from South Asia, has launched a sophisticated credential-harvesting campaign targeting government and military entities across Bangladesh, Nepal, Turkey, and neighboring countries.

The group has shown remarkable adaptability in its phishing techniques, building convincing replicas of official login portals to steal sensitive authentication credentials from high-value targets.

The campaign relies primarily on spear-phishing attacks delivered through weaponized documents and malicious links that mimic legitimate government communications.

Phishing attack shared by Demon showing the login page for ‘Government of Nepal’ (Source – Hunt.io)

By impersonating trusted institutions, the threat actors successfully trick victims into entering their credentials on fraudulent login pages built to capture authentication data and exfiltrate it to attacker-controlled servers.

Hunt.io analysts identified the operation while investigating a phishing attack targeting Nepal’s Ministry of Defence, which led to the discovery of a broader infrastructure spanning multiple countries and government agencies.

The investigation revealed over a dozen phishing domains, each carefully crafted to mimic a different agency, including DGDP, DGFI, Bangladesh Police, and Turkish defense contractors such as ASELSAN and ROKETSAN.

The attackers show disciplined operational security, using free hosting services such as Netlify and Pages.dev to deploy phishing infrastructure quickly while keeping redundancy across multiple collection endpoints.

APT Sidewinder attribution for ‘netlify[.]app’ from an X post showing reuse of similar infrastructure (Source – Hunt.io)

This approach lets them stand up new attack infrastructure quickly whenever existing domains are detected and blocked.

Infrastructure Analysis and Credential Collection Methods

Technical analysis reveals APT Sidewinder’s systematic approach to credential harvesting through centralized collection infrastructure.

The group uses two primary credential exfiltration domains, mailbox3-inbox1-bd.com and mailbox-inbox-bd.com, both resolving to the IP address 146.70.118.226, hosted by M247 Europe SRL in Frankfurt, Germany.

The phishing pages use POST requests to transmit stolen credentials silently. For example, a fake Zimbra login page hosted at mail-mod-gov-np-account-file-data.netlify.app contains JavaScript that submits the user’s credentials through hidden form submissions.

The HTML source keeps an authentic-looking title such as “Zimbra Web Client Sign In” to reinforce credibility while the backend performs the malicious collection.

The campaign shows infrastructure reuse across different targeting scenarios, with the same backend scripts, /2135.php and /idef.php, deployed across multiple phishing kits.

This template-based approach indicates automated deployment capabilities, letting the threat actors scale their operations rapidly while maintaining continuity even when individual URLs are reported or blocked.
