A sophisticated cyber threat group known as SideWinder has initiated a targeted phishing operation against government entities in South Asia. This campaign employs a deceptive Chrome PDF viewer and an exact replica of the Zimbra email login interface to illegally obtain employee login details.
Phishing Campaign Details
Active since February 2026, this campaign has targeted significant institutions including the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs, among others. The attack begins when a victim clicks a spear-phishing link that leads to a page mimicking Google Chrome’s native PDF viewer.
The phishing kit, named Z2FA_LTS, uses PDF.js version 2.16.105 to build a realistic fake viewer, complete with the standard toolbar controls. The document shown is a genuine but unreadable diplomatic cable from Pakistan concerning the 152nd IPU Assembly in Istanbul. After a short delay the page redirects automatically, advancing the attack sequence.
Mechanisms of the Attack
Research by Breakglass Intelligence uncovered the phishing toolkit after a Cloudflare Workers URL hosting a Zimbra credential-stealing script was identified. The script specifically targeted the Bangladesh Navy’s mail portal, mail.navy.mil.bd. Subsequent analysis revealed seven distinct phishing kits across two Cloudflare accounts, each targeting a different organization.
Several researchers, including @Huntio and @malwrhunterteam, corroborated the attribution to SideWinder. An operational security error by the developers exposed a full local file system path, revealing the username “moincox” and the internal project name “Z2FA_LTS,” which suggests that multiple versions of this phishing kit exist.
Preventive Measures and Recommendations
The Z2FA_LTS phishing kit is crafted to deceive users at every step. After the blurred PDF, victims are shown a fake Zimbra loading screen that closely resembles the genuine Bangladesh Navy mail server, followed by a login page that prompts them to re-enter their credentials, which the kit harvests.
Security teams are advised to act immediately. The Bangladesh Navy should reset all mail.navy.mil.bd passwords and notify BGD e-GOV CIRT at [email protected]. Pakistan’s NTISB should be informed of the leaked diplomatic cable. Cloudflare should be alerted to the malicious Workers subdomains, and other organizations are encouraged to monitor for the same pattern of attack.
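To make the monitoring advice concrete, the following added triage script (not from the report or from any of the researchers named above) checks a fetched page for the signals the article describes: hosting on a Cloudflare Workers subdomain, a PDF.js 2.16.105 viewer, a timed redirect, and a Zimbra login lookalike. The sample pages, hostnames and heuristics are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the campaign write-up; everything else here is an assumption.
PDFJS_VERSION = "2.16.105"
WORKERS_SUFFIX = ".workers.dev"
# A setTimeout() that touches window.location, or a <meta http-equiv="refresh">,
# covers the "redirects after a short delay" behaviour of the fake viewer.
REDIRECT_RE = re.compile(
    r"setTimeout.{0,200}?location|<meta[^>]+http-equiv=[\"']refresh[\"']", re.I | re.S)

def triage_page(url: str, html: str) -> list[str]:
    """Return the campaign indicators present in one fetched page, in a fixed order."""
    hits = []
    host = (urlparse(url).hostname or "").lower()
    body = html.lower()
    if host.endswith(WORKERS_SUFFIX):
        hits.append("hosted-on-workers-dev")
    if PDFJS_VERSION in html and ("pdf.js" in body or "pdfjs" in body):
        hits.append("pdfjs-2.16.105-viewer")
    if REDIRECT_RE.search(html):
        hits.append("timed-redirect")
    # Zimbra's stock login form is named zimbraLoginForm and posts to /zimbra/.
    if ("zimbraloginform" in body or "/zimbra/" in body) and 'type="password"' in body:
        hits.append("zimbra-login-lookalike")
    return hits

def verdict(hits: list[str]) -> str:
    """A lure signal alone is normal (the real Zimbra server has one); flag it only
    when it is paired with an infrastructure or redirect signal."""
    infra = {"hosted-on-workers-dev", "timed-redirect"}
    lure = {"pdfjs-2.16.105-viewer", "zimbra-login-lookalike"}
    return "suspect" if (set(hits) & infra and set(hits) & lure) else "benign"

# Constructed sample pages modelled on the two stages described in the article.
SAMPLE_VIEWER = """<html><head><title>Document.pdf</title>
<script src="pdf.js"></script><!-- PDF.js 2.16.105 -->
<script>setTimeout(function(){ window.location = "/mail/"; }, 4000);</script>
</head><body><div id="toolbarViewer"></div></body></html>"""
SAMPLE_LOGIN = """<html><body><form name="zimbraLoginForm" action="/zimbra/" method="post">
<input name="username"><input name="password" type="password"></form></body></html>"""

if __name__ == "__main__":
    for url, page in (("https://example-kit.workers.dev/view.html", SAMPLE_VIEWER),
                      ("https://example-kit.workers.dev/zimbra/", SAMPLE_LOGIN),
                      ("https://mail.example.org/zimbra/", SAMPLE_LOGIN)):
        found = triage_page(url, page)
        print(url, found, verdict(found))
```

The third sample shows that a genuine Zimbra login page on its own hostname is not flagged; only the Workers-hosted copies and the redirecting viewer are.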
Continuous vigilance and proactive measures are crucial in combating such sophisticated cyber threats.
