APT SideWinder Launches Sophisticated Phishing Campaign Against South Asian Governments
APT SideWinder, a state-backed cyber threat actor, has been running a sophisticated credential-phishing campaign since August 2025. The operation targets government and military personnel in South Asia, using phishing infrastructure designed to evade detection and to obtain credentials that open the way into restricted networks.
The campaign uses maritime- and defense-themed lure documents to trick targets into entering their credentials. One such lure is a PDF titled 'सम्माननीय प्रधानमन्त्रीज्यूको चीन भ्रमण सम्बन्धमा.pdf' (Nepali: "Regarding the Honorable Prime Minister's visit to China"); opening the lure leads the victim to a cloned login page that mimics the Outlook or Zimbra webmail interface.
Stolen credentials feed the group's broader espionage workflow: they are used to access restricted networks and mailboxes or to stage follow-on malware. The phishing pages themselves carry the victim's email address Base64-encoded in the URL, use session tracking, and obfuscate their code to hinder analysis. The pages are served from free hosting platforms such as Netlify and Cloudflare's pages.dev and workers.dev. Because those parent domains also host large amounts of legitimate content, defenders cannot simply block them, and SideWinder redeploys to a fresh subdomain as soon as a URL is taken down, defeating simple domain-based blocking.
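Two of the indicators described above, a victim address carried Base64-encoded in the phishing URL and pages hosted on free platforms that churn faster than a hostname blocklist can follow, can be turned into a log triage rule. The following is an added example written for this page, not code from the original report or from any vendor tool. The hosting-platform suffixes are the platforms named above; the lure words, the scoring thresholds, and the sample URLs (with the address user@example.org) are constructed assumptions for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Parent domains of the free hosting platforms named in the report. Matching
# the platform suffix instead of individual hostnames is what survives the
# operator's rapid subdomain churn.
ABUSED_HOSTING_SUFFIXES = (".netlify.app", ".pages.dev", ".workers.dev")

# Assumed lure vocabulary, modelled on the "Secured File" / DGDP / webmail
# theming described in the report.
LURE_WORDS = ("secure", "secured", "file", "login", "outlook", "zimbra", "dgdp")

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def decode_b64_email(token: str):
    """Return the address if `token` is a Base64 encoding of an email
    (standard or URL-safe alphabet, padded or unpadded, possibly
    percent-encoded), otherwise None."""
    token = unquote(token).strip()
    if len(token) < 8:            # shorter than Base64 of "a@b.cd"
        return None
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            candidate = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(candidate):
            return candidate.lower()
    return None


def analyze_url(url: str) -> dict:
    """Score one URL taken from a proxy, DNS, or mail-click log."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    on_abused_host = host.endswith(ABUSED_HOSTING_SUFFIXES)

    # The victim's address may ride in a query value, the fragment, or a path segment.
    tokens = [value for _, value in parse_qsl(parsed.query)]
    if parsed.fragment:
        tokens.append(parsed.fragment)
    tokens.extend(seg for seg in parsed.path.split("/") if seg)
    email = next((e for e in map(decode_b64_email, tokens) if e), None)

    lure_hits = [w for w in LURE_WORDS if w in (host + parsed.path.lower())]

    if on_abused_host and email:
        verdict = "block"         # pre-filled credential page on throwaway hosting
    elif on_abused_host or email or lure_hits:
        verdict = "review"
    else:
        verdict = "allow"
    return {"url": url, "host": host, "abused_hosting": on_abused_host,
            "email": email, "lure_hits": lure_hits, "verdict": verdict}


# Constructed sample log entries, not real telemetry. The Base64 value in the
# first and last URL decodes to "user@example.org".
SAMPLE_URLS = [
    "https://dgdp-secured-file.pages.dev/portal/?u=dXNlckBleGFtcGxlLm9yZw%3D%3D&s=7f3a",
    "https://mail.example.org/owa/auth/logon.aspx?replaceCurrent=1",
    "https://docs-update.workers.dev/view",
    "https://example.org/reset#dXNlckBleGFtcGxlLm9yZw",
]


def triage(urls):
    """Return only the results that need action, most severe first."""
    order = {"block": 0, "review": 1, "allow": 2}
    results = [analyze_url(u) for u in urls]
    return sorted((r for r in results if r["verdict"] != "allow"),
                  key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    for r in triage(SAMPLE_URLS):
        print(f'{r["verdict"]:6} {r["host"]:32} email={r["email"]} lures={r["lure_hits"]}')
```

The rule deliberately keys on the hosting platform suffix plus the decoded address rather than on any one hostname, so it keeps firing after the operator moves to the next subdomain; a bare hit on a free-hosting suffix is only routed to review, since those platforms carry plenty of legitimate traffic.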
Many of the phishing pages spoof the Directorate General of Defense Purchases (DGDP) in Bangladesh, presenting a 'Secured File' portal as the pretext for the login prompt. Domain churn has been rapid, with new phishing sites appearing every three to five days. Between August and October 2025 the campaign hit several South Asian countries, although the specific institutions targeted have not been publicly identified.
APT SideWinder's campaign illustrates how state-sponsored actors combine trusted hosting platforms, rapid domain churn, and obfuscated phishing kits to make detection and blocking difficult. As the campaign continues, institutions in the region should treat webmail logins reached from free-hosting subdomains as suspect, enforce phishing-resistant multi-factor authentication on Outlook and Zimbra access, and monitor mail and proxy logs for the indicators above rather than relying on blocklists of individual domains.