The SideWinder threat group has initiated a sophisticated phishing campaign aimed at government organizations in South Asia. This campaign, active since February 2026, specifically targets entities such as the Bangladesh Navy and Pakistan's Ministry of Foreign Affairs. The attackers employ a fake Chrome PDF viewer and a cloned Zimbra email login portal to deceive victims and steal their credentials.
The phishing attack begins with a spearphishing link sent to targeted individuals. Upon clicking the link, victims are directed to a page mimicking Google Chrome's PDF viewer, using a phishing kit named Z2FA_LTS. This kit employs PDF.js to render a blurred version of a stolen Pakistani government document, which serves as a lure. After a brief delay, victims are redirected to a fake Zimbra login page that closely resembles the legitimate Bangladesh Navy mail server, enhancing the deception.
Technical analysis reveals that the phishing kit is a server-rendered Express.js application deployed on Cloudflare Workers. The fake Zimbra login page uses real CSS stylesheets from the legitimate server, making it visually indistinguishable. The credential harvester employs tactics such as displaying persistent error messages and requiring double credential submissions to maximize data collection. Each interaction generates a unique CSRF token, indicating robust server-side session management.
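As an added detection illustration (not code from the source report or from the campaign analysis): a Python heuristic that scans constructed web proxy log lines for the chain described above, a page loading PDF.js followed within a short window by repeated credential POSTs to a different host that is not an allow-listed mail server. The log format, the hostnames and the allow-list are assumptions; the PDF.js filenames are the library's standard build names.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename

# Constructed proxy log "<time> <client> <method> <host> <path> <status>";
# hostnames are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2026-03-02T09:14:01Z 10.0.0.5 GET lure.worker-host.test /view/doc.pdf 200
2026-03-02T09:14:02Z 10.0.0.5 GET lure.worker-host.test /build/pdf.js 200
2026-03-02T09:14:09Z 10.0.0.5 GET lure.worker-host.test /view/doc.pdf 302
2026-03-02T09:14:10Z 10.0.0.5 GET mail.navy-lookalike.test /zimbra/ 200
2026-03-02T09:14:30Z 10.0.0.5 POST mail.navy-lookalike.test /zimbra/ 200
2026-03-02T09:14:45Z 10.0.0.5 POST mail.navy-lookalike.test /zimbra/ 200
2026-03-02T10:00:00Z 10.0.0.7 GET mail.legit.test /zimbra/ 200
2026-03-02T10:00:10Z 10.0.0.7 POST mail.legit.test /zimbra/ 302
"""
LEGIT_MAIL_HOSTS = {"mail.legit.test"}  # allow-list of real mail servers (constructed)
PDFJS_FILES = {"pdf.js", "pdf.worker.js", "pdf.min.js", "pdf.worker.min.js", "pdf.mjs"}
WINDOW = timedelta(minutes=5)  # lure -> credential POST; the report describes a brief delay

def parse(log):
    """Yield (time, client, method, host, path, status) per log line."""
    for line in log.splitlines():
        if line.strip():
            ts, client, method, host, path, status = line.split()
            yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                   client, method, host, path, int(status))

def find_chains(log, legit_hosts=LEGIT_MAIL_HOSTS, window=WINDOW):
    """One alert per (client, login host) showing the PDF.js lure -> off-host
    repeated credential POST chain against a host not on the allow-list."""
    by_client = defaultdict(list)
    for ev in parse(log):
        by_client[ev[1]].append(ev)
    alerts = {}  # keyed so that pdf.js + pdf.worker.js loads yield one alert
    for client, events in by_client.items():
        events.sort()
        for lure in (e for e in events if basename(e[4]) in PDFJS_FILES):
            posts = defaultdict(list)  # login host -> statuses of its POSTs
            for t, _, method, host, _, status in events:
                if lure[0] < t <= lure[0] + window and host != lure[3] and method == "POST":
                    posts[host].append(status)
            for host, statuses in posts.items():
                if host in legit_hosts or len(statuses) < 2:  # double submission
                    continue
                alerts[(client, host)] = {
                    "client": client, "lure_host": lure[3], "login_host": host,
                    "credential_posts": len(statuses),
                    # the kit re-renders the form with an error instead of redirecting
                    "never_redirected": all(s == 200 for s in statuses)}
    return list(alerts.values())
```

The allow-list is what keeps a user's genuine double login to the real mail server from alerting; tune the window to the observed redirect delay.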
The impact of this campaign is significant, as it targets sensitive government organizations and exploits stolen diplomatic communications. The use of real document lures and convincing login page clones increases the likelihood of successful credential theft. The campaign’s operational security lapse, revealing the developer’s username and project details, provides additional insights into the threat actor’s methods.
Affected organizations should take immediate action by rotating all credentials for compromised accounts and notifying cybersecurity teams. The Bangladesh Navy and Pakistan’s NTISB should be alerted to the ongoing threats, and the phishing Worker should be reported to Cloudflare Trust and Safety. Monitoring for new phishing subdomains and patterns similar to the current campaign is essential to mitigate further risks.
Source: https://intel.breakglass.tech/post/sidewinder-z2fa-lts-moincox-bangladesh-navy-pakistan-mofa-opsec-burn