SideWinder Uses Fake Chrome PDF Viewer and Zimbra Clone to Steal Government Webmail Credentials

Originally published by Cybersecurity News (cybersecuritynews.com), written by Blog Writer.

A well-known advanced persistent threat group called SideWinder has launched a highly targeted phishing campaign against South Asian government organizations, using a fake Chrome PDF viewer and a pixel-perfect clone of the Zimbra email login portal to steal employee credentials.

The campaign, active since at least February 2026, has been targeting sensitive institutions including Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, and several other defense and government bodies across the region.

The attack begins with a spearphishing link sent to targeted individuals. When a victim opens the link, they land on a page that looks exactly like Google Chrome’s built-in PDF viewer.

The phishing kit, internally named Z2FA_LTS, renders this fake viewer with Mozilla's open-source PDF.js library, version 2.16.105, complete with toolbar controls for zoom, print, page navigation, and download.

The displayed document is a real, stolen Pakistani government diplomatic cable related to the 152nd IPU Assembly in Istanbul, but it is intentionally blurred so the victim cannot read it. After five seconds, the page automatically redirects the victim to the next stage of the attack.

Breakglass Intelligence analysts identified the phishing kit after researcher @volrant136 flagged a Cloudflare Workers URL hosting a Zimbra credential harvester pointing at Bangladesh Navy’s webmail portal, mail.navy.mil.bd.

Through URLScan analysis, researchers mapped seven distinct phishing Workers deployed across two Cloudflare accounts over a three-month period, targeting Bangladesh Navy, Pakistan's Ministry of Foreign Affairs, iCloud users, Nayatel, and the Bangladesh Computer Council.

Multiple independent researchers including @Huntio, @500mk500, @MichalKoczwara, and @malwrhunterteam confirmed the attribution to SideWinder.

One critical detail revealed during the investigation was a significant operational security failure by the kit developer. When analysts sent a POST request without the expected query parameter, the server answered with an HTTP 500 whose body contained a full Express.js stack trace, which is what Express's default error handler returns when the application is not run with NODE_ENV set to production.

The leaked path “/home/moincox/Z2FA_LTS/app.js” revealed the developer’s Linux username “moincox” and the internal project name Z2FA_LTS, which stands for “Zimbra 2FA Long-Term Support.”

The “LTS” label suggests that the developer maintains multiple version branches of this phishing kit. The developer handle moincox returned no results on GitHub, npm, or major code hosting platforms.
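As an added example (not code from the article, from Breakglass Intelligence, or from the kit), the script below shows how an analyst would mine such a leaked Express error page for indicators: it undoes the escaping Express applies to err.stack, parses the frames, separates first-party paths from node_modules, and derives the username, project directory and dependency names. The response body is a constructed sample built around the one path the article reports; the error message, line numbers and the other frames are made up for the example.

```javascript
// Added example, not code from the article or from the Z2FA_LTS kit: mine an
// Express.js default error page for the paths and names it leaks. Express's
// built-in handler returns err.stack inside a <pre> element (HTML-escaped,
// newlines as <br>, indentation as &nbsp;) whenever NODE_ENV is not
// "production", which is the behaviour the article's analysts triggered.

// Constructed sample response. The path /home/moincox/Z2FA_LTS/app.js is the
// one the article reports; the error message, line numbers and other frames
// are made up for the example.
const SAMPLE_500_BODY = `<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Error</title></head>
<body>
<pre>TypeError: Cannot read properties of undefined (reading &#39;split&#39;)<br> &nbsp; &nbsp;at /home/moincox/Z2FA_LTS/app.js:42:17<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/home/moincox/Z2FA_LTS/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at next (/home/moincox/Z2FA_LTS/node_modules/express/lib/router/route.js:149:13)</pre>
</body>
</html>`;

// Recover the plain-text stack from the <pre> block, undoing the escaping
// Express applies. Returns null when the body carries no stack trace.
function extractStackText(html) {
  const m = html.match(/<pre>([\s\S]*?)<\/pre>/i);
  if (!m) return null;
  return m[1]
    .replace(/<br\s*\/?>/gi, '\n')
    .replace(/&nbsp;/g, ' ')
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// One Node stack frame: "at fn (/path:line:col)" or "at /path:line:col".
// POSIX paths only; Windows drive paths are not handled here.
const FRAME_RE = /^\s*at (?:(.*?) \()?(\/[^:)\s]+):(\d+):(\d+)\)?\s*$/;

function extractStackIntel(html) {
  const stack = extractStackText(html);
  if (stack === null) return { leaked: false };
  const [errorLine, ...frameLines] = stack.split('\n');
  const frames = frameLines
    .map((l) => l.match(FRAME_RE))
    .filter(Boolean)
    .map((m) => ({ fn: m[1] || null, file: m[2], line: +m[3], col: +m[4] }));
  const paths = [...new Set(frames.map((f) => f.file))];
  // First-party code is whatever is not under node_modules; its directory
  // layout is what gives away the username and project name.
  const appPaths = paths.filter((p) => !p.includes('/node_modules/'));
  const packages = [...new Set(paths
    .map((p) => (p.match(/\/node_modules\/([^/]+)\//) || [])[1])
    .filter(Boolean))];
  // /home/<user>/<project>/... on Linux, /Users/<user>/<project>/... on macOS.
  const home = (appPaths[0] || '').match(/^\/(?:home|Users)\/([^/]+)\/([^/]+)\//);
  return {
    leaked: true,
    errorLine: errorLine.trim(),
    paths,
    appPaths,
    packages,
    user: home ? home[1] : null,
    project: home ? home[2] : null,
  };
}

console.log(JSON.stringify(extractStackIntel(SAMPLE_500_BODY), null, 2));
```

For defenders who run Express themselves, the server-side fix is the mirror image of this: set NODE_ENV=production or register a custom four-argument error handler so that err.stack never reaches the client.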

How the Infection Mechanism Works

The Z2FA_LTS phishing kit is a server-rendered Express.js application deployed on Cloudflare Workers, and its infection chain is carefully designed to look convincing at every step.

After the victim sees the blurred PDF, they are redirected to a fake Zimbra loading splash screen that pulls real CSS stylesheets directly from the legitimate Bangladesh Navy mail server, making the page visually indistinguishable from the real one.

The victim is then sent to a Zimbra Harmony skin login clone, where all static assets including favicons and stylesheets are reverse-proxied from the real server through the phishing Worker’s “/proxy/” path.

The credential harvester injects two script behaviors into the page. First, it forces an error message to stay visible that reads “Your session has expired. Please login again to continue,” which pushes the victim to log in again.

Second, after the victim submits their credentials, the server re-renders the login page with their username already filled in, making them believe the login attempt failed and prompting them to re-enter their password.

This double-submission tactic maximizes the number of credentials collected per victim. Each page load also generates a unique rotating CSRF token using express-session, confirming that the kit operates with full server-side session management.
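The traits described for the fake PDF viewer stage and for the Zimbra clone above can be turned into a page fingerprint for hunting. The following is an added example (not code from the article, the researchers, or the kit): it checks a fetched page and its URL against the indicators the article reports, namely a workers.dev host, assets served under the kit's "/proxy/" path, the forced "Your session has expired. Please login again to continue" banner, references to the impersonated mail.navy.mil.bd server from a different host, and PDF.js 2.16.105. The article does not say how the five-second redirect or the blurring is implemented, so the meta-refresh/setTimeout and CSS blur checks are assumptions, as is the two-indicator threshold. All HTML samples are constructed, not captured from the campaign.

```javascript
// Added example, not code from the article or from the Z2FA_LTS kit: score a
// page against the traits the article attributes to the kit.

// Impersonated webmail hosts named in the article; extend per target.
const IMPERSONATED_HOSTS = ['mail.navy.mil.bd'];

// Each indicator gets the page HTML and the page hostname. String indicators
// come from the article; the timed redirect and blur checks are assumptions.
const INDICATORS = [
  { id: 'workers_dev_host',
    test: (html, host) => /(^|\.)workers\.dev$/i.test(host) },
  { id: 'proxied_assets',
    test: (html) => /(?:href|src)=["']\/proxy\//i.test(html) },
  { id: 'session_expired_text',
    test: (html) => /Your session has expired\. Please login again to continue/i.test(html) },
  { id: 'impersonated_host_referenced',
    test: (html, host) => IMPERSONATED_HOSTS.some(
      (h) => host.toLowerCase() !== h && html.toLowerCase().includes(h)) },
  { id: 'pdfjs_2_16_105',
    test: (html) => /pdf\.?js/i.test(html) && html.includes('2.16.105') },
  { id: 'timed_redirect', // assumption: meta refresh or setTimeout of 5 s
    test: (html) => /http-equiv=["']refresh["'][^>]*content=["']5\s*;/i.test(html)
      || /setTimeout\([\s\S]{0,300}?,\s*5000\s*\)/.test(html) },
  { id: 'blurred_document', // assumption: CSS blur on the rendered pages
    test: (html) => /filter\s*:\s*blur\(/i.test(html) },
];

function fingerprintPage(html, pageUrl) {
  const host = new URL(pageUrl).hostname;
  const matched = INDICATORS.filter((i) => i.test(html, host)).map((i) => i.id);
  // Threshold is an assumption: two independent traits on one page is a hunt hit.
  return { host, matched, suspicious: matched.length >= 2 };
}

// Constructed samples (not captured from the campaign). The Workers host is
// the one the article names.
const KIT_HOST = 'https://twilight-violet-55a5.malik-jaani786.workers.dev';

const SAMPLE_PDF_STAGE = `<html><head><title>document.pdf</title>
<script src="/pdfjs/2.16.105/pdf.js"></script>
<style>#viewer canvas { filter: blur(6px); }</style>
<script>setTimeout(function () { window.location.href = '/zimbra/'; }, 5000);</script>
</head><body><div id="toolbar">zoom print download</div><div id="viewer"></div></body></html>`;

const SAMPLE_SPLASH = `<html><head>
<link rel="stylesheet" href="https://mail.navy.mil.bd/css/common,login,zhtml,skin.css?skin=harmony">
</head><body><div class="splash">Loading...</div></body></html>`;

const SAMPLE_LOGIN_CLONE = `<html><head>
<link rel="stylesheet" href="/proxy/css/common,login,zhtml,skin.css?skin=harmony">
<link rel="icon" href="/proxy/img/logo/favicon.ico">
</head><body>
<form method="post" action="/?t=login"><input type="hidden" name="_csrf" value="a1b2c3">
<div class="loginError" style="display:block">Your session has expired. Please login again to continue</div>
<input name="username" value="j.doe"><input name="password" type="password">
</form></body></html>`;

// A benign page served by the real webmail host: same-origin assets, no banner.
const SAMPLE_REAL_LOGIN = `<html><head>
<link rel="stylesheet" href="/css/common,login,zhtml,skin.css?skin=harmony">
<link rel="icon" href="/img/logo/favicon.ico">
</head><body><form method="post" action="/">
<input name="username"><input name="password" type="password"></form></body></html>`;

for (const [name, html, url] of [
  ['pdf stage', SAMPLE_PDF_STAGE, KIT_HOST + '/view'],
  ['splash', SAMPLE_SPLASH, KIT_HOST + '/'],
  ['login clone', SAMPLE_LOGIN_CLONE, KIT_HOST + '/?t=login'],
  ['real login', SAMPLE_REAL_LOGIN, 'https://mail.navy.mil.bd/'],
]) {
  console.log(name, JSON.stringify(fingerprintPage(html, url)));
}
```

The host check is anchored on the end of the hostname, so a lookalike such as malik-jaani786.workers.dev.example.com does not match; the impersonated-host check deliberately ignores pages served by mail.navy.mil.bd itself, since the real login page may well mention its own hostname.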

Security teams and affected organizations should take several immediate steps. Bangladesh Navy should rotate all credentials for mail.navy.mil.bd users without delay, and BGD e-GOV CIRT should be notified at [email protected] about the active credential harvesting operation.

Pakistan’s NTISB should also be alerted regarding the leaked diplomatic communications used as lures. The phishing Worker at twilight-violet-55a5.malik-jaani786.workers.dev should be reported to Cloudflare Trust and Safety.

Organizations should block all subdomains under malik-jaani786.workers.dev and monitor URLScan for new Workers subdomains from the same account.

Security teams should also watch for new Cloudflare Workers accounts that use the same Express.js plus Zimbra clone pattern, as the threat actor has already rotated accounts once from girlfriendparty42.workers.dev to malik-jaani786.
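To implement the blocking and monitoring advice above, here is an added example (not code from the article or from any of the organizations it names) that derives the Cloudflare account label from a workers.dev hostname, matches it against a block list containing both accounts the article reports, scans proxy log lines for hits, and reports Worker subdomains not seen before under those accounts. The log lines and their format are constructed for the example; the hostnames and account names are the ones the article gives.

```javascript
// Added example, not code from the article: block-list matching and log
// monitoring for phishing Workers under known Cloudflare accounts.

// Accounts the article attributes to the actor (the first replaced the second).
const BLOCKED_WORKERS_ACCOUNTS = ['malik-jaani786', 'girlfriendparty42'];

// For <worker>.<account>.workers.dev or <account>.workers.dev, return the
// account label; null for anything that is not a workers.dev hostname.
// Anchoring on the last two labels rejects lookalikes such as
// malik-jaani786.workers.dev.evil.example.
function workersAccount(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  const n = labels.length;
  if (n < 3 || labels[n - 1] !== 'dev' || labels[n - 2] !== 'workers') return null;
  return labels[n - 3];
}

function isBlockedWorkersHost(hostname, blocked = BLOCKED_WORKERS_ACCOUNTS) {
  const account = workersAccount(hostname);
  return account !== null && blocked.includes(account);
}

// Constructed proxy log lines in a made-up "timestamp client method url status"
// layout; adapt the field split to your proxy's format.
const SAMPLE_PROXY_LOG = [
  '2026-03-02T09:14:07Z 10.20.30.41 GET https://twilight-violet-55a5.malik-jaani786.workers.dev/?t=login 200',
  '2026-03-02T09:14:09Z 10.20.30.41 GET https://twilight-violet-55a5.malik-jaani786.workers.dev/proxy/css/skin.css 200',
  '2026-03-02T09:15:30Z 10.20.30.77 GET https://mail.navy.mil.bd/ 200',
  '2026-03-02T09:16:02Z 10.20.30.90 GET https://docs.example.workers.dev/ 200',
  '2026-03-02T09:17:45Z 10.20.30.41 GET https://MALIK-JAANI786.workers.dev.evil.example/ 200',
  '2026-03-02T09:18:11Z 10.20.30.55 GET https://quiet-sea-1234.girlfriendparty42.workers.dev/ 200',
];

// Return one hit per log line whose URL host belongs to a blocked account.
function scanProxyLog(lines, blocked = BLOCKED_WORKERS_ACCOUNTS) {
  const hits = [];
  lines.forEach((line, i) => {
    const m = line.match(/https?:\/\/\S+/);
    if (!m) return;
    let host;
    try { host = new URL(m[0]).hostname; } catch { return; }
    const account = workersAccount(host);
    if (account !== null && blocked.includes(account)) {
      hits.push({ lineNo: i + 1, host, account, clientIp: line.split(' ')[1] });
    }
  });
  return hits;
}

// Worker hostnames in the hits that are not yet on the known-indicator list,
// i.e. new subdomains spun up under an already-flagged account.
function unseenWorkerHosts(hits, knownHosts) {
  const known = new Set(knownHosts.map((h) => h.toLowerCase()));
  return [...new Set(hits.map((h) => h.host))].filter((h) => !known.has(h));
}

const hits = scanProxyLog(SAMPLE_PROXY_LOG);
console.log(JSON.stringify(hits, null, 2));
console.log('new Worker hosts:', unseenWorkerHosts(hits, [
  'twilight-violet-55a5.malik-jaani786.workers.dev',
]));
```

Matching on the account label rather than on a literal "*.malik-jaani786.workers.dev" pattern is what lets the same rule catch a future Worker under the same account, and it leaves unrelated workers.dev sites (docs.example.workers.dev in the sample) alone.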
