A new report from Hunt Intelligence reveals that APT SideWinder — one of South Asia’s most active and persistent state-sponsored threat actors — has launched an extensive cyber-espionage campaign dubbed “Operation SouthNet.” The operation demonstrates the group’s adaptive tradecraft, focusing on credential theft, infrastructure recycling, and maritime-sector espionage across Pakistan, Sri Lanka, Nepal, Bangladesh, and Myanmar.
According to the report, “over 50+ malicious domains [were] uncovered across Netlify, pages.dev, workers.dev, and b4a.run, hosting fake Outlook/Zimbra portals and credential harvesting pages.” These malicious domains were designed to mimic legitimate government and defense email portals, tricking users into revealing sensitive credentials. The operation’s scale underscores SideWinder’s reliance on free hosting platforms to quickly deploy and rotate phishing infrastructure: accounts cost nothing, deployment is instant, and each portal sits behind the provider’s own domain and TLS certificate, so the group can stand up new portals and abandon burned ones within days.
Hunt’s telemetry shows that Pakistan and Sri Lanka remain at the core of the campaign, with Pakistan accounting for 40% of the identified malicious domains. The lure themes are particularly telling — “ministerial committees, bilateral visits, and defense procurements” — suggesting that the attackers are primarily targeting government, military, and maritime entities.
In Nepal, SideWinder has deployed sophisticated phishing kits masquerading as official government portals. One of the sites, “mall-ministryoffinance-np.netlify.app,” hosted a fake Outlook login page embedding a lure document titled “Honorable Prime Minister’s Visit to China.” Hunt.io confirmed that credentials entered into these portals were “exfiltrated to drive-nepal-gov[.]com/document/docu.php,” revealing a network of credential-stealing servers targeting Nepali officials.
Bangladesh was also targeted through counterfeit DGDP “Secured File” portals hosted on Netlify, impersonating the Directorate General of Defense Purchases. The fraudulent portals requested login details under the guise of “accessing Turkish defense equipment files,” extending the espionage effort into defense procurement networks.
The campaign’s expansion into Myanmar saw the Central Bank of Myanmar (CBM) targeted via a fake Zimbra Webmail login hosted on Cloudflare’s pages.dev service. Stolen credentials were funneled to “myanmar-org-mail[.]com,” a malicious domain tied to SideWinder’s legacy command-and-control (C2) infrastructure. The report notes that domains such as govmm[.]org, govnp[.]org, and andc[.]govaf[.]org were reused — evidence of SideWinder’s long-term infrastructure recycling to evade attribution.
Pakistan’s Space & Upper Atmosphere Research Commission (SUPARCO) and National Telecom Corporation (NTC) have become prime targets. Hunt identified phishing portals like “owa-suparco-gov-pk-owa-autho.pages.dev,” which cloned official Outlook Web App login screens to harvest credentials. The JavaScript logic embedded within these portals carried the victim’s email address in Base64 for session tracking. Base64 is a reversible encoding rather than obfuscation; kits typically use it to pass the target’s address in the phishing link so the fake login page can pre-fill it, which makes the page look legitimate and lets the operators match each captured password to the specific recipient it was sent to. The same property makes such links easy to recognise in URL telemetry.
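Both sides of that Base64-in-URL pattern, as an added example that is not code from the Hunt.io report or from the phishing kit it describes: decodeTargetFromUrl() does what such a kit’s page script does (pull the Base64 value out of the link and turn it back into an address), and flagTargetedPhishUrls() runs that logic over URL telemetry to surface links that carry an encoded email. The hostnames, the parameter positions (fragment and query values) and the log lines are constructed assumptions, not indicators from the report.

```javascript
// Added example: recover Base64-encoded target addresses from phishing URLs
// and flag them in a simple "timestamp client url" log (constructed format).
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
// Standard or URL-safe Base64 alphabet, optional padding, long enough to be an address.
const B64_RE = /^[A-Za-z0-9+/_-]{8,}={0,2}$/;

// Kits often drop padding or use the URL-safe alphabet; accept both, but reject
// anything that does not round-trip (Buffer silently tolerates junk otherwise).
function decodeBase64Loose(value) {
  const std = value.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  const decoded = Buffer.from(padded, 'base64').toString('utf8');
  const reencoded = Buffer.from(decoded, 'utf8').toString('base64');
  if (reencoded.replace(/=+$/, '') !== std.replace(/=+$/, '')) return null;
  return decoded;
}

// Mirrors the kit side: look in the fragment (popular because it never leaves
// the browser, so it only appears in mail-gateway or endpoint URL telemetry)
// and in every query parameter value; return the first decoded email address.
function decodeTargetFromUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  const candidates = [url.hash.replace(/^#/, ''), ...url.searchParams.values()];
  for (const candidate of candidates) {
    if (!B64_RE.test(candidate)) continue;
    const decoded = decodeBase64Loose(candidate);
    if (decoded !== null && EMAIL_RE.test(decoded)) return decoded;
  }
  return null;
}

function parseLogLine(line) {
  const [ts, client, url] = line.trim().split(/\s+/, 3);
  return { ts, client, url };
}

// Detection side: every line whose URL decodes to an address is a hit, with
// the pre-filled target revealed so the SOC knows who was phished.
function flagTargetedPhishUrls(lines) {
  const hits = [];
  for (const line of lines) {
    const { ts, client, url } = parseLogLine(line);
    const target = decodeTargetFromUrl(url);
    if (target) hits.push({ ts, client, host: new URL(url).hostname, target });
  }
  return hits;
}

// Constructed telemetry: two phishing links (fragment and base64url query
// parameter), one ordinary search, one benign Base64 value that is not an email.
const CONSTRUCTED_LOG = [
  '2025-10-01T09:12:03Z 10.0.4.21 https://owa-example-gov-xx-autho.pages.dev/#' +
    Buffer.from('a.khan@example.gov.xx').toString('base64'),
  '2025-10-01T09:12:41Z 10.0.4.21 https://mail-example-gov-xx.netlify.app/?e=' +
    Buffer.from('s.perera@navy.example.xx').toString('base64url'),
  '2025-10-01T09:13:10Z 10.0.4.37 https://www.example.org/search?q=base64+decoder',
  '2025-10-01T09:13:55Z 10.0.4.37 https://cdn.example.net/app.js?v=' +
    Buffer.from('build-2025-10-01').toString('base64'),
];

console.log(JSON.stringify(flagTargetedPhishUrls(CONSTRUCTED_LOG), null, 2));
```

Run with `node` on any recent release (Buffer’s `base64url` encoding needs Node 15.7 or later). The round-trip check in decodeBase64Loose is what keeps random Base64-looking tokens such as cache-busting values from producing false positives; the email regex then filters out legitimate Base64 payloads that decode to something other than an address.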
A parallel operation impersonated Pakistan’s Board of Investment (BOI) and National Assembly, distributing fake “meeting notices” and redirecting victims to fraudulent NTC login portals. The attackers exfiltrated credentials to technologysupport[.]help, an exfiltration domain observed across multiple Zimbra and Outlook phishing kits.
The campaign’s most striking evolution lies in its maritime espionage focus. Hunt.io analysts discovered open directories (web servers with directory listing exposed) on the dynamic-DNS hosts “gwadarport.ddns.net” and “colombo-port.ddns.net,” containing weaponized lure documents titled “Navy Operational Highlights 2025.zip” and “Incident Report Gwadar Port Complex.pdf.exe.” The second name is a classic double-extension lure: it is a Windows executable, but because Explorer hides known file extensions by default it is displayed to the victim as a PDF. These findings confirm that APT SideWinder has “pivoted toward targeting Pakistan and Sri Lanka’s marine sectors,” using long-lived staging infrastructure and document-themed social engineering.
While South Asia remains the primary theater, Hunt also documented spillover activity in Singapore. Three phishing portals — “momgovsg[.]net,” “mom.gov-sg[.]online,” and “momgovsg[.]info” — were found impersonating the Ministry of Manpower (MOM) to steal credentials. Though attribution is not yet conclusive, the infrastructure and naming patterns “align with previously observed SideWinder campaigns,” suggesting potential expansion beyond the group’s traditional boundaries.
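The naming pattern that runs through the whole report, from “owa-suparco-gov-pk-owa-autho.pages.dev” to “momgovsg[.]net” and “mom.gov-sg[.]online,” is a legitimate domain whose dots have been replaced by hyphens or dropped, then parked on a free host or a look-alike TLD. The following is an added detection example, not code from Hunt.io: it squashes every hostname to its alphanumerics and checks for the squashed form of a protected domain, with a weaker tier for an organisation’s label alone on free hosting. The protected apex domains (mom.gov.sg, suparco.gov.pk, ntc.gov.pk, cbm.gov.mm) are assumed to be the organisations’ real domains; the candidate list mixes hostnames named in the report with constructed ones, and the free-hosting suffix list is taken from the report plus ddns.net.

```javascript
// Added example: flag hostnames that impersonate a protected domain by
// flattening it ("mom.gov.sg" -> "momgovsg") into their labels.
const PROTECTED_DOMAINS = ['mom.gov.sg', 'suparco.gov.pk', 'ntc.gov.pk', 'cbm.gov.mm']; // assumed apexes
const FREE_HOSTING = ['netlify.app', 'pages.dev', 'workers.dev', 'b4a.run', 'ddns.net'];
const MIN_LABEL_LEN = 5; // organisation labels shorter than this ("mom", "ntc") are too noisy alone

// Turn defanged indicators such as "mom.gov-sg[.]online" back into real hostnames.
function refang(host) {
  return host.toLowerCase().replace(/\[\.\]/g, '.').replace(/\(dot\)/g, '.').replace(/\.$/, '');
}

// Drop dots, hyphens and anything else that is not a letter or digit.
function squash(host) {
  return refang(host).replace(/[^a-z0-9]/g, '');
}

function endsWithDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function classifyHost(rawHost) {
  const host = refang(rawHost);
  const squashed = squash(host);
  const freeHosting = FREE_HOSTING.find((suffix) => endsWithDomain(host, suffix)) || null;

  // A real subdomain of a protected apex is legitimate by construction.
  if (PROTECTED_DOMAINS.some((legit) => endsWithDomain(host, legit))) {
    return { host, verdict: 'legitimate', impersonates: null, freeHosting };
  }
  // Strong tier: the whole flattened domain appears inside the hostname.
  for (const legit of PROTECTED_DOMAINS) {
    if (squashed.includes(squash(legit))) {
      return { host, verdict: 'lookalike', impersonates: legit, freeHosting };
    }
  }
  // Weak tier: only the organisation's own label, but sitting on free hosting.
  if (freeHosting) {
    for (const legit of PROTECTED_DOMAINS) {
      const label = legit.split('.')[0];
      if (label.length >= MIN_LABEL_LEN && squashed.includes(label)) {
        return { host, verdict: 'probable', impersonates: legit, freeHosting };
      }
    }
  }
  return { host, verdict: 'unknown', impersonates: null, freeHosting };
}

// Return only the hosts worth an analyst's time.
function triageHosts(hosts) {
  return hosts.map(classifyHost).filter((r) => r.verdict === 'lookalike' || r.verdict === 'probable');
}

// Hostnames named in the report plus constructed controls (legitimate subdomain,
// a constructed weak-tier case on Netlify, and an unrelated site).
const CANDIDATE_HOSTS = [
  'momgovsg[.]net',
  'mom.gov-sg[.]online',
  'momgovsg[.]info',
  'owa-suparco-gov-pk-owa-autho.pages.dev',
  'mail.mom.gov.sg',
  'suparco-webmail-login.netlify.app',
  'www.example.org',
];

console.log(JSON.stringify(triageHosts(CANDIDATE_HOSTS), null, 2));
```

Feed it the hostnames from passive DNS, certificate-transparency logs or proxy telemetry rather than the handful above; the strong tier has very few false positives, while the weak tier is deliberately tuned to free-hosting platforms because the report shows that is where these portals are parked. Short labels such as “mom” or “ntc” are excluded from the weak tier on purpose, since they occur inside ordinary words.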