The Invisible Navy: SideWinder’s New Cloud-Based Strategy for Striking South Asian Defense Forces
The SideWinder threat actor has markedly pivoted its strategic methodology, forsaking traditional infrastructure in favor of a clandestine approach. Rather than leasing dedicated servers, the group has orchestrated an expansive operation leveraging legitimate cloud platforms to masquerade as benign services. This shift has facilitated covert incursions into military and governmental entities across South Asia while ensuring a minimal forensic footprint.
According to analysis by Breakglass Intelligence, the recent campaign spanned twenty distinct nodes and eight Platform-as-a-Service (PaaS) providers—including Zeabur, Leapcell, Railway, Cloudflare Workers, Replit, and Back4App—supplemented by link-shortening services such as short.gy and tinyurl.cx. By exploiting free-tier subscriptions and eschewing custom domains, the adversaries achieved remarkable agility; when a single node was neutralized, a replacement was instantaneously deployed, complicating defensive countermeasures.
The hallmark of this operation is a dual-layered credential harvesting stratagem. The assault initiated with a deceptive PDF bait concerning defense procurement contracts. Upon engagement, victims were subjected to a delayed redirection, eventually arriving at a fraudulent Zimbra webmail portal tailored to mimic the Bangladesh Navy. Following an initial password entry, a simulated error redirected the user to a secondary interface—this one impersonating the Pakistan Air Force. Consequently, a single credential was submitted twice, captured by distinct data collection forms.
This scenario was specifically engineered to exploit personnel who interact with multiple military echelons. The target demographic encompassed defense contractors, telecommunications firms, and state institutions in Pakistan and Bangladesh. Confirmed victims include a project coordinator from Margalla Heavy Industries, a firm deeply integrated into military manufacturing.
A recurring 35-character parameter within the phishing URLs garnered particular scrutiny. This string remained static for five months, serving as a reliable heuristic for identifying the group’s activity. Despite the dissemination of these findings, portions of the infrastructure persist; at least two phishing sites hosted on Zeabur remain operational, continuing their illicit data collection.
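A detection sketch for the heuristic just described, added here as an example and not part of the Breakglass Intelligence analysis: it scans constructed proxy-log lines for a fixed-length query-string value that recurs across several PaaS-hosted sites, and it works for any token length, not only the 35-character string noted above. The log format, the PaaS hostname suffixes and the sample token are assumptions, not indicators from the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log lines: "<timestamp> <source-ip> <url>".
# The 35-character token below is made up; it is not a real indicator.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.0.0.12 https://procurement-notice.zeabur.app/view?ref=ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789&doc=tender
2024-05-03T11:40:55Z 10.0.0.31 https://mail-portal.workers.dev/login?ref=ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789
2024-05-20T14:02:10Z 10.0.0.12 https://updates.replit.app/auth?ref=ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789&step=2
2024-05-21T08:00:00Z 10.0.0.45 https://intranet.example.com/report?id=ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789
2024-05-22T10:15:30Z 10.0.0.50 https://docs.example.com/page?session=zzzz
"""

# Assumed hostname suffixes for free-tier PaaS deployments (hypothetical list;
# extend it to match the providers your environment actually sees).
PAAS_SUFFIXES = (".zeabur.app", ".workers.dev", ".replit.app", ".up.railway.app")


def is_paas_host(host: str) -> bool:
    """True if the host sits under one of the assumed PaaS suffixes."""
    return host.lower().endswith(PAAS_SUFFIXES)


def find_static_tokens(log_text: str, token_len: int = 35, min_hosts: int = 2) -> dict:
    """Return {token: sorted list of hosts} for every query-string value of
    exactly token_len characters that appears on at least min_hosts distinct
    PaaS hosts. A value reused across unrelated throwaway hosts is the
    signal; the same value on a single internal host is ignored."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        url = urlsplit(parts[2])
        host = url.hostname or ""
        if not is_paas_host(host):
            continue
        for _, value in parse_qsl(url.query, keep_blank_values=True):
            if len(value) == token_len and re.fullmatch(r"[A-Za-z0-9_-]+", value):
                seen[value].add(host)
    return {tok: sorted(hosts) for tok, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for token, hosts in find_static_tokens(SAMPLE_LOG).items():
        print(f"recurring token {token!r} seen on {len(hosts)} PaaS hosts: {hosts}")
```

The internal `example.com` hit is deliberately excluded so the rule only fires on the disposable-hosting pattern the report describes; lower `min_hosts` to 1 if you want every PaaS hit with a matching-length value.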
Analysts posit that SideWinder has effectively transitioned to a “Living off the Land” (LotL) model, utilizing reputable cloud ecosystems in lieu of proprietary infrastructure. This evolution not only diminishes the operational costs of their campaigns but also significantly raises the bar for mitigation, as total disruption necessitates coordinated intervention across a myriad of service providers.