PULSE NAME
Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia.
WHITE PetrP.73 2025-10-03 Modified: 2025-11-02
Operation SouthNet, attributed to the SideWinder threat actor, has seen an extensive escalation of phishing and malware activity throughout South Asia. Analysis revealed over 50 malicious domains hosting fake Outlook and Zimbra portals for credential harvesting. The campaign spans five countries, with Pakistan accounting for approximately 40% of the identified domains. Techniques include the distribution of weaponized documents themed around governmental affairs, underscoring the targeting of sensitive sectors. The operation was active in August 2025 and specifically targeted government and defense organizations across Nepal, Bangladesh, and Turkey. SideWinder leveraged free hosting platforms such as Netlify and pages.dev to deploy its phishing infrastructure.
MITRE ATT&CK & Malware Families
Credential Theft
Indicators of Compromise (147)