Z2FA_LTS: A Sidewinder APT Phishing Kit Developer Burns Their Linux Username in an Express.js Stack Trace.
WHITE PetrP.73 2026-04-26 Modified: 2026-05-26
6 IOCs, LOW VOLUME
The Z2FA_LTS phishing kit is a sophisticated threat associated with the Sidewinder APT, targeting governmental entities in South Asia, including the Bangladesh Navy and Pakistan's Ministry of Foreign Affairs. The phishing operation uses a polished Zimbra webmail clone, designed to harvest user credentials through a highly deceptive interface. The kit serves server-rendered pages built with Express.js and is deployed on Cloudflare Workers, which has proven effective for evading detection.
Indicators of Compromise (1 / 6 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA256 | aa82f6397face56f9c8500e81b3ce487b661b99ee1865f1a5ec6f6da9b261cf1 | | 2026-04-26