SideWinder APT Targets Nepal, Afghanistan in Wide-Ranging Spy Campaign
#1
Information 
Quote:The SideWinder advanced persistent threat (APT) group has mounted a fresh phishing and malware initiative, using recent territory disputes between China, India, Nepal and Pakistan as lures. The goal is to gather sensitive information from its targets, mainly located in Nepal and Afghanistan.
 
According to an analysis, SideWinder typically targets victims in South Asia and surroundings – and this latest campaign is no exception. The targets here include multiple government and military units for countries in the region researchers said, including the Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan and more.

The effort mainly makes use of legitimate-looking webmail login pages, aimed at harvesting credentials. Researchers from Trend Micro said that these pages were copied from their victims’ actual webmail login pages and subsequently modified for phishing. For example, “mail-nepalgovnp[.]duckdns[.]org” was created to pretend to be the actual Nepal government’s domain, “mail[.]nepal[.]gov[.]np”.
 
Interestingly, after credentials are siphoned off and the users “log in,” they are either sent to the legitimate login pages; or, they are redirected to different documents or news pages, related either to COVID-19 or political fodder.
 
Researchers said some of the pages include a May article entitled “India Should Realise China Has Nothing to Do With Nepal’s Stand on Lipulekh” and a document called “Ambassador Yanchi Conversation with Nepali_Media.pdf,” which provides an interview with China’s ambassador to Nepal regarding Covid-19, the Belt and Road Initiative, and territorial issues in the Humla district.
 
The campaign also includes a malware element, with malicious documents delivered via email that are bent on installing a cyberespionage-aimed backdoor. And, there was evidence that the group is planning a mobile launch to compromise wireless devices.
 
“We identified a server used to deliver a malicious .lnk file and host multiple credential-phishing pages,” wrote researchers, in a Wednesday posting. “We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit.”

Read more: https://threatpost.com/sidewinder-apt-ne...gn/162086/
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
Malwarebytes 5.2.10.182
Malwarebytes 5.2.1...Mohammad.Poorya — 16:46
Microsoft Defender Antivirus security in...
Microsoft Defender...harlan4096 — 13:44
AnyDesk 6.4.3 for Linux
AnyDesk 6.4.3 for ...harlan4096 — 09:51
AnyDesk 9.5.0 for Windows
AnyDesk 9.5.0 for ...harlan4096 — 09:51
Notepad++ v8.7.9 released 2025-04-02
Notepad++ v8.7.9 r...harlan4096 — 09:49

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (44)wapedDow
avatar (48)oapedDow
avatar (41)Sanchowogy
avatar (45)MeighGoask
avatar (46)creatralGuelm
avatar (37)procnipsut
avatar (43)accenwibly
avatar (40)ahyvily
avatar (37)urumahiz
avatar (43)techlignub
avatar (42)Stevenmam
avatar (49)onlinbah
avatar (49)fuspeukChark
avatar (43)werriewWaiNg
avatar (37)Freemanleo
avatar (42)cdoubapKit
avatar (37)lystraPonia
avatar (30)smith8395john
avatar (50)steakelask
avatar (44)Termoplenka
avatar (42)bycoPaist
avatar (48)pieloKat
avatar (42)ilyagNeexy
avatar (50)donitascene
avatar (50)burntLaw
avatar (40)MrDoorsskibheeds
avatar (50)Toligo
avatar (45)Rodneykak
avatar (48)tradeSmode
avatar (38)vemedProkbior
avatar (37)RobertUtelt
avatar (45)JamesZic
avatar (42)Sanfordbup
avatar (37)Der.Reisende

[-]
Online Staff
There are no staff members currently online.

>