Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware in open directories. Over 50 malicious domains were uncovered across various platforms, with Pakistan accounting for 40% of the identified domains. The campaign utilizes maritime and port-themed lures to target government and military entities. SideWinder's infrastructure overlaps with legacy C2 assets, indicating recycling across multiple years. The group maintains a high operational tempo, with new phishing domains emerging every 3-5 days.
OPENCTI LABELS :
apt,phishing,south asia,government,military,credential harvesting
AI COMMENTARY:
1. Introduction: APT SideWinder has long been recognized for its focused cyber espionage against government and military targets in South Asia. With the onset of Operation SouthNet, the group has shifted its tactics to intensify phishing and malware deployments specifically against the maritime sector in Pakistan and Sri Lanka. By embedding its attacks within legitimate-looking maritime narratives, SideWinder seeks to exploit trust in port-related communications and infrastructure.
2. Operation SouthNet Overview: Dubbed Operation SouthNet, the campaign deploys a network of over 50 malicious domains hosted on free web platforms. Nearly 40 percent of these domains resolve to Pakistan, underscoring the group’s geographic focus. The lure pages mimic shipping schedules, port notices, and logistics updates to entice recipients into credential-harvesting portals or weaponized lure documents.
3. Phishing and Malware Delivery: Attackers leverage open directories on compromised or free hosting services to stage malware payloads. Targets who click on a maritime-themed link are redirected to a portal that prompts for login credentials or downloads a document containing embedded macros. Once executed, these macros initiate a multi-stage infection chain that exfiltrates harvested credentials and establishes persistence on victim systems.
4. Infrastructure Overlap and Recycling: Analysis of the campaign reveals overlap with legacy command-and-control (C2) infrastructure previously attributed to SideWinder operations. Domains and IP addresses used in Operation SouthNet show continuity with assets in use over several years, indicating the group recycles and repurposes infrastructure to evade detection and maintain a high operational tempo.
5. High Operational Tempo: SideWinder’s rapid domain registration cadence—new phishing domains appearing every three to five days—enables the group to stay ahead of takedown efforts. This continuous churn of infrastructure complicates defender efforts to block or sinkhole malicious sites, increasing the likelihood that at least some campaigns remain active long enough to yield compromised credentials and internal network access.
6. Implications and Mitigation: Governments and maritime organizations in South Asia must treat unsolicited emails purporting to deliver vessel manifests, port advisories, and shipping line communications with suspicion. Proactive measures include monitoring free hosting services for impersonating domains, enforcing multi-factor authentication to neutralize credential harvesting, deploying sandbox analysis for suspicious documents, and sharing threat intelligence indicators across maritime and defense sectors to accelerate domain takedowns and C2 disruptions.
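The monitoring measure above, as an added example that is not part of the OpenCTI report: a proxy-log triage heuristic that flags requests to recently first-seen hosts on free hosting platforms whose labels carry the maritime/port theme the report describes. The hosting apexes, keywords, log lines and first-seen dates are constructed placeholders, not indicators from the report.

```python
# Added example, not from the OpenCTI report: a proxy-log triage heuristic.
# Hosting apexes, keywords, log lines and first-seen dates are constructed
# placeholders, not indicators from the report.
from datetime import date
from urllib.parse import urlsplit

# Placeholder apexes standing in for the free hosting platforms described.
FREE_HOSTING_APEXES = {"free-hosting.example", "pages.example"}
# Maritime/port-themed tokens matching the report's lure themes.
LURE_KEYWORDS = ("port", "vessel", "shipping", "manifest", "maritime", "cargo")
# The report notes new domains every 3-5 days; hosts first seen within this
# many days (or never seen before) count as new.
NEW_HOST_WINDOW_DAYS = 7

def flag_suspicious(log_lines, first_seen, today):
    """Return (timestamp, host, keyword, age_days) for lines of the form
    '<ts> <user> <url>' that hit all three heuristics: free-hosting apex,
    lure keyword as a label token, host first seen within the window.
    age_days is None when the host has never been seen before."""
    hits = []
    for line in log_lines:
        ts, _user, url = line.split(" ", 2)
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        apex = ".".join(host.split(".")[-2:])  # last two labels
        if apex not in FREE_HOSTING_APEXES:
            continue
        sub = host[: -len(apex)].rstrip(".")  # labels left of the apex
        tokens = set(sub.replace(".", "-").split("-"))  # whole tokens only
        kw = next((k for k in LURE_KEYWORDS if k in tokens), None)
        if kw is None:
            continue
        seen = first_seen.get(host)
        age = (today - seen).days if seen else None
        if age is not None and age > NEW_HOST_WINDOW_DAYS:
            continue  # long-established host on a free platform: not new
        hits.append((ts, host, kw, age))
    return hits

SAMPLE_TODAY = date(2024, 6, 10)  # constructed sample input for a stand-alone run
SAMPLE_LOGS = [
    "2024-06-10T09:12:01Z alice https://port-notice-update.free-hosting.example/login",
    "2024-06-10T09:15:44Z bob https://intranet.corp.example/home",
    "2024-06-10T09:20:03Z carol https://vessel-schedule.pages.example/update.docm",
    "2024-06-10T09:21:10Z dave https://blog.pages.example/",
]
SAMPLE_FIRST_SEEN = {
    "port-notice-update.free-hosting.example": date(2024, 6, 8),
    "vessel-schedule.pages.example": date(2024, 5, 1),
    "blog.pages.example": date(2023, 1, 1),
}
```

Run it over a day's proxy export with a first-seen table built from passive DNS or proxy history; hits are triage candidates for analyst review, not verdicts.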