SideWinder uses fake Chrome PDF viewer and Zimbra clone to steal government webmail credentials


A SideWinder-linked phishing campaign is using a fake Chrome PDF viewer and a polished Zimbra webmail clone to steal credentials from government and defense targets in South Asia. Breakglass Intelligence says the campaign has been active since at least February 2026 and has targeted organizations including Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs.

The attack works because the first page looks familiar and low-risk. Victims land on a page that imitates Chrome’s built-in PDF viewer, complete with toolbar controls and a blurred document that looks official, then get redirected into a Zimbra login flow that closely matches the real target environment.

That makes the campaign more dangerous than a simple fake login page. The phishing chain uses a believable document lure, real styling pulled from target infrastructure, and a second login attempt flow designed to squeeze more credentials out of each victim.

How the phishing chain works

Breakglass says the first stage uses PDF.js 2.16.105 to render a fake Chrome PDF viewer. The displayed file is a real stolen Pakistani diplomatic cable tied to the 152nd IPU Assembly in Istanbul, but the page blurs the content so the target cannot read it clearly before the automatic redirect kicks in after about five seconds.

After that, the victim reaches a fake Zimbra loading page and then a Zimbra Harmony login clone. Breakglass says the kit pulls real CSS from the legitimate Bangladesh Navy mail server and reverse-proxies static assets such as stylesheets and favicons through the attacker’s Worker path, which makes the page look almost identical to the real portal.

The credential harvester then pushes the victim toward a second submission. Breakglass says the page keeps an error banner visible, re-renders the form with the username prefilled after submission, and prompts the target to enter the password again, increasing the chance of clean credential capture.

What investigators found

One of the strongest clues came from an operational mistake. Breakglass says a malformed POST request triggered a 500 error that exposed a full Express.js stack trace, including the path /home/moincox/Z2FA_LTS/app.js. That leak revealed the developer username moincox and the internal kit name Z2FA_LTS, which Breakglass expands as “Zimbra 2FA Long-Term Support.”

The same report says the kit runs as a server-rendered Express.js application with express-session, rotating CSRF tokens, and a typical connect.sid session cookie. Those details suggest a maintained phishing framework rather than a one-off lure page.

Breakglass also says URLScan history mapped seven distinct Cloudflare Workers across two Cloudflare accounts over roughly three months. The targets went beyond Bangladesh Navy and included Pakistan’s Ministry of Foreign Affairs, Nayatel, Bangladesh Computer Council, and iCloud-themed lures.

Why the campaign stands out

This campaign shows how SideWinder keeps reusing legitimate cloud and developer platforms to blend into normal traffic. Breakglass says the current infrastructure sits on Cloudflare Workers and follows an earlier account migration, while the same operator pattern previously stretched across Zeabur, Leapcell, Railway, Replit, Back4App, and other providers.

The lure quality also matters. Using a real stolen diplomatic cable makes the attack more credible for government users, especially when the target already expects official PDFs and Zimbra login prompts in daily work. That fit between lure and target likely explains why SideWinder keeps using document-heavy, institution-specific phishing in the region. This is an inference based on Breakglass’s description of the stolen cable and the named government targets.

Another important point is visibility. Because the phishing chain lives on workers.dev, defenders may initially see only a trusted cloud platform domain rather than an obviously malicious host. Security teams therefore need to look beyond the base domain and inspect the full subdomain, page behavior, and redirect chain. This is an inference supported by the campaign’s use of Cloudflare Workers subdomains and cloned government webmail pages.

At a glance

Element | What investigators saw | Why it matters
--- | --- | ---
Initial lure | Fake Chrome PDF viewer built with PDF.js | Lowers suspicion and fits government workflows
Document used | Real stolen Pakistani diplomatic cable | Makes the lure more believable
Credential theft page | Pixel-close Zimbra Harmony clone | Helps capture webmail credentials
Hosting | Cloudflare Workers | Lets the attacker blend into normal cloud traffic
Backend | Express.js with sessions and CSRF tokens | Suggests a maintained phishing platform
Notable leak | /home/moincox/Z2FA_LTS/app.js | Exposed internal project name and developer handle

Supported by Breakglass’s published analysis.

What organizations should do now

Organizations that use Zimbra or similar webmail systems should treat any login page hosted on generic cloud subdomains as suspicious, even if the page looks accurate. Users should verify the exact domain before entering credentials, and security teams should monitor for traffic to unexpected workers.dev subdomains tied to document previews or webmail prompts.

Bangladesh-facing defenders should consider immediate incident review for any users tied to the targeted mail.navy.mil.bd environment. Breakglass recommended rapid credential rotation for affected users and said the active worker should be reported to Cloudflare.

Teams should also watch for the broader pattern, not just one domain. Breakglass says the actor has already rotated from one Workers account to another while keeping the same Express.js and Zimbra clone approach, which means blocking one URL alone will not solve the problem.

  • Rotate credentials for any users who may have visited the phishing flow or entered passwords into suspicious Zimbra pages.
  • Block and investigate suspicious workers.dev subdomains tied to fake document preview or webmail pages.
  • Monitor for cloned Zimbra pages that pull real stylesheets or assets from legitimate mail servers.
  • Alert users that a blurred PDF viewer followed by a second login prompt is part of the known attack chain.
  • Report active phishing infrastructure through Cloudflare’s official abuse reporting process.
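As an added defender-side example (not code from the VPNCentral article or from the Breakglass report), the following Python script applies the monitoring advice above to a few constructed proxy log lines: it flags workers.dev hosts serving document-preview or webmail-looking paths, a redirect from one workers.dev host into a second one within seconds, and repeated form posts to the same worker host inside a short window, which matches the second-submission behaviour the report describes. The log format, client addresses, the placeholder hostnames (placeholder-acct, placeholder-dev) and the keyword list are assumptions for illustration, not indicators from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not from the report). Fields: timestamp, client,
# method, URL, status, referer ("-" when absent). All hostnames are placeholders.
SAMPLE_LOG = """\
2026-03-02T09:14:02Z 10.0.5.21 GET https://intranet.example.test/policy.pdf 200 -
2026-03-02T09:15:10Z 10.0.5.21 GET https://cable-preview.placeholder-acct.workers.dev/view 200 -
2026-03-02T09:15:11Z 10.0.5.21 GET https://cable-preview.placeholder-acct.workers.dev/pdf.worker.js 200 https://cable-preview.placeholder-acct.workers.dev/view
2026-03-02T09:15:16Z 10.0.5.21 GET https://cable-preview.placeholder-acct.workers.dev/view?next=1 302 https://cable-preview.placeholder-acct.workers.dev/view
2026-03-02T09:15:17Z 10.0.5.21 GET https://mail-gw.placeholder-acct.workers.dev/zimbra/ 200 https://cable-preview.placeholder-acct.workers.dev/view
2026-03-02T09:15:18Z 10.0.5.21 GET https://mail-gw.placeholder-acct.workers.dev/zimbra/skins/harmony/main.css 200 https://mail-gw.placeholder-acct.workers.dev/zimbra/
2026-03-02T09:15:40Z 10.0.5.21 POST https://mail-gw.placeholder-acct.workers.dev/zimbra/ 200 https://mail-gw.placeholder-acct.workers.dev/zimbra/
2026-03-02T09:15:58Z 10.0.5.21 POST https://mail-gw.placeholder-acct.workers.dev/zimbra/ 200 https://mail-gw.placeholder-acct.workers.dev/zimbra/
2026-03-02T09:20:00Z 10.0.5.33 GET https://status.placeholder-dev.workers.dev/ 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3}) (\S+)$")
# Path/query words that suggest a document preview or a webmail login flow (assumed list).
LURE_WORDS = re.compile(r"(pdf|viewer|preview|zimbra|webmail|login|mail)", re.I)
REDIRECT_WINDOW = timedelta(seconds=10)   # worker -> worker hop must follow this quickly
REPOST_WINDOW = timedelta(seconds=120)    # two POSTs this close = "enter it again" prompt


def is_workers_host(host):
    """True for any subdomain of the generic workers.dev platform domain."""
    return host.endswith(".workers.dev")


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, referer = m.groups()
        u = urlparse(url)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "host": u.hostname or "",
            "path": u.path + ("?" + u.query if u.query else ""),
            "status": int(status), "referer": referer,
        })
    return events


def analyze(text):
    """Return a list of findings covering the three hunt heuristics."""
    findings = []
    by_client = defaultdict(list)
    for ev in parse_log(text):
        by_client[ev["client"]].append(ev)

    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        lure_seen = set()
        posts = defaultdict(list)
        for i, ev in enumerate(evs):
            if not is_workers_host(ev["host"]):
                continue
            # 1. Preview/webmail-looking content served from a generic cloud subdomain.
            if LURE_WORDS.search(ev["path"]) and ev["host"] not in lure_seen:
                lure_seen.add(ev["host"])
                findings.append({"kind": "lure_path", "client": client,
                                 "host": ev["host"], "path": ev["path"]})
            # 2. Redirect from one workers.dev host into a different one within seconds.
            if 300 <= ev["status"] < 400:
                for nxt in evs[i + 1:]:
                    if nxt["ts"] - ev["ts"] > REDIRECT_WINDOW:
                        break
                    if is_workers_host(nxt["host"]) and nxt["host"] != ev["host"]:
                        findings.append({"kind": "worker_redirect_chain", "client": client,
                                         "from": ev["host"], "to": nxt["host"]})
                        break
            # 3. Repeated form posts to the same worker host: the second-submission pattern.
            if ev["method"] == "POST":
                posts[ev["host"]].append(ev["ts"])
        for host, times in posts.items():
            for a, b in zip(times, times[1:]):
                if b - a <= REPOST_WINDOW:
                    findings.append({"kind": "repeat_credential_post", "client": client,
                                     "host": host,
                                     "seconds_apart": int((b - a).total_seconds())})
                    break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run as-is, the script reports two lure-like worker hosts, one worker-to-worker redirect hop and one pair of POSTs 18 seconds apart for the same client, while the unrelated worker request from the second client produces nothing. Adapting it to a real proxy means only replacing LINE_RE and SAMPLE_LOG with the site's own log format; the three heuristics, and the fact that they key on the full subdomain and the redirect chain rather than the base domain, are the point.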

FAQ

Who is behind the campaign?

Breakglass attributes the campaign to SideWinder, and the report says multiple independent researchers supported that attribution.

What is Z2FA_LTS?

It is the internal project name exposed in the phishing kit’s stack trace. Breakglass says it likely stands for “Zimbra 2FA Long-Term Support.”

Why use a fake Chrome PDF viewer first?

Because it makes the lure look routine. The victim sees what looks like a normal document preview before the redirect into the credential theft stage.

Why is Cloudflare Workers relevant here?

Because the phishing kit ran on workers.dev subdomains, which can help attacker-hosted pages blend into legitimate cloud traffic and slow casual detection.
