Twenty Nodes, Eight Platforms, and a Password Stolen Twice: SideWinder's PaaS-Hopping Campaign Against South Asian Defense
SideWinder abuses Zeabur, Leapcell, Railway, Cloudflare Workers, Replit, and Back4App to target 7 military and government organizations with a dual credential harvest
SideWinder doesn't use traditional hosting anymore. Across twenty infrastructure nodes, the Indian APT group abused eight legitimate Platform-as-a-Service providers — Zeabur, Leapcell, Railway, Cloudflare Workers, Replit, Back4App, short.gy, and tinyurl.cx — to build a credential harvesting operation targeting seven South Asian military and government organizations over five months.
We've published two prior SideWinder investigations this week: the Azerbaijan-Russia diplomatic campaign via defence-np[.]net, and the WarMachine/MALDEV01 CVE-2026-21509 exploit chain targeting Pakistani civilian government. This third investigation, triggered by @volrant136 (Hunt.io), reveals a parallel operation targeting defense contractors and military services — and a technique we haven't seen before: stealing the same victim's password twice.
The Double Harvest
The phishing page at contract-agreement-with-staff[.]zeabur[.]app doesn't just steal one set of credentials. The attack chain has five stages:
- PDF lure — a defense/engineering-themed document preview
- Loading spinner with timed redirect delays
- First credential theft — a Zimbra webmail clone impersonating Bangladesh Navy
- Second credential theft — a Zimbra clone impersonating Pakistan Air Force
- Final redirect to a legitimate-looking PDF
The victim enters their password at step 3, sees an error, and enters it again at step 4 — but these are two different credential harvesting pages impersonating two different organizations. The actor is targeting individuals who have email accounts at multiple military services. A defense contractor liaison, a joint exercise coordinator, an attaché — someone whose work spans both Bangladesh and Pakistani military communications.
The Confirmed Victim
A URLScan capture from November 2025 preserved a URL with a base64-encoded parameter. Decoded: pgcoord-251@margallahil[.]com — a project coordinator at Margalla Heavy Industries Limited (MHIL).
MHIL is a Pakistani defense company operating from the Margalla Hills area, involved in heavy engineering for military applications. A project coordinator at this company would have communications with multiple military procurement offices — exactly the kind of cross-organizational access the dual-harvest technique is designed to exploit.
Eight Platforms, Zero Traditional Hosting
| Platform | Nodes | Purpose |
|---|---|---|
| Zeabur | 7 | Primary phishing hosting |
| Leapcell | 5 | Secondary phishing hosting |
| Railway | 3 | Credential collection backend |
| Cloudflare Workers | 2 | Redirectors |
| Replit | 1 | Testing/staging |
| Back4App | 1 | Backend service |
| short.gy | — | URL shortening |
| tinyurl.cx | — | URL shortening |
Every node runs on a legitimate PaaS provider's free tier. No VPS provisioning. No domain registration (most use .zeabur.app, .leapcell.dev, .railway.app subdomains). No infrastructure to be "taken down" in the traditional sense — the attacker creates a new free-tier project in minutes when one is reported.
This is the infrastructure equivalent of living off the land. SideWinder isn't buying servers; they're borrowing platforms.
Seven Targets
| Organization | Country | Sector |
|---|---|---|
| Margalla Heavy Industries (MHIL) | Pakistan | Defense contractor |
| Pakistan Air Force | Pakistan | Military |
| Bangladesh Navy | Bangladesh | Military |
| Nayatel | Pakistan | Telecom/ISP |
| Bangladesh Computer Council | Bangladesh | Government IT |
| NTC Pakistan | Pakistan | Telecom |
| International Relations (unidentified) | Unknown | Diplomacy |
The targeting spans Pakistan and Bangladesh military and government entities. Combined with our earlier findings — Azerbaijan-Russia diplomatic targeting, Indian civilian government targeting — SideWinder's 2026 operational scope now covers diplomacy, civilian government, military, defense industry, and telecommunications across at least four countries.
The Reused Parameter
Every single phishing URL across all twenty nodes uses the same query parameter:
?gfjdliotrgojnghgherbegrehureert0e0ee=1
This 35-character string has been used unchanged for five months. It's a campaign identifier or anti-analysis flag — and it's a trivial detection signature. Any proxy, web-gateway or URL log entry containing this parameter is SideWinder activity.
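A log-triage helper that ties together the three indicators this report gives a defender: the reused query parameter, the free-tier PaaS project subdomains from the hosting table, and the base64-encoded victim address seen in the URLScan capture. This is an added example, not code from the report or from Breakglass Intelligence; the proxy line format, the sample lines and the liaison@example.org address are constructed, and only the three suffixes the report names are pre-loaded.

```python
"""Triage proxy log URLs for the SideWinder PaaS phishing pattern.

Added example, not code from the report. Indicators (campaign parameter,
PaaS suffixes) come from the report; the log line format, the sample lines
and the victim address are constructed.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Query parameter the report found unchanged on every node for five months.
CAMPAIGN_PARAM = "gfjdliotrgojnghgherbegrehureert0e0ee"

# Project-subdomain suffixes the report names. Add the other abused
# platforms (Cloudflare Workers, Replit, Back4App) once you have confirmed
# the suffixes they use in your own telemetry.
PAAS_SUFFIXES = {
    ".zeabur.app": "Zeabur",
    ".leapcell.dev": "Leapcell",
    ".railway.app": "Railway",
}

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def refang(url: str) -> str:
    """Turn a defanged IOC ('[.]', 'hxxp', missing scheme) into a parseable URL."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    return url if "://" in url else "https://" + url


def platform_for_host(host: str):
    """Name the PaaS provider if host is a project subdomain (not the apex itself)."""
    host = host.lower().rstrip(".")
    for suffix, name in PAAS_SUFFIXES.items():
        if host.endswith(suffix) and host != suffix.lstrip("."):
            return name
    return None


def decode_email_param(value: str):
    """Return the address if value is base64 (standard or URL-safe) of an email."""
    value = value.replace(" ", "+")          # parse_qs turns a literal '+' into ' '
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    for altchars in (None, b"-_"):
        try:
            text = base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except ValueError:                   # covers binascii.Error and UnicodeDecodeError
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def triage_url(url: str) -> dict:
    """Classify one URL: hosting platform, campaign marker, embedded victim address."""
    parts = urlsplit(refang(url))
    params = parse_qs(parts.query, keep_blank_values=True)
    host = parts.hostname or ""
    victims = []
    for values in params.values():
        for value in values:
            email = decode_email_param(value)
            if email:
                victims.append(email)
    return {
        "host": host,
        "platform": platform_for_host(host),
        "campaign_param": CAMPAIGN_PARAM in params,
        "victims": victims,
    }


def scan_proxy_log(lines):
    """Return hits from 'timestamp src_ip method url' lines (constructed format)."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, src, _method, url = fields
        info = triage_url(url)
        if info["campaign_param"]:
            verdict = "campaign-match"   # definitive: the reused parameter
        elif info["platform"]:
            verdict = "paas-host"        # review only; most free-tier PaaS traffic is benign
        else:
            continue
        hits.append({"ts": ts, "src": src, "verdict": verdict, **info})
    return hits


def sample_log():
    """Constructed proxy lines: one campaign hit, the PaaS apex, noise, one benign PaaS app."""
    victim = base64.b64encode(b"liaison@example.org").decode()  # constructed victim address
    return [
        f"2025-11-12T09:14:03Z 10.0.0.21 GET https://contract-agreement-with-staff.zeabur.app/?{CAMPAIGN_PARAM}=1&u={victim}",
        "2025-11-12T09:14:09Z 10.0.0.21 GET https://zeabur.app/",
        "2025-11-12T09:15:41Z 10.0.0.33 GET https://docs.example.com/index.html",
        "2025-11-12T09:16:02Z 10.0.0.45 GET https://my-notes-app.railway.app/login",
    ]


if __name__ == "__main__":
    for hit in scan_proxy_log(sample_log()):
        print(hit["verdict"], hit["src"], hit["host"], hit["victims"])
```

The two verdict levels matter in practice: the parameter match is a high-confidence indicator on its own, while a bare PaaS project subdomain is only a prompt to look, since the same free tiers host plenty of legitimate apps. The apex domain of each platform is deliberately excluded so that users visiting the provider's own site do not show up as hits.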
Still Live
Two Zeabur-hosted phishing sites remain active:
- contract-agreement-with-staff[.]zeabur[.]app (MHIL campaign)
- zimbramail-nayatel-com[.]zeabur[.]app (Nayatel campaign)
Detection
Four YARA rules and nine Suricata signatures covering the Zeabur/Leapcell/Railway phishing patterns, the dual-harvest Zimbra clones, and the reused parameter fingerprint are available on our GitHub:
Twenty nodes. Eight platforms. Seven targets. One parameter reused for five months. Investigation conducted autonomously by GHOST -- Breakglass Intelligence.
h/t @volrant136 and @Huntio for the initial tip. Add @volrant136 to the watch list.