criticalAPT
SideWinder APT Credential Harvesting Campaign — PaaS Platform Abuse at Scale
InvestigatedApril 5, 2026PublishedApril 5, 2026
Threat Actors:APT-04ProfileAssessment**:
sidewindermhilzeaburrataptphishingcloudflaretor
TLP: WHITE Date: 2026-04-05 Analyst: GHOST (Breakglass Intelligence) Classification: APT (Nation-State Espionage) Investigation ID: BGI-2026-041
Executive Summary
Breakglass Intelligence investigated a SideWinder APT credential harvesting campaign targeting South Asian military and government organizations through systematic abuse of legitimate Platform-as-a-Service (PaaS) providers. Starting from a single phishing URL on Zeabur (a Taiwanese PaaS), we mapped 20 infrastructure nodes across 8 platforms spanning a 5-month campaign (November 2025 to April 2026). The campaign targets Pakistan military, Pakistan telecommunications, and Bangladesh government/military organizations using cloned Zimbra webmail login pages with a sophisticated multi-stage credential harvesting flow that collects victim passwords twice. We identified a confirmed victim email address belonging to a Margalla Heavy Industries Limited (MHIL) project coordinator, decoded directly from a phishing URL parameter. Two phishing sites remain LIVE and actively harvesting credentials as of April 5, 2026.
Key Findings
- 20 infrastructure nodes across Zeabur (7), Leapcell (5), Railway (3), Cloudflare Workers (2), Replit (1), Back4App (1), and URL shorteners (2 services)
- 7 confirmed/high-confidence target organizations: Margalla Heavy Industries (Pakistan defense), Bangladesh Navy, Pakistan Air Force, Nayatel (Pakistan ISP), Bangladesh Computer Council, NTC Pakistan, and an unidentified International Relations entity
- Confirmed victim email decoded:
pgcoord-251@margallahil[.]com(project coordinator at Margalla Heavy Industries) - Dual-harvest attack flow: Credentials stolen TWICE via sequential Zimbra-impersonating login pages with different target branding
- 2 sites LIVE as of analysis date:
contract-agreement-with-staff.zeabur[.]appandzimbramail-nayatel-com.zeabur[.]app - Consistent operational fingerprint: Identical parameter name
gfjdliotrgojnghgherbegrehureert0e0eeacross ALL instances, unique to this campaign - Campaign-specific PDF lures themed around Pakistani defense contracts and technical engineering documents
What Was Found vs. What Was Known
| Aspect | Prior Reporting (@volrant136) | Our Findings |
|---|---|---|
| Infrastructure | 1 URL on Zeabur | 20 nodes across 8 platforms, 5-month timeline |
| Targets | MHIL (implied) | 7 organizations: MHIL, BD Navy, PAF, Nayatel, BCC, NTC, IR entity |
| Victims | Unknown | 1 confirmed victim email decoded from URL |
| Attack Flow | Credential harvester | Multi-stage dual-harvest chain with PDF lure + 2x password theft |
| Live Status | Unknown | 2 sites confirmed LIVE and actively harvesting |
| Platform Abuse | Zeabur only | Zeabur + Leapcell + Railway + CF Workers + Replit + Back4App |
| Campaign Duration | Single point in time | November 2025 through April 2026 (5+ months continuous) |
Attack Chain
[Spearphishing Email]
|
v
[URL Shortener] (short.gy, tinyurl.cx, Replit) <-- disposable redirector
|
v
[Root Page on PaaS] (Zeabur/Railway/Leapcell/CF Workers)
|-- Displays PDF lure document in <object> tag
|-- Auto-redirects to /load.html after 1 second
|
v
[Loading Page] (/load.html)
|-- Shows loading spinner
|-- Redirects to /login.html after 3 seconds
|-- Passes base64-encoded victim email
|
v
[First Credential Harvest] (/login.html) <-- Zimbra clone, Bangladesh Navy branding
|-- Pre-fills victim username from base64 param
|-- "Session Expired" social engineering
|-- POSTs credentials to /submit
|
v
[Server-Side Processing] (/submit)
|-- Stores credentials
|-- Redirects to /login/ with base64 email
|
v
[Second Credential Harvest] (/login/) <-- Zimbra clone, Pakistan Air Force branding
|-- Pre-fills victim email from server
|-- "Wrong password" social engineering
|-- POSTs credentials to /try
|
v
[Final Redirect] (/try)
|-- Redirects to legitimate-looking PDF document
|-- "Contract Agreement with Stall Builder for Fabrication of Pak Pavilion.pdf"
|-- Completes social engineering illusion
Key Insight: The dual-harvest design suggests the actor is targeting victims who may have credentials at MULTIPLE organizations (e.g., military personnel with both Bangladesh Navy and Pakistan Air Force accounts, or defense contractors with access to multiple government mail systems).
Infrastructure Analysis
Platform Abuse Timeline
| Date | Platform | Subdomain | Lure/Target | Status |
|---|---|---|---|---|
| 2025-11-20 | Zeabur | page-view-mail.zeabur[.]app | MHIL (margallahil.com) | DEAD |
| 2025-12-19 | Zeabur | staff-performance-appraisals-nov-2025.zeabur[.]app | HR/Performance review lure | DEAD |
| 2025-12-24 | Zeabur | maill-bcc-gov-bd-pdf.zeabur[.]app | Bangladesh Computer Council | DEAD |
| 2025-12-29 | Zeabur | wqqwysd-qwbeaxsb.zeabur[.]app | Random subdomain | DEAD |
| 2026-01-03 | Back4App | mailscodomain-hubenkks.b4a[.]run | Zimbra generic | DEAD |
| 2026-01-04 | Railway | zimbra-com.up.railway[.]app | Zimbra generic | DEAD |
| 2026-01-06 | Zeabur | site4-map-com.zeabur[.]app | Unknown target | DEAD |
| 2026-01-15 | Leapcell | zimbra10-nml3wp-max8143-3ipio7e5.leapcell[.]dev | Unknown target | DEAD |
| 2026-01-21 | Leapcell | zimbra10-nml3wp-max8143-fn1rsf7l.leapcell[.]dev | Unknown target | DEAD |
| 2026-01-30 | Leapcell | zimbra10-internationalrelation40-beep5751.leapcell[.]dev | International Relations entity | DEAD |
| 2026-02-05 | Railway | mail-zimbra-com.up.railway[.]app | Zimbra generic | DEAD |
| 2026-02-26 | Railway | openthesubjectfile.up.railway[.]app | Document-themed | DEAD |
| 2026-03-09 | Leapcell | zimbramail-nayatel.leapcell[.]app | Nayatel (Pakistan ISP) | DEAD |
| 2026-03-10 | Leapcell | zimbramail-nayatel-gov.leapcell[.]app | Nayatel (gov variant) | DEAD |
| 2026-03-11 | CF Workers | royal-field-9144.girlfriendparty42.workers[.]dev | Zimbra phishing | DEAD |
| 2026-03-25 | CF Workers | zimramail-nayatel.girlfriendparty42.workers[.]dev | Nayatel (typo variant) | DEAD |
| 2026-03-25 | Replit | neshortfile-showsopen-1--itdtegso2bd.replit[.]app | URL redirector | DEAD |
| 2026-03-30 | Zeabur | contract-agreement-with-staff.zeabur[.]app | Pak Pavilion / MHIL | LIVE |
| 2026-03-31 | Zeabur | zimbramail-nayatel-com.zeabur[.]app | Nayatel (Pakistan ISP) | LIVE |
URL Shortener Layer
| Service | Short URL | Redirects To | Date |
|---|---|---|---|
| short.gy | iqwlwj.short[.]gy/Y5qMhQ | Zeabur phishing | 2026-01-07 |
| short.gy | mzrakq.short[.]gy/A6tpOv | Leapcell phishing | 2026-01-23 |
| short.gy | mzrakq.short[.]gy/FCViGX | Leapcell phishing | 2026-01-21 |
| short.gy | mzrakq.short[.]gy/tmBpOW | Leapcell phishing | 2026-01-29 |
| short.gy | chdu4x.short[.]gy/MMiuEf | Leapcell phishing | 2026-01-29 |
| tinyurl.cx | tinyurl[.]cx/clfVy | Railway phishing | 2026-02-11 |
| tinyurl.cx | tinyurl[.]cx/eSRaM | Railway phishing | 2026-02-05 |
| tinyurl.cx | tinyurl[.]cx/wwVrn | Railway phishing | 2026-02-26 |
| tinyurl.cx | tinyurl[.]cx/IRkqG | Railway phishing | 2026-02-26 |
| Replit | neshortfile-showsopen-1--itdtegso2bd.replit[.]app/Hjdzis | Zeabur phishing | 2026-03-30 |
| Replit | neshortfile-showsopen-1--itdtegso2bd.replit[.]app/jVLVqn | Zeabur phishing | 2026-03-25 |
Network Infrastructure
| IP | ASN | Provider | Hostnames | Services | Notes |
|---|---|---|---|---|---|
| 43.159.166.153 | Tencent | Tencent Cloud (US PoP) | detrouble[.]com | 80/443 (Apache 2.4.66, PHP 8.3.30) | Zeabur load balancer |
TLS Certificate
- Subject:
*.zeabur.app(wildcard) - Issuer: Google Trust Services (WR1)
- SANs:
*.zeabur.app,zeabur.app,*.fra1.zeabur.app,*.hkg1.zeabur.app,*.hnd1.zeabur.app,*.kix1.zeabur.app,*.sfo1.zeabur.app,*.tpe1.zeabur.app,*.tpe0.zeabur.app,*.cgk1.zeabur.app,*.sjc1.zeabur.app - Validity: 2026-03-12 to 2026-06-10
- Note: Wildcard cert shared across all Zeabur deployments -- no certificate-based differentiation possible
DNS Chain
contract-agreement-with-staff.zeabur.app
-> CNAME: sjc1.cname.zeabur-dns.com
-> CNAME: lb-2jibk09k-1uo03wlhxdkp2yrn.clb.usw-tencentclb.com
-> A: 43.159.166.153
Zeabur uses Tencent Cloud Load Balancer infrastructure (San Jose / US West region).
Phishing Kit Analysis
Server Technology
- Backend: Express.js (Node.js) -- confirmed via
X-Powered-By: Expressheader - Deployment: Static files + server-side routes on Zeabur PaaS
- Last Modified: 2026-03-17 08:27:37 UTC (all static files share this timestamp)
Phishing Kit Fingerprints
| Artifact | SHA256 | Size |
|---|---|---|
| commonloginzhtmlskin.css | 07c63a73d5f4d11f41dfe9afd9bd3a3f99a0eca4a62439cf8f03eb0964137b78 | 65,117 bytes |
| zimbra.png | 06635593a68d32c8992ad23927074f2d8c922a9139eae7507af1879faa8c23fe | 14,968 bytes |
| CSRF token (hardcoded) | ec529cbe-89f5-4964-b46f-b3dc29789899 | Static across all pages |
Parameter Naming Convention
The actor uses long, pseudo-random parameter names as tracking/routing identifiers:
| Parameter | Used On | Purpose |
|---|---|---|
gfjdliotrgojnghgherbegrehureert0e0ee | /login.html | Victim email (base64), present across ALL campaign instances |
bfjkdghurehgjufhdkhgruiegbvousdhfowehr | /load.html | Victim tracking, intermediary redirect |
hfdgdhguirehfdhgfdrereoh | /login/ (post-theft) | Victim email (base64), server-generated |
contract-agreement-with-staff | / (root, MHIL) | Campaign identifier / entry gate |
WsdftYdsfsdRadyweEdfdesIsdfjdsP | / (root, Nayatel) | Campaign identifier / entry gate |
weriouiof23dskjhvxwtue546iysdfcnbv | / (root, CF Workers) | Campaign identifier / entry gate |
oasnxsauhbasdbxsa | / (root, early) | Campaign identifier / entry gate |
file1newdownload7r4ygduegur7348ru2ggru | / (root, BCC) | Campaign identifier / entry gate |
Critical OPSEC Fingerprint: The parameter gfjdliotrgojnghgherbegrehureert0e0ee is UNIQUE to this actor and present across ALL 20 infrastructure nodes over 5 months. This is the strongest single indicator for campaign tracking and detection.
Social Engineering Lures
| Campaign | PDF Lure | Target Context |
|---|---|---|
| MHIL (contract-agreement-with-staff) | "Contract Agreement with Stall Builder for Fabrication of Pak Pavilion" | Pakistan defense exhibition stall construction |
| Nayatel (zimbramail-nayatel-com) | "Mechanical Interface requirements" | Telecommunications engineering document |
| HR-themed (staff-performance-appraisals) | Staff performance appraisals | Generic HR document |
| BCC (maill-bcc-gov-bd-pdf) | Unknown (site dead) | Bangladesh government document |
| Document-themed (openthesubjectfile) | "Open the subject file" (implied) | Generic document lure |
Error Messages Used
- First harvest: "Your Session Expired Enter Password to Sign in again!!." (extra period, double exclamation)
- Second harvest: "Wrong password re-enter your password to sign in again!!." (double exclamation)
Impersonated Services
| Stage | Service | Banner Link | Logo |
|---|---|---|---|
| First credential harvest | Zimbra Web Client | hxxp://mail.navy.mil[.]bd/ | zimbra.png (generic) |
| Second credential harvest | Zimbra Web Client | hxxp://mail.paf.gov[.]pk/ | zimbra.png (generic) |
Note: The alt attribute on the Zimbra logo image reads "HIT logo" -- this is a residual artifact that likely references HIT (Harbin Institute of Technology) or a prior version of the phishing kit that targeted a different organization.
Victim Analysis
Confirmed Victims
| Organization | Sector | Country | Evidence | Confidence |
|---|---|---|---|---|
| Margalla Heavy Industries Ltd (MHIL) | Defense Manufacturing | Pakistan | Victim email pgcoord-251@margallahil[.]com decoded from URL param | CONFIRMED |
Targeted Organizations
| Organization | Sector | Country | Evidence | Confidence |
|---|---|---|---|---|
| Bangladesh Navy | Military | Bangladesh | Banner link mail.navy.mil[.]bd in Stage 1 login | HIGH |
| Pakistan Air Force (PAF) | Military | Pakistan | Banner link mail.paf.gov[.]pk in Stage 2 login | HIGH |
| Nayatel | Telecommunications/ISP | Pakistan | 4 dedicated phishing subdomains across 3 platforms | HIGH |
| Bangladesh Computer Council (BCC) | Government IT | Bangladesh | Dedicated subdomain maill-bcc-gov-bd-pdf | HIGH |
| NTC (Pakistan) | Telecommunications | Pakistan | ntc-logo-login.png asset in phishing kit | MEDIUM |
| International Relations entity | Government/Diplomatic | Unknown | Leapcell subdomain containing "internationalrelation" | MEDIUM |
Targeting Pattern
- Geographic Focus: Pakistan (primary), Bangladesh (secondary)
- Sector Focus: Military (Navy, Air Force), Defense Manufacturing, Telecommunications, Government IT
- Consistent with SideWinder: India-nexus APT historically targeting Pakistan military, government, and strategic industries
Threat Actor Profile
Attribution Assessment
- Confidence: HIGH
- Attribution: SideWinder APT (also known as T-APT-04, Rattlesnake, Razor Tiger, APT-C-17)
- Country/Region: India (assessed)
- Motivation: Strategic espionage targeting Pakistan and Bangladesh military/government
- Evidence for Attribution:
- Zimbra credential harvesting is a documented SideWinder TTP (multiple prior reports by Group-IB, Kaspersky, BlackBerry)
- Targeting profile matches SideWinder exactly: Pakistan military (PAF), Pakistan defense contractors (MHIL), Pakistan ISPs (Nayatel), Bangladesh government (BCC, Navy)
- Original IOC reported by @volrant136 (Hunt.io researcher) with SideWinder attribution
- PDF lure themes (defense contracts, Pak Pavilion) match SideWinder historical lures targeting Pakistani defense exhibitions
- Campaign aligns with Breakglass prior SideWinder investigations (BGI-2025-003 Azerbaijan, BGI-2026-002 WarMachine)
OPSEC Failures
- Reused unique parameter name (
gfjdliotrgojnghgherbegrehureert0e0ee) across ALL infrastructure for 5+ months -- enables trivial campaign tracking - Hardcoded CSRF token (
ec529cbe-89f5-4964-b46f-b3dc29789899) is identical across all instances -- not dynamically generated - Typo in PDF lure filename: Root page uses "Csontract" while final redirect uses "Contract" -- copy-paste error
- Typo in Cloudflare Workers subdomain: "zimramail" instead of "zimbramail" -- keyboard error
- Victim email leaked in URL: Base64-encoded victim email
pgcoord-251@margallahil[.]comvisible in URLScan submission - Alt text artifact: Logo
alt="HIT logo"reveals a prior kit version or shared template - Same phishing kit structure across all platforms with identical CSS/JS/HTML -- no per-deployment obfuscation
- Express.js X-Powered-By header not disabled -- reveals server technology
Campaign Evolution (Nov 2025 - Apr 2026)
| Phase | Period | Platforms | Notes |
|---|---|---|---|
| Phase 1 | Nov 2025 | Zeabur only | Initial deployment, page-view-mail subdomain |
| Phase 2 | Dec 2025 - Jan 2026 | Zeabur + Back4App + Railway + Leapcell | Platform diversification begins |
| Phase 3 | Feb 2026 | Railway + URL shorteners (tinyurl.cx) | Added redirector layer |
| Phase 4 | Mar 2026 | Leapcell + CF Workers + Replit + Zeabur | Maximum platform diversity, Nayatel focus |
| Phase 5 | Apr 2026 | Zeabur (consolidated) | Two active sites, matured kit |
The actor progressively diversified across more platforms (likely as earlier deployments were detected/taken down) before consolidating back to Zeabur for the latest wave.
Cross-Reference with Prior Breakglass SideWinder Investigations
| Aspect | BGI-2025-003 (Azerbaijan) | BGI-2026-002 (WarMachine) | BGI-2026-041 (This) |
|---|---|---|---|
| Delivery | CVE-2017-0199 RTF chain | CVE-2026-21509 | Zimbra credential phishing |
| Infrastructure | Self-hosted (defence-np[.]net) | VPS servers | PaaS platform abuse |
| Targets | Azerbaijan defense | Pakistan SIEHS/PSCA | Pak military/BD gov |
| Sophistication | Custom malware delivery | Server-side exploitation | Credential harvesting |
| Status | Campaign closed | Ongoing | 2 sites LIVE |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Reconnaissance | Gather Victim Identity Information: Email Addresses | T1589.002 | Targeted email addresses base64-encoded in URLs |
| Resource Development | Acquire Infrastructure: Web Services | T1583.006 | Abuse of 6 PaaS platforms for hosting |
| Resource Development | Stage Capabilities: Link Target | T1608.005 | URL shorteners (short.gy, tinyurl.cx, Replit) |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Emailed links to phishing pages |
| Credential Access | Input Capture: Web Portal Capture | T1056.003 | Cloned Zimbra login pages |
| Collection | Data from Information Repositories: Code Repositories | T1213 | N/A |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Subdomains matching target org names |
IOC Summary
Network Indicators (Defanged)
Active Phishing Sites (LIVE as of 2026-04-05):
hxxps://contract-agreement-with-staff.zeabur[.]app/login.htmlhxxps://zimbramail-nayatel-com.zeabur[.]app/login.html
Historical Phishing Sites (DEAD):
hxxps://page-view-mail.zeabur[.]app/hxxps://staff-performance-appraisals-nov-2025.zeabur[.]app/hxxps://maill-bcc-gov-bd-pdf.zeabur[.]app/hxxps://wqqwysd-qwbeaxsb.zeabur[.]app/hxxps://site4-map-com.zeabur[.]app/hxxps://zimbra-com.up.railway[.]app/hxxps://mail-zimbra-com.up.railway[.]app/hxxps://openthesubjectfile.up.railway[.]app/hxxps://zimbra10-nml3wp-max8143-3ipio7e5.leapcell[.]dev/hxxps://zimbra10-nml3wp-max8143-fn1rsf7l.leapcell[.]dev/hxxps://zimbra10-internationalrelation40-beep5751-brqupv53.leapcell[.]dev/hxxps://zimbramail-nayatel.leapcell[.]app/hxxps://zimbramail-nayatel-gov.leapcell[.]app/hxxps://royal-field-9144.girlfriendparty42.workers[.]dev/hxxps://zimramail-nayatel.girlfriendparty42.workers[.]dev/hxxps://mailscodomain-hubenkks.b4a[.]run/hxxp://neshortfile-showsopen-1--itdtegso2bd.replit[.]app/
URL Shortener Links:
hxxps://iqwlwj.short[.]gy/Y5qMhQhxxps://mzrakq.short[.]gy/A6tpOvhxxps://mzrakq.short[.]gy/FCViGXhxxps://mzrakq.short[.]gy/tmBpOWhxxps://chdu4x.short[.]gy/MMiuEfhxxps://tinyurl[.]cx/clfVyhxxps://tinyurl[.]cx/eSRaMhxxps://tinyurl[.]cx/wwVrnhxxps://tinyurl[.]cx/IRkqG
IP Address:
43.159.166[.]153(Tencent Cloud, Zeabur LB)
File Indicators
| Artifact | SHA256 |
|---|---|
| commonloginzhtmlskin.css | 07c63a73d5f4d11f41dfe9afd9bd3a3f99a0eca4a62439cf8f03eb0964137b78 |
| zimbra.png | 06635593a68d32c8992ad23927074f2d8c922a9139eae7507af1879faa8c23fe |
Behavioral Indicators
- URL parameter:
gfjdliotrgojnghgherbegrehureert0e0ee(unique campaign fingerprint) - URL parameter:
bfjkdghurehgjufhdkhgruiegbvousdhfowehr(intermediary redirect) - URL parameter:
hfdgdhguirehfdhgfdrereoh(post-theft redirect) - Hardcoded CSRF:
ec529cbe-89f5-4964-b46f-b3dc29789899 - HTTP header:
X-Powered-By: Express - Page title: "Zimbra Web Client Sign In" (exact)
- Error text: "Your Session Expired Enter Password to Sign in again!!."
- Error text: "Wrong password re-enter your password to sign in again!!."
- Logo alt text: "HIT logo"
- Form action endpoints:
/submit(first harvest),/try(second harvest)
Recommended Actions
Immediate (24-48 hours)
- Block all IOCs listed above at email gateway, web proxy, and DNS resolver level
- Notify Zeabur (abuse@zeabur.com) to take down the two LIVE phishing sites
- Notify MHIL (Margalla Heavy Industries) that the email
pgcoord-251@margallahil[.]comhas been targeted -- password reset required - Notify BD-CERT regarding Bangladesh Navy targeting
- Notify Pakistan CERT (PKCERT/NR3C) regarding PAF and MHIL targeting
- Search email logs for the unique parameter string
gfjdliotrgojnghgherbegrehureert0e0eeto identify any employees who clicked
Short-term (1-2 weeks)
- Implement detection rules (YARA/Suricata below) for the phishing kit fingerprints
- Monitor crt.sh and URLScan for new deployments matching the campaign fingerprint
- Report URL shortener links to short.gy and tinyurl.cx for takedown
- Notify Leapcell, Railway, Cloudflare, Replit, and Back4App of historical abuse
Medium-term (1-3 months)
- Block PaaS platforms at the subdomain level where organizational policy permits (especially for organizations in the target profile)
- Implement DMARC/DKIM/SPF enforcement to reduce spearphishing delivery success
- Deploy phishing-resistant MFA (FIDO2/WebAuthn) for all Zimbra deployments in targeted organizations
Abuse Reports
Zeabur (Priority: CRITICAL -- 2 LIVE sites)
To: Zeabur Trust & Safety
Subject: Active phishing sites on Zeabur platform — credential harvesting
Two active phishing deployments are impersonating Zimbra webmail to steal credentials
from Pakistan/Bangladesh military and government personnel:
1. contract-agreement-with-staff.zeabur.app (LIVE - credential harvester)
2. zimbramail-nayatel-com.zeabur.app (LIVE - credential harvester)
These are part of a nation-state espionage campaign (SideWinder APT) that has abused
your platform since November 2025. Seven historical subdomains have also been used.
Request immediate takedown and account suspension.
References
- @volrant136 (Hunt.io): Original IOC disclosure (April 2, 2026)
- @skocherhan: Repost amplifying the IOC
- Breakglass Intelligence BGI-2025-003: SideWinder Azerbaijan Campaign (defence-np[.]net)
- Breakglass Intelligence BGI-2026-002: WarMachine/MALDEV01 (CVE-2026-21509)
- Group-IB (2024): "SideWinder's Credential Phishing Operations Against South Asian Governments"
- BlackBerry (2023): "SideWinder Uses Server-Side Polymorphism to Attack Pakistan Government"
GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."