Z2FA_LTS: A Sidewinder APT Phishing Kit Developer Burns Their Linux Username in an Express.js Stack Trace
An unhandled POST triggers a 500 error that leaks the developer path /home/moincox/Z2FA_LTS/app.js. URLScan history maps 7 Worker deployments under the current Cloudflare account, links them to an earlier burned account, and shows 3 months of South Asian government targeting.
When @volrant136 flagged a Cloudflare Workers URL hosting a Zimbra credential harvester targeting Bangladesh Navy's webmail (mail.navy.mil.bd), we investigated. The phishing kit was polished — a pixel-perfect Zimbra clone with reverse-proxied CSS from the real server, a blurred PDF viewer as a lure, and Express.js session management.
Then we sent a POST request without the expected query parameter. The server returned a 500 error with a full stack trace:
TypeError: Cannot destructure property 'username' of 'req.body' as it is undefined.
at /home/moincox/Z2FA_LTS/app.js:302:11
The phishing kit developer's Linux home directory, username, and internal project name, exposed in a single unhandled error. We then used URLScan to map 7 Worker deployments (6 distinct subdomains) under the current Cloudflare account and tie them to an earlier account, covering 3 months of targeting: Bangladesh Navy, Pakistan's Ministry of Foreign Affairs, iCloud users, and more.
The kit is still live. The lure document is a stolen Pakistani diplomatic cable naming 9 government officials. Multiple researchers — @Huntio, @500mk500, @MichalKoczwara, and @malwrhunterteam — corroborate Sidewinder attribution.
Table of Contents
- The OPSEC Burn: /home/moincox/Z2FA_LTS/
- The Phishing Kit: Z2FA_LTS Architecture
- The Lure: A Stolen Pakistani Diplomatic Cable
- Attack Flow Reconstruction
- Campaign Timeline: 7 Workers, 2 Accounts, 3 Months
- Infrastructure Continuity: malik-jaani786 and girlfriendparty42
- Multi-Target Map
- What This Report Adds
- IOC Table
- MITRE ATT&CK Mapping
- Detection Signatures
- Recommendations
The OPSEC Burn
The entire investigation pivots on a single mishandled error condition.
The phishing kit's credential harvester lives at the root path (/). When a victim submits the Zimbra login form, the browser POSTs loginOp, username, password, and client to / with the query parameter safepreivewfiledownloadforminboxmailserver=1 (note the typo in "preivew", present in every capture of this Worker; the other Workers use their own gate strings, listed under Query Parameter Fingerprints below).
But the Express.js route handler at app.js:302 destructures {username} directly from req.body without checking that a body parser populated it. The frames under node_modules/router/ belong to the standalone router package that Express 5 depends on, and Express 5 leaves req.body undefined (not {}) when no body-parsing middleware matched the request. So a POST without a form body, or without the application/x-www-form-urlencoded content type, makes the handler throw before any validation runs, and because the app is running Express's default error handler outside production mode, the full stack trace goes back to the client:
TypeError: Cannot destructure property 'username' of 'req.body' as it is undefined.
at /home/moincox/Z2FA_LTS/app.js:302:11
at Layer.handleRequest (/home/moincox/Z2FA_LTS/node_modules/router/lib/layer.js:152:17)
at next (/home/moincox/Z2FA_LTS/node_modules/router/lib/route.js:157:13)
at Route.dispatch (/home/moincox/Z2FA_LTS/node_modules/router/lib/route.js:117:3)
at handle (/home/moincox/Z2FA_LTS/node_modules/router/index.js:435:11)
at session (/home/moincox/Z2FA_LTS/node_modules/express-session/index.js:494:7)
A second stack trace leaks from POST to /admin/login without a body:
at /home/moincox/Z2FA_LTS/app.js:556:11
From these two errors, we extract:
| Artifact | Value | Significance |
|---|---|---|
| Home directory | /home/moincox/ | Linux username of kit developer/operator |
| Project name | Z2FA_LTS | Internal kit name; our reading is "Zimbra 2FA Long-Term Support" |
| Entry point | app.js | Single Express.js application |
| Credential handler | Line 302 | Where harvested creds are processed |
| Admin handler | Line 556 | Admin panel authentication |
| Session middleware | express-session | Server-side session management |
| Router | router npm package | Standalone router package that Express 5 depends on, so the kit runs Express 5 |
The developer handle moincox returns no results on GitHub, npm, or major code hosting platforms. The name structure — potentially a compound of "Moin" (common in South Asian naming) and "Cox" — is consistent with the campaign's South Asian operational context but remains unresolved.
The project name Z2FA_LTS reveals how the developer categorizes the kit internally: a long-term support version of a Zimbra two-factor auth phishing platform. The "LTS" suffix suggests prior versions exist.
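The probe-and-parse step above, as an added example (not the report's tooling and not the kit's code): a body-less POST sent with no Content-Type, followed by a parser that pulls the home-directory username, project name, application frames and middleware packages out of whatever stack trace comes back. The plain-text sample is the stack trace quoted above; the HTML-wrapped variant mirrors the shape of Express's default error page and is constructed here, as are the probe paths (the two handlers the report found crashing, behind the report's gate parameter).

```python
"""Body-less POST probe for Express apps and a parser for the Node stack trace
that a non-production default error handler returns.

Added example, not code from the report or the kit. SAMPLE_500_BODY is the
report's stack trace; SAMPLE_500_HTML, the probe targets and the output
format are constructed here."""
import html
import http.client
import re
import sys
import urllib.parse

# Constructed sample: the report's stack trace as a plain-text body.
SAMPLE_500_BODY = """\
TypeError: Cannot destructure property 'username' of 'req.body' as it is undefined.
    at /home/moincox/Z2FA_LTS/app.js:302:11
    at Layer.handleRequest (/home/moincox/Z2FA_LTS/node_modules/router/lib/layer.js:152:17)
    at next (/home/moincox/Z2FA_LTS/node_modules/router/lib/route.js:157:13)
    at Route.dispatch (/home/moincox/Z2FA_LTS/node_modules/router/lib/route.js:117:3)
    at handle (/home/moincox/Z2FA_LTS/node_modules/router/index.js:435:11)
    at session (/home/moincox/Z2FA_LTS/node_modules/express-session/index.js:494:7)
"""
# Express's default error handler wraps the same text in HTML (<pre>, <br>, &nbsp;).
SAMPLE_500_HTML = ("<!DOCTYPE html><html><body><pre>"
                   + html.escape(SAMPLE_500_BODY).replace("\n", "<br>").replace("    ", " &nbsp; &nbsp;")
                   + "</pre></body></html>")

# "at fn (/abs/path.js:LINE:COL)" or "at /abs/path.js:LINE:COL"
FRAME_RE = re.compile(r"at (?:(?P<fn>[\w.<>]+) \()?(?P<path>/[^\s:)]+):(?P<line>\d+):(?P<col>\d+)\)?")
HOME_RE = re.compile(r"^/home/(?P<user>[^/]+)/(?P<project>[^/]+)/(?P<rel>.+)$")
ERROR_RE = re.compile(r"^\s*([A-Za-z]+Error: .+?)\s*$", re.M)


def extract_artifacts(body: str) -> dict:
    """Parse a 500 body (plain text or Express's HTML page) into identity artifacts."""
    text = re.sub(r"<br\s*/?>", "\n", body, flags=re.I)       # keep one frame per line
    text = html.unescape(re.sub(r"<[^>]+>", "", text))         # strip tags, decode &#x27; etc.
    err = ERROR_RE.search(text)
    art = {"error": err.group(1) if err else None, "user": None, "project": None,
           "app_frames": [], "packages": []}
    for m in FRAME_RE.finditer(text):
        h = HOME_RE.match(m.group("path"))
        if not h:
            continue  # node internals and frames outside /home/<user>/ carry no identity
        art["user"] = art["user"] or h.group("user")
        art["project"] = art["project"] or h.group("project")
        rel = h.group("rel")
        if rel.startswith("node_modules/"):
            parts = rel.split("/")
            pkg = "/".join(parts[1:3]) if parts[1].startswith("@") else parts[1]
            if pkg not in art["packages"]:
                art["packages"].append(pkg)
        else:
            art["app_frames"].append((rel, int(m.group("line")), int(m.group("col"))))
    return art


def probe(url: str, timeout: float = 10) -> tuple:
    """POST with Content-Length: 0 and no Content-Type. Express 5 leaves req.body
    undefined when no body parser matched, so `const { username } = req.body` throws."""
    u = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")
    # body=None on a POST makes http.client send Content-Length: 0 and no Content-Type header
    conn.request("POST", target, body=None, headers={"User-Agent": "Mozilla/5.0"})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        base = sys.argv[1].rstrip("/")
        # the two crashing handlers from the report; the gate parameter is the report's
        results = [probe(base + p) for p in ("/?safepreivewfiledownloadforminboxmailserver=1", "/admin/login")]
    else:
        results = [(500, SAMPLE_500_HTML)]
    for status, body in results:
        print(status, extract_artifacts(body))
```

Run it without arguments to see the parser on the sample; with a base URL it sends the two probes live. Do that only from infrastructure you are happy to burn: the kit's admin page claims to log visitor IPs, and a 500 on the first probe is the whole signal, so do not hammer the host.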
The Phishing Kit
Z2FA_LTS is a server-rendered Express.js application reached through Cloudflare Workers URLs. The /home/moincox/... paths in the stack trace are Linux filesystem paths, which the Workers runtime does not have, so the Node.js process itself runs on a host behind the Worker; the Workers deployment is the public front, which is also why the IPs listed later are Cloudflare edge addresses rather than an origin. The application serves four distinct pages:
Landing Page: Fake Chrome PDF Viewer
The initial URL (/?safepreivewfiledownloadforminboxmailserver=1) renders a full Chrome PDF viewer clone using PDF.js 2.16.105, complete with toolbar controls for zoom, rotation, page navigation, print, and download. The toolbar displays https://mail.navy.mil.bd/ PDF and loads the real Bangladesh Navy favicon.
The lure PDF is rendered with filter: blur(5px); opacity: 0.9 — the victim sees a blurred government document they cannot read. A "Reload PDF" button and a 5-second setTimeout auto-redirect both send the victim to /load.html.
Loading Screen: Zimbra Splash
A Zimbra "Loading..." splash screen that pulls real CSS from the target:
<link rel="stylesheet" href="https://mail.navy.mil.bd/css/common,login,zhtml,skin.css?skin=harmony&v=231201123416">
This page immediately redirects to /home.
Credential Harvester: Zimbra Login Clone
A pixel-perfect clone of Zimbra Web Client's Harmony skin login page. The kit reverse-proxies all static assets through a /proxy/ path on the Workers domain:
<link rel="stylesheet" href="/proxy/css/common,login,zhtml,skin.css?skin=harmony&v=231201123416">
<link rel="SHORTCUT ICON" href="/proxy/img/logo/favicon.ico">
The form POSTs to / with fields loginOp, login_csrf, username, password, and client. Two injected script blocks override Zimbra's default behavior:
- Force the error message "Your session has expired. Please login again to continue." to remain visible (overriding Zimbra JS that would hide it)
- Auto-focus the password field
The ZmSkin JavaScript configuration sets banner.url to http://mail.navy.mil.bd — the real server URL embedded in the phishing page's client-side branding logic.
CSRF tokens rotate per session: Each page load generates a unique token (e.g., 04ee9852-0575-4069-a611-38054c4e7b78, 9719c4bb-9022-4f43-b2b9-ccd1c71dd332), confirming server-side session state via express-session and connect.sid cookies.
Username echo: After credential submission, the server re-renders the login page with the submitted username pre-filled in the value attribute — the victim sees their email and assumes login failed, likely re-entering their password.
Admin Panel: Scare Page
The /admin and /admin/dashboard paths serve an intimidation page designed to deter researchers:
- Pulsing red gradient background with blinking warning banner
- "DANGER ZONE - UNAUTHORIZED ACCESS PROHIBITED"
- Claims: "Your IP address is being monitored," "Failed attempts trigger security protocols," "Your device information is being collected"
This is pure theater. POST to /admin/login with any credentials returns the same scare page (200, 4,429 bytes). There is no actual authentication differentiation — the admin panel is a decoy. The real credential management likely happens through direct server access or a separate channel.
The Lure
The PDF served by the phishing kit is a legitimate Pakistani government internal communication:
| Field | Value |
|---|---|
| From | Parep Istanbul (Pakistan's Permanent Representative) |
| To | National Assembly Secretariat, Islamabad |
| Subject | 152nd IPU Assembly & related meetings, Istanbul, 15-19 April 2026 |
| Date | 17 February 2026 |
| Reference | Con./3/2025 |
| Signed by | Syed Ali Raza Shah, Head of Chancery |
| SHA-256 | aa82f6397face56f9c8500e81b3ce487b661b99ee1865f1a5ec6f6da9b261cf1 |
| Creation date | 2026-02-17T16:56:18+03:00 (UTC+3, Turkey) |
The document lists hotel reservations at the Hilton Bomonti Istanbul for 9 named Pakistani officials:
| Name | Role | Room |
|---|---|---|
| Sardar Ayaz Sadiq | Hon. Speaker / Head of Delegation | King Executive Sea View |
| Syed Mustafa Mehmood | MNA | King Guest Room |
| Syed Amnah Batool | MNA | King Guest Room |
| Zahoor Hussain Qureshi | MNA | King Guest Room |
| Shahram Khan Tarakai | MNA | King Guest Room |
| Muhammad Jawed Hanif Khan | MNA | King Guest Room |
| Barrister Aqeel Malik | MNA | King Guest Room |
| Saeed Ahmed Maitla | Secretary National Assembly | King Guest Room |
| Waseem Iqbal Chaudhary | Special Secretary | King Guest Room |
The document's presence as a phishing lure demonstrates prior access to Pakistani diplomatic communications. The creation timestamp in UTC+3 (Turkey time) is consistent with the document originating from Pakistan's Istanbul mission. This is not a fabricated document — it contains specific internal details (room types, per-night rates, advance payment terms, a March 14 reservation deadline) that would only appear in authentic diplomatic correspondence.
Sidewinder's use of genuine stolen documents as lures is well-documented. The document-to-lure pipeline — steal from Target A, weaponize against Target B — is a signature TTP.
Attack Flow
1. Victim receives spearphishing link:
hxxps://twilight-violet-55a5[.]malik-jaani786[.]workers[.]dev/?safepreivewfiledownloadforminboxmailserver=1
2. Landing page renders blurred PDF in fake Chrome viewer
- Toolbar shows "https://mail.navy.mil.bd/ PDF"
- Favicon loaded from real mail.navy.mil.bd
- Auto-redirect after 5 seconds -> /load.html
3. Zimbra "Loading..." splash screen
- CSS pulled from real mail.navy.mil.bd
- Immediate redirect -> /home
4. Credential harvester (Zimbra Harmony login clone)
- Reverse-proxied CSS/favicon from real server via /proxy/
- "Your session has expired" error forces re-authentication
- Form POSTs to / with rotating CSRF token
5. Server-side processing at app.js:302
- Credentials stored/forwarded (mechanism not exposed)
- Login page re-rendered with username pre-filled
- Victim assumes login failed, re-enters password
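A content-side fingerprint for the three stages walked through above and in The Phishing Kit section, as an added example (not the kit's code and not the report's): each regex encodes a marker the report names (the blur(5px) lure, PDF.js 2.16.105, the common,login,zhtml,skin.css?skin=harmony stylesheet, /proxy/ asset paths, the forced "session has expired" banner, the login_csrf UUID), and csrf_rotates compares two captures of the harvester. How the kit embeds the PDF.js version string and the banner.url value is not shown on the page, so those two patterns and all of the sample HTML are constructed assumptions.

```python
"""Stage fingerprints for Z2FA_LTS captures (landing, loader, harvester) and a
CSRF-rotation check across two harvester captures. Added example; the sample
pages are constructed and stand in for the real captures."""
import re
import urllib.parse

MARKERS = {
    "pdf_lure":        re.compile(r"filter:\s*blur\(5px\)", re.I),
    "pdfjs_2_16_105":  re.compile(r"2\.16\.105"),                 # assumption: version string visible in HTML
    "zimbra_skin_css": re.compile(r"common,login,zhtml,skin\.css\?skin=harmony", re.I),
    "proxied_assets":  re.compile(r'(?:href|src)="/proxy/', re.I),
    "session_expired": re.compile(r"Your session has expired\. Please login again to continue\.", re.I),
}
CSRF_RE = re.compile(r'name="login_csrf"[^>]*value="([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"', re.I)
INPUT_NAME_RE = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)
ABS_SKIN_RE = re.compile(r'https?://([^/"\'\s]+)/css/common,login,zhtml,skin\.css', re.I)
# assumption: banner.url appears as `banner: { url: "..." }` or `...banner.url = "..."`
BANNER_RE = re.compile(r'banner[^;]{0,40}?url\s*[:=]\s*["\'](https?://[^"\']+)', re.I)


def fingerprint(page: str) -> dict:
    markers = [name for name, rx in MARKERS.items() if rx.search(page)]
    hosts = {h.lower() for h in ABS_SKIN_RE.findall(page)}          # loader pulls CSS straight from the target
    hosts |= {urllib.parse.urlsplit(u).netloc.lower() for u in BANNER_RE.findall(page)}
    csrf = CSRF_RE.search(page)
    return {"markers": markers, "impersonated_hosts": sorted(hosts),
            "csrf": csrf.group(1).lower() if csrf else None,
            "form_fields": set(INPUT_NAME_RE.findall(page))}


def is_z2fa_harvester(fp: dict) -> bool:
    """Harmony clone with proxied assets, forced expiry banner and the Zimbra field set."""
    return ({"zimbra_skin_css", "proxied_assets", "session_expired"} <= set(fp["markers"])
            and {"loginOp", "login_csrf", "username", "password", "client"} <= fp["form_fields"])


def csrf_rotates(fp_a: dict, fp_b: dict) -> bool:
    """True when two captures carry different tokens, i.e. server-side per-session state."""
    return bool(fp_a["csrf"] and fp_b["csrf"] and fp_a["csrf"] != fp_b["csrf"])


# Constructed sample pages (not the kit's HTML), one per stage.
LANDING = """<html><head><script src="/static/pdfjs/2.16.105/pdf.js"></script></head>
<body><div id="toolbar">https://mail.navy.mil.bd/ PDF</div>
<canvas style="filter: blur(5px); opacity: 0.9"></canvas>
<button onclick="location='/load.html'">Reload PDF</button>
<script>setTimeout(function(){location='/load.html'},5000)</script></body></html>"""

LOADER = """<html><head><link rel="stylesheet" href="https://mail.navy.mil.bd/css/common,login,zhtml,skin.css?skin=harmony&v=231201123416"></head>
<body>Loading...<script>location='/home'</script></body></html>"""


def harvester_page(token: str) -> str:
    return f"""<html><head>
<link rel="stylesheet" href="/proxy/css/common,login,zhtml,skin.css?skin=harmony&v=231201123416">
<link rel="SHORTCUT ICON" href="/proxy/img/logo/favicon.ico">
<script>window.skin = {{ hints: {{ banner: {{ url: "http://mail.navy.mil.bd" }} }} }};</script>
</head><body>
<div class="errorMessage">Your session has expired. Please login again to continue.</div>
<form method="post" action="/">
<input type="hidden" name="loginOp" value="login">
<input type="hidden" name="login_csrf" value="{token}">
<input type="text" name="username" value="">
<input type="password" name="password">
<input type="hidden" name="client" value="preferred">
</form></body></html>"""


if __name__ == "__main__":
    for label, page in (("landing", LANDING), ("loader", LOADER),
                        ("harvester", harvester_page("04ee9852-0575-4069-a611-38054c4e7b78"))):
        fp = fingerprint(page)
        print(label, fp["markers"], fp["impersonated_hosts"], fp["csrf"], is_z2fa_harvester(fp))
```

The same functions run unchanged over URLScan DOM snapshots or sandbox captures, which is where they earn their keep: a new Worker on a new account still has to serve the Harmony clone with these markers to work as a Zimbra lure.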
Campaign Timeline
URLScan indexing reveals 7 Worker deployments across 6 distinct subdomains under the malik-jaani786 Cloudflare account between February and April 2026 (modp-view-full-message appears twice):
| First Seen | Worker Subdomain | Assessed Target | Status |
|---|---|---|---|
| 2026-02-19 | hit-view-message-preview | Zimbra webmail (generic) | Cloudflare phishing block |
| 2026-02-24 | download-secure-app-from-icloud | iCloud users | Cloudflare phishing block |
| 2026-03-06 | bold-bonus-1d3b | Unknown | Dead (error 1042) |
| 2026-03-16 | modp-view-full-message | Document preview lure | Dead (404) |
| 2026-04-08 | preview-mail-from-mofa-gov-pk-user-com-center | Pakistan Ministry of Foreign Affairs | Dead (404) |
| 2026-04-10 | modp-view-full-message (reuse) | Document preview lure | Dead (404) |
| 2026-04-18 | twilight-violet-55a5 | Bangladesh Navy | LIVE |
The MoFA Worker name is particularly revealing: preview-mail-from-mofa-gov-pk-user-com-center explicitly references Pakistan's Ministry of Foreign Affairs (mofa.gov.pk). This is consistent with the stolen diplomatic cable used as a lure — the same campaign that compromised Pakistani diplomatic communications is now weaponizing them against Bangladesh Navy personnel.
Cloudflare's phishing detection has caught and blocked the two oldest Workers (download-secure-app-from-icloud and hit-view-message-preview), both now returning "Suspected Phishing" interstitial pages. The current twilight-violet-55a5 Worker has not yet been flagged.
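The URLScan pivot behind the timeline table, as an added example (not the report's own script): search for every scan whose page domain sits under the account, then fold the results into one row per Worker subdomain with first seen, last seen, scan count and the gate parameter names observed. It assumes the urlscan.io search API at /api/v1/search/ with results[].task.time and results[].page.domain / results[].page.url, and the query syntax page.domain:*.<account>; check both against urlscan's current documentation. SAMPLE_RESULTS is constructed to mirror the dates in the table above and is not real API output.

```python
"""URLScan pivot: scans of a Cloudflare Workers account -> per-Worker timeline.
Added example. API fields, query syntax and SAMPLE_RESULTS are assumptions."""
import json
import os
import sys
import urllib.parse
import urllib.request

ACCOUNT = "malik-jaani786.workers.dev"


def search_query(account: str) -> str:
    # Assumption: Lucene-style wildcard on urlscan's page.domain keyword field.
    return f"page.domain:*.{account}"


def search_urlscan(query: str, api_key: str = "", size: int = 100) -> list:
    """One page of search results (the API paginates with search_after for more)."""
    url = "https://urlscan.io/api/v1/search/?" + urllib.parse.urlencode({"q": query, "size": size})
    req = urllib.request.Request(url, headers={"User-Agent": "worker-timeline/0.1"})
    if api_key:
        req.add_header("API-Key", api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("results", [])


def worker_timeline(results: list, account: str) -> list:
    """Collapse scan results into [(subdomain, row)] sorted by first_seen."""
    suffix = "." + account
    rows = {}
    for r in results:
        page = r.get("page") or {}
        task = r.get("task") or {}
        domain = (page.get("domain") or "").lower()
        if not domain.endswith(suffix):
            continue  # other accounts and unrelated scans
        sub = domain[: -len(suffix)]
        ts = task.get("time", "")
        url = page.get("url") or task.get("url", "")
        # gate parameter *names*; the report shows the value is always 1
        params = set(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query, keep_blank_values=True))
        row = rows.setdefault(sub, {"first_seen": ts, "last_seen": ts, "scans": 0, "gate_params": set()})
        # urlscan timestamps are ISO-8601 UTC strings, so string comparison orders them
        row["first_seen"] = min(row["first_seen"], ts)
        row["last_seen"] = max(row["last_seen"], ts)
        row["scans"] += 1
        row["gate_params"] |= params
    return sorted(rows.items(), key=lambda kv: kv[1]["first_seen"])


def render_table(timeline: list) -> str:
    lines = ["| First Seen | Last Seen | Worker Subdomain | Scans | Gate Parameters |", "|---|---|---|---|---|"]
    for sub, row in timeline:
        gates = ", ".join(sorted(row["gate_params"])) or "(none)"
        lines.append(f"| {row['first_seen'][:10]} | {row['last_seen'][:10]} | {sub} | {row['scans']} | {gates} |")
    return "\n".join(lines)


def _scan(time, sub, path):
    """Constructed result shaped like one urlscan search hit (not real API output)."""
    url = f"https://{sub}.{ACCOUNT}{path}"
    return {"task": {"time": time, "url": url}, "page": {"domain": f"{sub}.{ACCOUNT}", "url": url}}


# Dates follow the report's table; times of day and the unrelated hit are made up.
SAMPLE_RESULTS = [
    _scan("2026-02-19T10:02:11.000Z", "hit-view-message-preview", "/?shfgkjdhgjkfhdgjkfhdgjkhfdjghfdghfjkd=1"),
    _scan("2026-04-08T14:21:05.000Z", "preview-mail-from-mofa-gov-pk-user-com-center", "/"),
    _scan("2026-04-18T09:47:30.000Z", "twilight-violet-55a5", "/?safepreivewfiledownloadforminboxmailserver=1"),
    _scan("2026-04-19T11:12:44.000Z", "twilight-violet-55a5", "/home"),
    {"task": {"time": "2026-03-01T00:00:00.000Z", "url": "https://unrelated.someoneelse.workers.dev/"},
     "page": {"domain": "unrelated.someoneelse.workers.dev", "url": "https://unrelated.someoneelse.workers.dev/"}},
]

if __name__ == "__main__":
    account = sys.argv[1] if len(sys.argv) > 1 else ACCOUNT
    results = search_urlscan(search_query(account), os.environ.get("URLSCAN_API_KEY", "")) if len(sys.argv) > 1 else SAMPLE_RESULTS
    print(render_table(worker_timeline(results, account)))
```

Pass the account name as the first argument to query live (set URLSCAN_API_KEY for higher quotas); with no argument it renders the constructed sample. Scheduling this against the account name is the cheapest way to catch the next Worker before Cloudflare flags it.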
Query Parameter Fingerprints
Each Workers instance uses a long, randomized query parameter as a campaign gate:
| Worker | Parameter |
|---|---|
| hit-view-message-preview | shfgkjdhgjkfhdgjkfhdgjkhfdjghfdghfjkd |
| download-secure-app-from-icloud | dsgsredjfrtkyrefguihsfguihughilsdomainetftwrefhf |
| bold-bonus-1d3b | shfgkjdhgjkfhdgjkfhdgjkhfdjghfdghfjkd |
| twilight-violet-55a5 | safepreivewfiledownloadforminboxmailserver |
The parameter names serve dual purposes: campaign tracking and casual access prevention. Without the correct parameter, the root path returns Forbidden (9 bytes) or 404.
Infrastructure Continuity
The malik-jaani786 account is this campaign's second Cloudflare Workers account. Our prior investigation on April 5, 2026 documented girlfriendparty42.workers.dev as the first account, which hosted:
| Worker | Target |
|---|---|
| royal-field-9144.girlfriendparty42.workers.dev | Zimbra phishing |
| zimramail-nayatel.girlfriendparty42.workers.dev | Nayatel (Pakistan ISP) |
Both girlfriendparty42 Workers are now dead. The actor burned the account and migrated to malik-jaani786, maintaining the same:
- Express.js backend with x-powered-by: Express header
- connect.sid session cookies via express-session
- Zimbra Harmony skin clone with reverse-proxied assets
- Blurred PDF viewer landing page
- Long randomized query parameter as campaign gate
- Identical attack flow: PDF viewer -> loading screen -> credential harvester
The kit version running on malik-jaani786 (Z2FA_LTS) may represent a newer build than what was deployed on girlfriendparty42. The "LTS" designation suggests the developer maintains multiple branches.
The broader campaign, when combined with our April 5 findings, now spans at least 20 infrastructure nodes across Zeabur, Leapcell, Railway, Replit, Back4App, and two Cloudflare Workers accounts — all serving the same Sidewinder credential harvesting operation against South Asian government targets.
Multi-Target Map
Combining this investigation with our prior April 5 report, the confirmed and assessed targets across the full malik-jaani786 + girlfriendparty42 + PaaS infrastructure are:
| Target | Country | Sector | Evidence |
|---|---|---|---|
| Bangladesh Navy (mail.navy.mil.bd) | Bangladesh | Defense | Live phishing kit, reverse-proxied assets |
| Pakistan MoFA (mofa.gov.pk) | Pakistan | Foreign Affairs | Worker name, stolen diplomatic cable |
| Margalla Heavy Industries (MHIL) | Pakistan | Defense | Decoded victim email (prior investigation) |
| Pakistan Air Force | Pakistan | Defense | Lure document (prior investigation) |
| Nayatel (Pakistan ISP) | Pakistan | Telecom | Dedicated Worker (prior investigation) |
| Bangladesh Computer Council | Bangladesh | Government IT | Dedicated Worker (prior investigation) |
| NTC Pakistan | Pakistan | Telecom | Dedicated Worker (prior investigation) |
| iCloud users | Global | Consumer | Dedicated Worker (download-secure-app-from-icloud) |
The iCloud-targeting Worker is notable — it represents a departure from Sidewinder's typical government/military focus, unless it was used to target personal Apple accounts of government officials.
What This Report Adds
This is publicly available information about an active Sidewinder campaign. What distinguishes this report:
- Developer attribution artifact: The `moincox` username and `Z2FA_LTS` project name from the Express.js stack trace have not been publicly documented. This is a concrete OPSEC failure that names the kit and its operator's local environment.
- Campaign continuity mapping: Linking `malik-jaani786` to the previously documented `girlfriendparty42` account through shared TTPs and attack flow establishes a continuous 3-month operational timeline.
- MoFA targeting confirmation: The `preview-mail-from-mofa-gov-pk-user-com-center` Worker name, combined with the stolen diplomatic cable, confirms Pakistan MoFA as both a victim (document theft) and a lure source.
- Full phishing kit source: Landing page, loading screen, credential harvester, and admin panel HTML, all captured while the kit is live.
Credit to @volrant136 for the initial discovery, and to @Huntio, @500mk500, @MichalKoczwara, and @malwrhunterteam for corroborating Sidewinder attribution.
IOC Table
Domains and URLs
| Indicator | Context |
|---|---|
| twilight-violet-55a5[.]malik-jaani786[.]workers[.]dev | Active Bangladesh Navy credential harvester |
| preview-mail-from-mofa-gov-pk-user-com-center[.]malik-jaani786[.]workers[.]dev | Pakistan MoFA targeting (dead) |
| download-secure-app-from-icloud[.]malik-jaani786[.]workers[.]dev | iCloud credential theft (CF blocked) |
| hit-view-message-preview[.]malik-jaani786[.]workers[.]dev | Zimbra phishing (CF blocked) |
| modp-view-full-message[.]malik-jaani786[.]workers[.]dev | Document preview lure (dead) |
| bold-bonus-1d3b[.]malik-jaani786[.]workers[.]dev | Unknown purpose (dead) |
| malik-jaani786[.]workers[.]dev | Cloudflare Workers account (parent) |
| mail[.]navy[.]mil[.]bd | Legitimate target, Bangladesh Navy Zimbra (do not block) |
IPs (Cloudflare edge — not origin)
| IP | Context |
|---|---|
| 104[.]21[.]4[.]43 | Cloudflare edge for malik-jaani786 Workers |
| 172[.]67[.]131[.]165 | Cloudflare edge for malik-jaani786 Workers |
File Hashes
| Hash | File | Context |
|---|---|---|
| aa82f6397face56f9c8500e81b3ce487b661b99ee1865f1a5ec6f6da9b261cf1 | Lure PDF (152nd IPU Assembly) | SHA-256 |
| e41adf9fdd1394e1d6ee74efd05a7c6a | Lure PDF | MD5 |
Developer Artifacts
| Artifact | Value |
|---|---|
| Linux username | moincox |
| Project name | Z2FA_LTS |
| App entry | /home/moincox/Z2FA_LTS/app.js |
| Credential handler | Line 302 |
| Admin handler | Line 556 |
| Session middleware | express-session |
| Cookie name | connect.sid |
| CSRF token (example; rotates per session, so not a fixed indicator) | 04ee9852-0575-4069-a611-38054c4e7b78 |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Resource Development | Acquire Infrastructure: Serverless | T1583.007 | Cloudflare Workers accounts |
| Resource Development | Obtain Capabilities: Tool | T1588.001 | Z2FA_LTS phishing kit |
| Resource Development | Stage Capabilities: Upload Tool | T1608.002 | Kit deployed across multiple Workers |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Workers URL sent to targets |
| Collection | Input Capture: Web Portal Capture | T1056.003 | Zimbra login clone captures credentials |
| Defense Evasion | Masquerading | T1036 | Pixel-perfect Zimbra clone with proxied assets |
| Credential Access | Not evidenced | n/a | The connect.sid cookie is the kit's own express-session state, not a stolen victim session; T1539 (Steal Web Session Cookie) does not apply to what was observed |
Detection Signatures
Network Indicators
# Block/alert on malik-jaani786 Workers account
*.malik-jaani786.workers.dev
# Query parameter fingerprint (note typo: "preivew")
safepreivewfiledownloadforminboxmailserver
# Express.js on Workers (unusual combination)
x-powered-by: Express (from *.workers.dev domains)
# Connect.sid from Workers domains
Set-Cookie: connect.sid (from *.workers.dev)
Sigma Rule
title: Sidewinder Z2FA_LTS Phishing Kit Access
id: b8c9d0e1-2f3a-4b4c-d5e6-sidewinder-z2fa
status: experimental
description: Detects access to Sidewinder Z2FA_LTS phishing infrastructure on Cloudflare Workers
author: Breakglass Intelligence
date: 2026-04-20
references:
- https://intel.breakglass.tech/blog/sidewinder-z2fa-lts-moincox-bangladesh-navy-pakistan-mofa-opsec-burn
tags:
- attack.credential_access
- attack.t1056.003
- attack.initial_access
- attack.t1566.002
logsource:
category: proxy
detection:
selection_domain:
c-uri|contains: 'malik-jaani786.workers.dev'
selection_param:
c-uri|contains: 'safepreivewfiledownloadforminboxmailserver'
condition: selection_domain or selection_param
falsepositives:
    - Analyst, sandbox or URLScan visits to the reported URLs
level: high
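The network indicators and the Sigma rule above, implemented as detection logic over proxy records, as an added example (not the report's own tooling). Three rules mirror the indicators: the known Workers accounts, the gate parameter names (matched on the parameter name so the rule survives a move to a new account, which is the case the Sigma rule's second selection covers), and the Express-on-Workers combination of x-powered-by: Express or a connect.sid cookie from a *.workers.dev host. The JSON-lines format and every record in SAMPLE_LOG are constructed here; map the field names onto your proxy's export.

```python
"""Proxy-log detection for the Z2FA_LTS indicators. Added example; the log
format and SAMPLE_LOG records are constructed."""
import json
import urllib.parse

ACCOUNTS = {"malik-jaani786.workers.dev", "girlfriendparty42.workers.dev"}
# Gate parameter names from the report; the value (always 1) does not matter, the name does.
GATE_PARAMS = {
    "safepreivewfiledownloadforminboxmailserver",
    "shfgkjdhgjkfhdgjkfhdgjkhfdjghfdghfjkd",
    "dsgsredjfrtkyrefguihsfguihughilsdomainetftwrefhf",
}


def classify(rec: dict) -> list:
    """Return (rule, level) pairs that fire for one proxy record."""
    host = (rec.get("host") or "").lower().rstrip(".")
    uri = rec.get("uri") or ""
    hdrs = {k.lower(): v for k, v in (rec.get("resp_headers") or {}).items()}
    hits = []
    if any(host == a or host.endswith("." + a) for a in ACCOUNTS):
        hits.append(("known_workers_account", "high"))
    names = set(urllib.parse.parse_qs(urllib.parse.urlsplit(uri).query, keep_blank_values=True))
    if names & GATE_PARAMS:
        hits.append(("z2fa_gate_parameter", "high"))
    if host.endswith(".workers.dev"):
        set_cookie = hdrs.get("set-cookie", "")
        if isinstance(set_cookie, list):          # some exports keep repeated headers as a list
            set_cookie = "; ".join(set_cookie)
        express = str(hdrs.get("x-powered-by", "")).strip().lower() == "express"
        if express or "connect.sid=" in set_cookie:
            hits.append(("express_session_on_workers", "medium"))
    return hits


def scan(lines) -> list:
    """Run classify over JSON-lines proxy records; returns one alert per rule hit."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        for rule, level in classify(rec):
            alerts.append({"line": n, "rule": rule, "level": level,
                           "src": rec.get("src_ip"), "host": rec.get("host")})
    return alerts


# Constructed records: a hit on the live Worker, the same gate parameter on a made-up new
# account, an Express app on another made-up Workers account, and two benign requests.
SAMPLE_LOG = """\
{"ts":"2026-04-19T08:01:02Z","src_ip":"10.20.30.40","host":"twilight-violet-55a5.malik-jaani786.workers.dev","uri":"/?safepreivewfiledownloadforminboxmailserver=1","resp_headers":{"x-powered-by":"Express","set-cookie":"connect.sid=s%3Aabc.def; Path=/; HttpOnly"}}
{"ts":"2026-04-19T08:03:10Z","src_ip":"10.20.30.41","host":"quiet-sun-1a2b.newaccount999.workers.dev","uri":"/?safepreivewfiledownloadforminboxmailserver=1","resp_headers":{"content-type":"text/html"}}
{"ts":"2026-04-19T08:05:44Z","src_ip":"10.20.30.42","host":"some-app.anotheraccount.workers.dev","uri":"/home","resp_headers":{"x-powered-by":"Express"}}
{"ts":"2026-04-19T08:06:00Z","src_ip":"10.20.30.43","host":"static-site.anotheraccount.workers.dev","uri":"/index.html","resp_headers":{"content-type":"text/html"}}
{"ts":"2026-04-19T08:07:31Z","src_ip":"10.20.30.44","host":"intranet.example.com","uri":"/?preview=1","resp_headers":{"x-powered-by":"Express"}}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"line {a['line']:>3} {a['level']:<6} {a['rule']:<28} {a['src']} -> {a['host']}")
```

The third rule is deliberately medium: Express apps do get fronted by Workers for legitimate reasons, so treat it as a hunting lead and pair it with the content fingerprints rather than auto-blocking on it.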
Recommendations
| Action | Target | Priority |
|---|---|---|
| Report phishing | Cloudflare Trust & Safety — twilight-violet-55a5.malik-jaani786.workers.dev | Immediate |
| Credential rotation | Bangladesh Navy — all mail.navy.mil.bd users | Immediate |
| CERT notification | BGD e-GOV CIRT (cert@cirt.gov.bd) — active credential harvesting | Immediate |
| CERT notification | Pakistan NTISB — leaked diplomatic communications | High |
| Block IOCs | Distribute Workers domains and query parameter fingerprints | High |
| Monitor | URLScan for new *.malik-jaani786.workers.dev subdomains | Ongoing |
| Monitor | New Cloudflare Workers accounts with same Express.js + Zimbra clone pattern | Ongoing |
Investigation by Breakglass Intelligence. Credit to @volrant136 for the initial discovery.