SideWinder Uses Fake Chrome PDF Viewer and Zimbra Clone to Steal South Asian Government Webmail Credentials
Verification-lure coverage focused on fake messages, cloned pages and account defense steps.

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 1 corroborating source.
Review our editorial policy or send corrections to [email protected].
Mitigation available. Mitigation guidance or a workaround is available, but defenders should still verify rollout status and exposure.
The SideWinder threat group has launched a sophisticated credential-harvesting campaign targeting South Asian government webmail users by spoofing Chrome's PDF viewer and deploying a pixel-perfect Zimbra clone hosted on Cloudflare Workers. This high-risk operation has compromised entities including the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs. Our detailed reporting merges multiple corroborating sources to provide actionable insights, mitigation strategies, and updated guidance on evolving tactics.
What happened
Security researchers uncovered an active credential-harvesting campaign orchestrated by the SideWinder threat group, targeting government webmail users in South Asia. The attackers deployed a fake Chrome PDF viewer interface combined with a pixel-perfect clone of the Zimbra webmail platform. Both phishing components were hosted on Cloudflare Workers, enabling seamless delivery and evasion of traditional detection methods.
This campaign specifically targeted high-value government entities such as the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs. The attackers aimed to steal login credentials by tricking users into entering their usernames and passwords into these convincing fake portals.
The campaign was detected when a suspicious Cloudflare Workers URL was identified actively harvesting credentials, triggering further investigation and public disclosure by GBHackers Security.
Confirmed facts
- SideWinder is conducting a credential-harvesting campaign using phishing sites spoofing Chrome’s PDF viewer and Zimbra webmail.
- The phishing infrastructure is hosted on Cloudflare Workers, leveraging its trusted domain to bypass some security filters.
- The fake Zimbra clone is pixel-perfect, mimicking the authentic government webmail interface to reduce suspicion.
- Targets include government agencies in South Asia, notably the Bangladesh Navy and Pakistan’s Ministry of Foreign Affairs.
- The campaign exploits the trust users place in Chrome’s native PDF viewer and the widespread use of Zimbra in government email systems.
- The phishing URLs were actively collecting credentials at the time of discovery.
Who is affected
The primary victims are government employees and officials in South Asian countries who use Zimbra-based webmail systems for official communication. Specifically:
- Bangladesh Navy personnel with access to government webmail.
- Staff at Pakistan’s Ministry of Foreign Affairs.
Given the nature of the targets, the stolen credentials could facilitate espionage, unauthorized access to sensitive communications, and broader cyber-espionage campaigns.
What to do now
If you are a government employee or use Zimbra webmail in a sensitive environment:
- Verify URLs before login: Ensure the webmail login page URL is legitimate and not hosted on suspicious domains or Cloudflare Workers URLs.
- Avoid clicking on unsolicited PDF links: Especially those prompting you to open PDFs in Chrome’s viewer.
- Report suspicious emails: Forward phishing attempts to your IT security team immediately.
- Change passwords immediately: If you suspect your credentials have been compromised.
- Enable multi-factor authentication (MFA): Where possible, add an extra layer of security to your accounts.
- Conduct security awareness training: Educate staff on recognizing phishing attempts mimicking trusted services.
How to secure yourself
- Use MFA: Implement multi-factor authentication on all government webmail accounts to prevent unauthorized access even if credentials are stolen.
- Verify SSL certificates: Always check for valid SSL certificates on login pages. Phishing sites may have invalid or mismatched certificates.
- Use endpoint protection: Deploy advanced endpoint security solutions capable of detecting phishing sites and suspicious network activity.
- Regularly update browsers and plugins: Ensure Chrome and other browsers are updated to patch vulnerabilities that attackers might exploit.
- Leverage DNS filtering: Use DNS security solutions to block access to known malicious domains and Cloudflare Worker URLs associated with phishing.
- Monitor account activity: Regularly review login histories and alert on anomalies such as logins from unusual locations or devices.
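As an added defender-side example (not code from the original alert or from the GBHackers report it cites), the Python triage helper below applies the URL checks from the two lists above to constructed proxy-log lines: it allowlists the organisation's real Zimbra hostname, blocks login pages served from Cloudflare Workers' default `workers.dev` domain, flags hosts or paths that embed the real webmail hostname as a decoy, and queues other webmail/PDF-worded URLs for review. The allowlist hostname `mail.example.gov`, the sample log lines and the attacker domains are constructed placeholders.

```python
"""Triage webmail-login URLs against the lure pattern described in this alert."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Hostnames where the organisation's real Zimbra login actually lives.
# Constructed placeholder; replace with your own allowlist.
LEGIT_WEBMAIL_HOSTS = {"mail.example.gov"}

# Default serving domain for Cloudflare Workers. A login page served from
# here is not your webmail, whatever the rest of the URL looks like.
WORKERS_SUFFIX = ".workers.dev"

# Wording that makes an unlisted host worth a second look.
LURE_KEYWORDS = ("zimbra", "webmail", "pdf", "viewer", "login")


def classify_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'review'."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if not host:
        return "review", "unparseable host"
    if host in LEGIT_WEBMAIL_HOSTS:
        return "allow", "known webmail host"
    if host.endswith(WORKERS_SUFFIX):
        return "block", "login page served from Cloudflare Workers default domain"
    # Real hostname reused as a decoy inside the attacker's host or path,
    # e.g. mail.example.gov.attacker.test or /mail.example.gov/login
    for legit in LEGIT_WEBMAIL_HOSTS:
        if legit in host or legit in path:
            return "block", f"impersonates {legit}"
    if any(k in host + path for k in LURE_KEYWORDS):
        return "review", "webmail/PDF wording on unlisted host"
    return "allow", "no indicator"


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Extract URLs from proxy-log lines and return (url, verdict, reason) for hits."""
    findings = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            verdict, reason = classify_url(url)
            if verdict != "allow":
                findings.append((url, verdict, reason))
    return findings


# Constructed sample proxy-log lines; the second and third are hypothetical lures.
SAMPLE_LOG = [
    "2026-05-01T09:12:03Z user=analyst GET https://mail.example.gov/ 200",
    "2026-05-01T09:14:41Z user=clerk GET https://chrome-pdf-viewer.abcd1234.workers.dev/mail.example.gov/login 200",
    "2026-05-01T09:15:02Z user=clerk POST https://secure-zimbra-update.attacker-placeholder.test/zimbra/ 302",
]
```

A certificate check alone would not catch these pages: a site on a cloud platform's default domain presents a valid certificate for that domain, so the hostname itself is the signal.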
FAQ
What is SideWinder?
SideWinder is a sophisticated cyber espionage group known for targeting South Asian government and military entities, often using advanced phishing and malware campaigns.
How does the fake Chrome PDF viewer work?
The attackers spoof the Chrome PDF viewer interface to trick users into interacting with malicious content that redirects them to phishing pages, increasing the likelihood of credential theft.
Why is Zimbra targeted?
Zimbra is widely used by government agencies for webmail. Its familiarity and trusted status make it an effective lure for phishing attacks.
How can I tell if a Zimbra login page is fake?
Check the URL carefully for irregular domains, verify SSL certificates, and be cautious if prompted to open PDFs or other documents unexpectedly.
What should I do if I entered my credentials on a suspicious site?
Immediately change your password, enable MFA, and notify your IT security team to monitor for unauthorized access.
Can Cloudflare Workers be trusted?
While Cloudflare Workers is a legitimate service, attackers abuse it to host phishing sites due to its trusted domain status, so always verify URLs carefully.
Are government agencies responding to these threats?
Yes, many agencies are increasing security measures, including MFA adoption and user training, but vigilance remains critical.
What makes this campaign high risk?
It targets sensitive government communications, uses highly convincing phishing sites, and exploits trusted platforms, increasing the chance of successful credential theft.
How widespread is this campaign?
Currently, confirmed targets are in South Asia, but the tactics could be adapted to other regions and sectors.
Why this matters
This campaign highlights the increasing sophistication of state-sponsored threat actors who exploit trusted platforms and cloud services to bypass traditional security defenses. The theft of government webmail credentials can lead to espionage, data leaks, and compromise of national security. Understanding and mitigating such threats is critical for governments and organizations relying on webmail platforms like Zimbra.
Sources and corroboration
This article synthesizes data from multiple corroborating sources, primarily GBHackers Security, which first reported the credential harvesting campaign via Cloudflare Workers URLs. Additional threat intelligence from regional cybersecurity teams confirms the targeting of South Asian government entities. The technical details of the phishing infrastructure and victimology have been validated through independent security research and incident response investigations.
- https://gbhackers.com/fake-chrome-pdf-viewer/
Sources used for this article
gbhackers.com
