Nepal Unrest Exploited – Sidewinder APT Deploys Cross-Platform Malware on Windows and Mobile Devices
Following its previously documented attacks against South Asian military targets, the Sidewinder group is now leveraging Nepal’s social media ban and anti-corruption demonstrations as social engineering lures to deliver multi-stage attacks across Windows and Android platforms.
The campaign demonstrates tactical evolution as attackers impersonate General Ashok Sigdel, Nepal’s current Army Chief of Staff, who has been serving as the acting head of state since September 2025.
The malicious operation begins with credential phishing sites spoofing the Nepalese Emergency Service, designed to harvest login credentials from unsuspecting victims.
Users attempting to access information about General Sigdel are instead tricked into downloading Gen_Ashok_Sigdel_Live.apk, a malicious Android application that functions as a sophisticated data exfiltration tool.
The Android malware, based on a modified version of the open-source Rafel RAT, requests extensive device permissions, including ADD_DEVICE_ADMIN, READ_EXTERNAL_STORAGE, MANAGE_APP_ALL_FILES_ACCESS_PERMISSION, READ_CONTACTS, and READ_MEDIA_VIDEO.
Once installed, the malware displays decoy content while simultaneously harvesting documents and images from the infected device, uploading stolen data to command-and-control servers at playservicess.com.
Sidewinder’s campaign extends beyond mobile devices to include Windows-based attacks using EmergencyApp.exe, alongside additional Android samples such as Emergency_Help.apk.
The threat actors maintain consistent infrastructure across platforms, utilizing the domains playservicess.com and playsevices.com, hosted on the IP address 194.233.77.73.
Network communications utilize distinctive markers, including the boundary string “qwerty” and URI paths containing “/ghijkl/ghijkl/index.php”, providing defenders with reliable hunting signatures.
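As an added illustration (not code from the original report), the following Python snippet applies those hunting signatures to a constructed proxy log: the log layout, the sample entries and the function names are assumptions; the hosts, URI path and boundary string are the indicators quoted above.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the report: C2 hosts, panel URI path, fixed multipart boundary.
KNOWN_HOSTS = {"playservicess.com", "playsevices.com", "194.233.77.73"}
URI_MARKER = "/ghijkl/ghijkl/index.php"
BOUNDARY_MARKER = "qwerty"

@dataclass(frozen=True)
class Hit:
    line_no: int
    reasons: tuple

def inspect_request(line):
    """Return indicator matches for one constructed proxy log line."""
    # Assumed layout: "<timestamp> <client_ip> <method> <url> <content-type>"
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return []
    _, _, _, url, content_type = parts
    reasons = []
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":")[0].lower()
    if host in KNOWN_HOSTS:
        reasons.append(f"known C2 host {host}")
    if URI_MARKER in url:
        reasons.append("Rafel RAT panel URI")
    # A hard-coded boundary is unusual (clients normally randomise it) but weak
    # on its own, so it is only reported alongside whatever else matched.
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type, re.I)
    if m and (m.group(1) or m.group(2)) == BOUNDARY_MARKER:
        reasons.append("static multipart boundary 'qwerty'")
    return reasons

def scan(lines):
    """Run inspect_request over a log and keep only lines with matches."""
    return [Hit(i, tuple(r)) for i, l in enumerate(lines, 1) if (r := inspect_request(l))]

# Constructed sample log: benign fetch, full C2 upload, panel path on an
# unlisted host, and an ordinary multipart upload.
SAMPLE_LOG = [
    "2025-09-10T10:01:02Z 10.0.0.5 GET https://example.org/index.html text/html",
    "2025-09-10T10:01:05Z 10.0.0.5 POST http://playservicess.com/ghijkl/ghijkl/index.php multipart/form-data; boundary=qwerty",
    "2025-09-10T10:02:11Z 10.0.0.7 POST http://198.51.100.9/ghijkl/ghijkl/index.php application/x-www-form-urlencoded",
    "2025-09-10T10:03:00Z 10.0.0.8 POST http://upload.example.net/api multipart/form-data; boundary=----WebKitFormBoundary7Ma",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: " + "; ".join(hit.reasons))
```

The third sample line shows why the URI path is worth matching on its own: it fires even when the operators move the panel to infrastructure not yet on a blocklist.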
The group’s previous campaigns targeted military personnel across Bangladesh, Pakistan, and India using similar tactics, with evidence suggesting victims included defense contractors, government officials, and military communications personnel based on recovered contact lists and stolen SMS content.
Their infrastructure demonstrates sophisticated operational security, with domains registered using consistent email patterns and C2 panels that were temporarily indexed by search engines before being secured.
The current Nepal-focused campaign represents a concerning adaptation of established TTPs to exploit real-world geopolitical events, highlighting the group’s continued focus on South Asian targets while expanding its operational scope to capitalize on emerging political instability and social unrest.
The post Nepal Unrest Exploited – Sidewinder APT Deploys Cross-Platform Malware on Windows and Mobile Devices appeared first on Cyber Security News.