
🐍 APT THREAT ANALYSIS • TTP EXPOSED
Operation SouthNet Exposed: SideWinder APT Weaponizes Netlify and Pages.dev for Global Espionage
By CyberDudeBivash • October 07, 2025 • Threat Intelligence Report
cyberdudebivash.com | cyberbivash.blogspot.com
Disclosure: This is a threat intelligence briefing for security professionals. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.
Threat Report: Table of Contents
- Chapter 1: Living Off the Cloud — The New Face of APT Infrastructure
- Chapter 2: The TTP — How SideWinder Weaponizes Developer Platforms
- Chapter 3: The Defender’s Playbook — Hunting for Malicious Use of Trusted Services
- Chapter 4: The Strategic Takeaway — The Death of the IP Blocklist
Chapter 1: Living Off the Cloud — The New Face of APT Infrastructure
State-sponsored threat actors are masters of evasion, and their latest technique is to hide in plain sight. Instead of setting up their own suspicious servers, they are now “Living Off the Cloud”—building their attack infrastructure on the back of legitimate, trusted, and globally recognized cloud services. This allows them to bypass traditional network defenses that rely on blocking known-bad domains. A new campaign by the **SideWinder APT**, which we are calling **“Operation SouthNet,”** is a masterclass in this technique, weaponizing popular developer platforms **Netlify** and **Cloudflare Pages** for espionage.
Chapter 2: The TTP — How SideWinder Weaponizes Developer Platforms
As we’ve detailed in our **previous reports on SideWinder**, the group is known for its sophisticated spear-phishing. In Operation SouthNet, they are using these developer platforms for two key stages of their attack chain:
1. Payload Hosting
The initial spear-phishing email contains a link not to a suspicious, unknown domain, but to a static site hosted on Netlify (`*.netlify.app`) or Cloudflare Pages (`*.pages.dev`). Because these domains have a stellar reputation, they are not blocked by email gateways or corporate firewalls. This site hosts the first-stage dropper, often a malicious LNK file inside a ZIP archive.
2. C2 Redirection
The malware payload that is ultimately executed does not connect directly to the attacker’s real C2 server. Instead, it beacons out to a serverless function (a Netlify Function or a Cloudflare Worker) hosted on these platforms. This function acts as a simple but effective redirector, forwarding the traffic to the attacker’s hidden backend server. This technique hides the true C2 IP address and makes the malware’s initial network traffic look like a legitimate connection to a trusted developer service.
Chapter 3: The Defender’s Playbook — Hunting for Malicious Use of Trusted Services
You cannot block all of Netlify or Cloudflare. Detection must shift from the network to the endpoint.
The #1 Hunt: Focus on the Process, Not the Destination
The key to detecting this TTP is context. While a web browser connecting to `netlify.app` is perfectly normal, a Microsoft Word or PowerShell process doing so is a definitive sign of an attack. This is where an **EDR** is your essential tool.
**The Golden Query for Your EDR:**
```text
ProcessName NOT IN ('chrome.exe', 'firefox.exe', 'msedge.exe')
AND NetworkConnection to destination_domain ENDS WITH ('.netlify.app', '.pages.dev')
```
This query will instantly highlight any non-browser process making connections to these platforms, which is a high-fidelity indicator of a “Living Off the Cloud” attack.
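The Golden Query above, worked through as runnable detection logic over constructed endpoint telemetry. This is an added example, not code from the original report or from any EDR vendor; the `NetEvent` record shape, the process allowlist, and every sample host, process and domain are assumptions.

```python
# Added example (not from the original report): the "Golden Query" above,
# expressed as a hunt over endpoint network-connection events.
# All records, hosts, process names and domains below are constructed.
from dataclasses import dataclass

# The trusted developer platforms the report says are abused.
LOTC_SUFFIXES = ("netlify.app", "pages.dev")

# Processes for which a connection to these platforms is expected. The
# report lists only these browsers; anything else is tuned per environment.
BROWSERS = frozenset({"chrome.exe", "firefox.exe", "msedge.exe"})

@dataclass(frozen=True)
class NetEvent:          # assumed record shape, not a real EDR schema
    host: str
    process: str         # image name or full path of the initiating process
    dest_domain: str     # DNS/SNI name the process connected to

def is_lotc_domain(domain: str) -> bool:
    """True if domain is the apex or a subdomain of an abused platform.
    Matches on a label boundary, so 'x.notnetlify.app' does not match
    while 'cdn.example.netlify.app' does; case and a trailing dot are ignored.
    """
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in LOTC_SUFFIXES)

def is_suspicious(ev: NetEvent, allowlist=BROWSERS) -> bool:
    """The report's query: non-browser process -> *.netlify.app / *.pages.dev."""
    proc = ev.process.lower().rsplit("\\", 1)[-1]   # strip a Windows path
    return proc not in allowlist and is_lotc_domain(ev.dest_domain)

def hunt(events, allowlist=BROWSERS):
    """Return the events that match the Living-Off-the-Cloud IOA."""
    return [ev for ev in events if is_suspicious(ev, allowlist)]

# Constructed sample telemetry; none of these are real indicators.
SAMPLE_EVENTS = [
    NetEvent("ws01", "chrome.exe", "docs.example.netlify.app"),        # browser: normal
    NetEvent("ws02", "WINWORD.EXE", "invoice-portal.netlify.app"),     # lure site
    NetEvent("ws02", "powershell.exe", "api-sync.pages.dev"),          # redirector beacon
    NetEvent("ws03", "outlook.exe", "status.notnetlify.app"),          # not the platform
    NetEvent("ws04", "C:\\Windows\\System32\\rundll32.exe", "Cdn.Pages.Dev."),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT {ev.host}: {ev.process} -> {ev.dest_domain}")
```

The suffix match is anchored on a label boundary, so the rule fires only for the two platforms the report names and not for lookalike domains. Environments where developer tooling legitimately talks to Netlify or Pages.dev should extend the allowlist rather than drop the rule.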
Detect the Undetectable: A modern **XDR platform** is non-negotiable for detecting these evasive TTPs. It provides the deep process-level visibility needed to see *what* is making the connection, not just *where* it is going.
Chapter 4: The Strategic Takeaway — The Death of the IP Blocklist
Operation SouthNet is a powerful case study in the failure of traditional, network-based threat intelligence. The era of defending your organization by simply blocking a list of known-bad IP addresses and domains is over. Sophisticated adversaries are now operating from the same trusted cloud and developer platforms that your own business relies on.
This forces a strategic shift in defensive thinking. As we detailed in our guide, **“The Critical Shift from IOCs to IOAs,”** your detection strategy must evolve. You must focus on the behavioral **Indicators of Attack (IOAs)**—the *how* of an attack—rather than the static **Indicators of Compromise (IOCs)**. Detecting an anomalous process making an outbound connection is an IOA, and it is a far more resilient and effective detection than trying to maintain an infinite blocklist of malicious domains.
About the Author
CyberDudeBivash is a cybersecurity strategist with 15+ years in APT tracking, threat hunting, and cloud security, advising CISOs across APAC. [Last Updated: October 07, 2025]
#CyberDudeBivash #SideWinder #APT #ThreatIntel #LivingOffTheCloud #CyberSecurity #InfoSec #ThreatHunting #Netlify #Cloudflare