
SloppyLemming Espionage Campaign Targets Pakistan and Bangladesh Using BurrowShell Backdoor and Rust RAT


SloppyLemming’s Evolving Threat: A Year-Long Cyber Campaign Against Pakistan and Bangladesh

In a significant escalation of cyber warfare in South Asia, the espionage group SloppyLemming—also known by the aliases Outrider Tiger and Fishing Elephant—has been conducting a year-long cyber offensive targeting high-value entities in both Pakistan and Bangladesh. Their efforts have been characterized by the deployment of sophisticated malware, including a new BurrowShell backdoor and a Rust-based remote access tool (RAT), to infiltrate sensitive infrastructure.

This recent campaign builds on earlier operations documented by Cloudflare’s CloudForce One in 2024, but it reflects a notable expansion in both the sophistication of the tooling and the scale of the infrastructure, marking a worrying trend in digital espionage.

Arctic Wolf, a notable cybersecurity firm, has attributed this aggressive campaign to SloppyLemming with moderate confidence. They point to a consistent profile of victims in South Asia, the reuse of Cloudflare Workers infrastructure, and familiar patterns of domain typosquatting. Additionally, the group’s ongoing reliance on frameworks like Havoc, coupled with the introduction of custom malware, underscores a blend of established and novel tactics in their cyber toolkit.

Targeting High-Profile Entities

Arctic Wolf’s investigations reveal that SloppyLemming has focused its attacks primarily on critical infrastructure sectors within both countries. These sectors include government agencies, defense organizations, telecommunications, energy suppliers, financial institutions, and even nuclear regulatory bodies. The strategic targeting of such vital institutions aligns with broader geopolitical motivations, suggesting that these cyber operations are part of a larger intelligence collection agenda tied to Indian interests.

Dual Attack Chains: Innovative Tactics

SloppyLemming has adapted its tactics by using two main spear-phishing attack chains for malware deployment. The primary chain uses PDF lures that redirect victims to ClickOnce application manifests. These manifests deliver a DLL sideloading bundle that abuses legitimate Microsoft binaries such as NGenTask.exe to load a malicious mscorsvc.dll loader together with an encrypted shellcode blob.

Upon decryption, this shellcode activates BurrowShell, which serves as an in-memory backdoor capable of executing a wide range of malicious activities including file operations, taking screenshots, running remote commands, and employing SOCKS proxy tunneling. Notably, BurrowShell disguises its command-and-control traffic as legitimate Windows Update communications over HTTPS, enhancing its stealth in an effort to avoid detection.

The secondary attack chain relies on macro-enabled Excel files that download and execute a renamed Microsoft binary. That binary then sideloads sppc.dll, which functions as a Rust-based keylogger and RAT. The tool logs keystrokes, manipulates files, conducts network reconnaissance, and captures screenshots, illustrating a significant pivot away from SloppyLemming’s previous reliance on traditional malware and pre-packaged frameworks like Cobalt Strike and Havoc.

Infrastructure Expansion: A Concerning Trend

Infrastructure analysis reveals that SloppyLemming has massively expanded its use of Cloudflare Workers. From January 2025 to January 2026, the group registered 112 workers.dev subdomains, a stark increase from the previously documented 13 domains in 2024. These domains closely imitate official Pakistani and Bangladeshi government and critical infrastructure entities, forming a crucial part of their payload delivery and command-and-control (C2) traffic architecture.

Despite their heightened operational sophistication, SloppyLemming has shown lapses in operational security, leaving multiple Workers instances exposed as open directories. This oversight inadvertently disclosed staged malware, including BurrowShell components and Havoc loaders, each encrypted with a distinct RC4 key. The slip allowed researchers to recover additional tools and confirm that SloppyLemming continues to lean on the Havoc framework alongside its custom implants.

Impact, Attribution, and Defense Strategies

The implications of this campaign are profound, particularly for the national security interests of both Pakistan and Bangladesh. The targeting of nuclear regulatory bodies, defense logistics, and vital telecom and financial institutions clearly aligns with strategic intelligence collection priorities in the region, and is consistent with assessments that SloppyLemming operates under the auspices of interests connected to India.

An internal event messaging mechanism referred to as "OneCollector" is embedded within the malware, designed to mimic legitimate Microsoft telemetry endpoints, further complicating detection efforts.

For organizations seeking to defend against these threats, Arctic Wolf recommends several crucial strategies. These include blocking confirmed malicious workers.dev hostnames, inspecting outbound HTTPS traffic that resembles Windows Update or utilizes specific Rust-tooling user agents, and employing detection content tailored specifically for BurrowShell and the Rust keylogger implants. Furthermore, mapping SloppyLemming’s activities to a wide array of MITRE ATT&CK techniques—including spear-phishing, DLL search order hijacking, and encrypted web C2—is paramount for understanding and mitigating the risks posed.

Defenders are advised to maintain strict controls over macros, carefully scrutinize PDFs and embedded URLs pointing to workers.dev domains, monitor for suspicious ClickOnce deployments, and keep an eye out for DLL sideloading involving legitimate Microsoft binaries in atypical locations.
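The two telemetry checks below, run over constructed sample events, show how the hunting leads above (workers.dev hostnames, Windows Update lookalike traffic, and the named implant DLLs loaded beside a Microsoft binary in an atypical directory) can be expressed as code. This is an added example, not Arctic Wolf's detection content; the Windows path prefix, the Microsoft host suffixes, and the Windows Update user-agent fragment are assumptions, and the Rust-tooling user agents the article mentions are not named on the page, so they are left out.

```python
# Added example (not from the article or Arctic Wolf): two triage checks for
# the hunting leads above, run over constructed sample telemetry. The path
# prefix, host suffixes and user-agent fragment are assumptions.
import ntpath

# DLLs the article names as sideloaded (mscorsvc.dll beside NGenTask.exe,
# sppc.dll beside a renamed Microsoft binary), loaded from outside Windows.
SIDELOADED_DLLS = {"mscorsvc.dll", "sppc.dll"}
WINDOWS_DIR = "c:\\windows\\"  # assumption: normal home of these DLLs

# Assumption: genuine Windows Update traffic only reaches Microsoft hosts.
UPDATE_HOST_SUFFIXES = (".windowsupdate.com", ".microsoft.com", ".windows.com")
UPDATE_UA_HINT = "windows-update-agent"  # assumed fragment of the WU user agent


def check_image_load(process_path: str, dll_path: str) -> list[str]:
    """Flag sideloading of the named implant DLLs from atypical directories."""
    findings = []
    dll = ntpath.basename(dll_path).lower()
    dll_dir = ntpath.dirname(dll_path).lower()
    if dll in SIDELOADED_DLLS and not dll_dir.startswith(WINDOWS_DIR):
        findings.append(f"{dll} loaded from atypical directory {dll_dir}")
        if ntpath.dirname(process_path).lower() == dll_dir:
            findings.append("DLL sits beside its host binary (sideload bundle)")
    return findings


def check_web_request(host: str, user_agent: str) -> list[str]:
    """Flag workers.dev staging/C2 hosts and Windows Update lookalike traffic."""
    findings = []
    host, ua = host.lower(), user_agent.lower()
    if host == "workers.dev" or host.endswith(".workers.dev"):
        findings.append("request to workers.dev hostname")
    if UPDATE_UA_HINT in ua and not host.endswith(UPDATE_HOST_SUFFIXES):
        findings.append("Windows Update user agent sent to non-Microsoft host")
    return findings


if __name__ == "__main__":
    # Constructed telemetry: a benign .NET load, a ClickOnce-staged bundle,
    # genuine update traffic, and a lookalike beacon to a workers.dev host.
    apps = r"C:\Users\u\AppData\Local\Apps\2.0\x"
    fw = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
    print(check_image_load(fw + r"\NGenTask.exe", fw + r"\mscorsvc.dll"))
    print(check_image_load(apps + r"\NGenTask.exe", apps + r"\mscorsvc.dll"))
    print(check_web_request("update.microsoft.com", "Windows-Update-Agent/10.0"))
    print(check_web_request("ministry-example.workers.dev", "Windows-Update-Agent/10.0"))
```

The first image-load call and the first web call return no findings; the ClickOnce-staged bundle and the workers.dev beacon each return two.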

In conclusion, SloppyLemming’s evolving tactics reflect an acute understanding of both technology and geopolitical realities, heralding a new chapter in cyber threats that underscores the pressing need for vigilance and robust defense mechanisms in South Asia.
