
The threat activity cluster known as SloppyLemming is believed to be behind a new set of attacks targeting government agencies and critical infrastructure operators in Pakistan and Bangladesh.
According to Arctic Wolf, the activity took place between January 2025 and January 2026 and involved two distinct attack chains delivering malware families tracked as BurrowShell and Rust-based keyloggers.
“The use of the Rust programming language represents a significant evolution in SloppyLemming’s tools. Previous reports documented the attackers using only traditional compiled languages and borrowing adversarial simulation frameworks such as Cobalt Strike, Havoc, and a custom NekroWire RAT,” the cybersecurity firm said in a report shared with The Hacker News.
SloppyLemming is the nickname assigned to a threat actor known to target governments, law enforcement, energy, telecommunications, and technology companies in Pakistan, Sri Lanka, Bangladesh, and China since at least 2022. It has also been tracked under the names Outrider Tiger and Fishing Elephant.
Previous campaigns by the group have used malware families such as Ares RAT and WarHawk, tools also associated with SideCopy and SideWinder, respectively.
Arctic Wolf's analysis of the latest attacks found that spear-phishing emails deliver PDF lures and macro-enabled Excel documents to initiate the infection chains. The activity has been attributed to the group with medium confidence.
The PDF decoy contains a URL designed to direct the victim to a ClickOnce application manifest, which deploys a legitimate Microsoft .NET runtime executable (‘NGenTask.exe’) and a malicious loader (‘mscorsvc.dll’). The loader is launched using DLL sideloading to decrypt and execute a custom x64 shellcode implant codenamed BurrowShell.
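As an added defensive illustration that is not part of Arctic Wolf's report or the original article, the following Python scans Sysmon-style image-load records for the NGenTask.exe / mscorsvc.dll sideloading pattern described above: the genuine runtime binary and DLL live under the .NET framework directories, so a load of that DLL name from anywhere else (such as a ClickOnce application cache) is suspicious. The trusted directory list, the ClickOnce cache path and the sample events are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Directories where a default .NET install ships NGenTask.exe and mscorsvc.dll (assumed default paths).
TRUSTED_DOTNET_ROOTS = ("c:\\windows\\microsoft.net\\framework\\",
                        "c:\\windows\\microsoft.net\\framework64\\")
HOST_BINARY = "ngentask.exe"      # legitimate runtime binary abused as the sideloading host
SIDELOADED_DLL = "mscorsvc.dll"   # DLL name the malicious loader impersonates

def _in_trusted_root(path):
    """True if the Windows path sits below one of the .NET framework directories."""
    return path.lower().replace("/", "\\").startswith(TRUSTED_DOTNET_ROOTS)

def flag_sideload(event):
    """Inspect one Sysmon Event ID 7 (image load) record and return a reason string
    when it matches the NGenTask.exe / mscorsvc.dll sideloading pattern, else None."""
    image, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    if PureWindowsPath(image).name.lower() != HOST_BINARY:
        return None
    if PureWindowsPath(loaded).name.lower() != SIDELOADED_DLL:
        return None
    if not _in_trusted_root(image):
        return f"NGenTask.exe executed outside the .NET framework directory: {image}"
    if not _in_trusted_root(loaded):
        return f"mscorsvc.dll loaded from outside the .NET framework directory: {loaded}"
    if str(event.get("Signed", "")).lower() == "false":
        return f"unsigned mscorsvc.dll loaded by NGenTask.exe: {loaded}"
    return None

def scan_events(jsonl):
    """Run flag_sideload over newline-delimited JSON events and collect the reasons raised."""
    records = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [reason for reason in map(flag_sideload, records) if reason]

# Constructed sample telemetry (not real logs): a benign runtime load, a sideload staged in a
# ClickOnce application cache, and an unrelated image load.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\analyst\AppData\Local\Apps\2.0\EXAMPLE\NGenTask.exe",
     "ImageLoaded": r"C:\Users\analyst\AppData\Local\Apps\2.0\EXAMPLE\mscorsvc.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
])

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The same logic ports directly to a SIEM rule: match on the loaded DLL name, then exclude loads whose image and DLL paths both sit under the framework directories.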

“BurrowShell is a full-featured backdoor that provides threat actors with file system manipulation, screenshot capture capabilities, remote shell execution, and SOCKS proxy functionality for network tunneling,” said Arctic Wolf. “The implant disguises command and control (C2) traffic as Windows Update service communications and employs RC4 encryption with a 32-character key for payload protection.”
The second attack chain uses an Excel document containing malicious macros to drop a keylogger that also includes port scanning and network enumeration capabilities.
Further investigation into the threat actor’s infrastructure identified 112 Cloudflare Workers domains registered over the past year, an 8x increase from the 13 domains reported by Cloudflare in September 2024.
The campaign is linked to SloppyLemming on the basis of government-themed typosquatting patterns, deployment of the Havoc C2 framework, DLL sideloading techniques, continued abuse of Cloudflare Workers infrastructure, and victimology patterns.
It is noteworthy that several aspects of the threat actor’s methodology, including the use of ClickOnce-enabled execution, overlap with the recent SideWinder campaign documented by Trellix in October 2025.
“Specifically, targeting Pakistan’s nuclear regulatory agency, defense logistics organization, and telecommunications infrastructure, along with Bangladeshi energy utilities and financial institutions, is consistent with intelligence gathering priorities consistent with South Asia’s regional strategic competition,” Arctic Wolf said.
“The dual payload deployment (in-memory shellcode BurrowShell for C2 and SOCKS proxy operations, and a Rust-based keylogger for information theft) suggests that the attackers maintain flexibility to deploy appropriate tools based on objective values and operational requirements.”
