Full Report
New data from Arctic Wolf Labs shows that a threat actor known as SloppyLemming, also called Outrider Tiger... The post SloppyLemming espionage surge hitting defense, telecom, energy and finance in Pakistan and Bangladesh appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: SloppyLemming
## Attribution & Identity
* **Primary Identification:** SloppyLemming
* **Aliases:** Outrider Tiger, Fishing Elephant
* **Attribution Confidence:** Moderate (based on infrastructure use, tradecraft consistency, and victimology alignment with documented priorities).
* **Associated Activity:** Continuation of operations previously documented by Cloudflare's CloudForce One in September 2024.
## Activity Summary
SloppyLemming conducted an extensive cyber espionage campaign between January 2025 and January 2026, focusing on government entities and critical infrastructure operators across South Asia. This activity expands the scope of the group's previously documented operations, with researchers noting intelligence collection priorities consistent with regional strategic competition.
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Spear-phishing utilizing:
* PDF documents containing malicious URLs that redirect the victim to ClickOnce application manifest files.
* Macro-enabled Excel spreadsheets whose macros directly download and execute malicious binaries.
* **Execution & Evasion:**
* Multi-stage execution chains.
* DLL search order hijacking, abusing legitimate Microsoft binaries such as `NGenTask.exe` and `phoneactivate.exe` to achieve code execution and evade detection. Because the host process is a Microsoft-signed binary, controls that trust the executable rather than the DLLs it loads will not flag the planted library.
* **Command and Control (C2):**
* Use of the **Havoc C2 framework**.
* Abuse of **Cloudflare Workers infrastructure** (not a vulnerability in it) for C2 communications and payload delivery, which lets the traffic blend in with legitimate Cloudflare-fronted services.
* **Custom Tooling:**
* **BurrowShell:** An in-memory x64 shellcode backdoor supporting SOCKS proxy tunneling for network pivoting and lateral movement. Supports fifteen distinct commands (file manipulation, screenshot capture, shell commands, network pivoting).
* **Rust-based Keylogger:** Implant with expanded information-stealing capabilities, including remote command execution, file operations, and network reconnaissance.
## Targeting
* **Sectors:** Government, Defense, Telecommunications, Energy (Utilities), Financial Institutions, Nuclear Regulatory Bodies.
* **Geography:**
* **Primary Focus:** Pakistan and Bangladesh.
* **Secondary Focus:** Sri Lanka (defense-related entities).
* **Victims:**
* **Pakistan:** Nuclear regulatory bodies (e.g., PNRA), defense logistics organizations (e.g., National Logistics Corporation), telecommunications providers (e.g., PTCL).
* **Bangladesh:** Energy utilities (e.g., DESCO, PGCB), financial institutions.
* **General:** Government agencies, defense organizations.
## Tools & Infrastructure
* **Malware Families Used:** BurrowShell (custom backdoor), Custom Rust-based Keylogger, Havoc C2 framework.
* **Infrastructure:** 112 unique Cloudflare Workers domains used to impersonate Pakistani and Bangladeshi government entities for payload delivery and C2. Researchers noted operational security failures, with some C2 domains configured as open directories exposing malware components.
## Implications
The surge in activity and targeted focus on strategic sectors (defense, nuclear regulation, energy, telecom) in Pakistan and Bangladesh suggests alignment with intelligence collection priorities driven by regional strategic competition in South Asia. The group is actively upgrading its capabilities, evidenced by expanded tooling and the use of in-memory backdoors like BurrowShell for stealthier operations.
## Mitigations
Mitigations based on the observed TTPs should focus on:
1. Enhanced detection for DLL search order hijacking, particularly the legitimate Microsoft binaries named in the report (`NGenTask.exe`, `phoneactivate.exe`) running from non-standard paths or loading DLLs from user-writable directories.
2. Monitoring for activity originating from or communicating with Cloudflare Workers infrastructure (`*.workers.dev`), especially hostnames that mimic government domains.
3. Specific defense hardening for nuclear, defense, and critical infrastructure operators in Pakistan and Bangladesh.
4. Detection for SOCKS proxy tunneling indicative of lateral movement, such as a single workstation opening connections to many internal hosts and ports shortly after an outbound C2 session begins.
5. Security controls to prevent successful execution of malicious macro-enabled documents and suspicious ClickOnce manifests delivered via spear-phishing (for example, blocking macros from the internet and restricting ClickOnce installation sources).
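The following is an added example, not code from Arctic Wolf Labs or from the report: it runs two of the detections above (items 1 and 2) over a handful of constructed Sysmon-style events. The event shapes follow Sysmon field names (EventID 1 process create, 7 image load, 22 DNS query); the file paths, DLL name, and `workers.dev` hostnames are invented for illustration and are not indicators from the report, and the `GOV_TOKENS` watchlist is an assumed starting point to tune per organisation.

```python
"""Hunt constructed Sysmon-style events for two SloppyLemming tradecraft
signals: a trusted Microsoft binary abused for DLL search order hijacking,
and DNS lookups of workers.dev hostnames that impersonate government sites.
Added example; events below are constructed, not real telemetry."""
from __future__ import annotations
import ntpath

# Legitimate Microsoft binaries the report says were abused. Both normally
# live under the Windows directory, so running elsewhere is itself a signal.
ABUSED_LOLBINS = {"ngentask.exe", "phoneactivate.exe"}
WINDOWS_DIR = "c:\\windows\\"

# Assumed watchlist of tokens a lookalike government hostname might carry
# (ministry abbreviations, the sector victims named in the report). Tune it.
GOV_TOKENS = ("gov", "pnra", "ptcl", "desco", "pgcb")


def _under_windows(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def detect_dll_hijack(event: dict) -> str | None:
    """Flag an abused binary started outside the Windows directory, or one
    that loads a DLL from a non-system path or an unsigned DLL."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    if name not in ABUSED_LOLBINS:
        return None
    if event["EventID"] == 1 and not _under_windows(image):
        return f"{name} started outside the Windows directory: {image}"
    if event["EventID"] == 7:
        dll = event.get("ImageLoaded", "")
        if not _under_windows(dll) or event.get("Signed") != "true":
            return f"{name} loaded a suspicious DLL: {dll}"
    return None


def detect_workers_lookalike(event: dict) -> str | None:
    """Flag DNS queries for *.workers.dev names carrying a government token."""
    if event["EventID"] != 22:
        return None
    qname = event.get("QueryName", "").lower().rstrip(".")
    suffix = ".workers.dev"
    if not qname.endswith(suffix):
        return None
    label = qname[: -len(suffix)]
    if any(tok in label for tok in GOV_TOKENS):
        return f"workers.dev host resembling a government entity: {qname}"
    return None


def hunt(events: list[dict]) -> list[str]:
    """Run every detector over every event and collect the findings."""
    findings = []
    for ev in events:
        for detector in (detect_dll_hijack, detect_workers_lookalike):
            reason = detector(ev)
            if reason:
                findings.append(reason)
    return findings


# Constructed sample events (paths, DLL name and hostnames are invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\NGenTask.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\NGenTask.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\phoneactivate.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\phoneactivate.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 22, "QueryName": "pnra-gov-pk.example-acct.workers.dev"},
    {"EventID": 22, "QueryName": "staging-app.mycompany.workers.dev"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Of the six constructed events only three fire: the copied `NGenTask.exe` running from a user-writable directory, its load of an unsigned DLL from that same directory, and the lookalike `workers.dev` lookup. The legitimate `phoneactivate.exe` start and its load of `kernel32.dll` from System32 stay silent, which is the point of keying on path and signature rather than on the binary name alone.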