Full Report
The threat activity cluster known as SloppyLemming has been attributed to a fresh set of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. The activity, per Arctic Wolf, took place between January 2025 and January 2026. It involves the use of two distinct attack chains to deliver malware families tracked as BurrowShell and a Rust-based
Analysis Summary
# Threat Actor: SloppyLemming
## Attribution & Identity
* **Primary Moniker:** SloppyLemming
* **Known Aliases/Associated Groups:** Outrider Tiger, Fishing Elephant.
* **Capability Assessment:** Described as operating with moderate capability.
* **Observed Overlap:** Some aspects of tradecraft overlap with recent SideWinder activity (e.g., ClickOnce-based execution).
## Activity Summary
* **Recent Campaign Timeline:** January 2025 to January 2026 (per Arctic Wolf).
* **Operation Focus:** Conducted fresh attacks against government entities and critical infrastructure operators.
* **Historical Scope:** Targeting government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Sri Lanka, Bangladesh, and China since at least 2022.
* **Prior Malware:** Previously leveraged Ares RAT and WarHawk.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails delivering PDF lures or macro-enabled Excel documents.
* **Execution Chain (PDF Lure):** PDF decoys contain URLs leading to ClickOnce application manifests, which deploy `NGenTask.exe` and a malicious loader (`mscorsvc.dll`).
* **Execution Chain (Macro):** Excel documents utilize malicious macros to drop secondary payloads.
* **Persistence/Delivery:** DLL side-loading technique used to launch the main implant.
* **C2 Traffic:** BurrowShell C2 traffic masquerades as Windows Update service communications.
* **Obfuscation:** Payload protection via RC4 encryption with a 32-character key.
* **Infrastructure Use:** Extensive use of Cloudflare Workers infrastructure, with an eight-fold increase in domain registrations (112 domains registered in the campaign year).
* **Tooling Evolution:** Notable evolution from traditional compiled languages and borrowed frameworks (Cobalt Strike, Havoc, NekroWire RAT) to the incorporation of custom Rust-based tooling.
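The side-loading chain above (a legitimate .NET host, `NGenTask.exe`, picking up a malicious `mscorsvc.dll` placed beside it) is the kind of thing image-load telemetry catches well. The script below is an added example written for this summary, not code from the report or from Arctic Wolf: it parses constructed Sysmon-style image-load records (the `k=v|k=v` format, the paths and the simplified `Signed` field are all made up here) and flags a watched host binary or DLL running from outside the Windows directory, or an unsigned copy of the watched DLL. The trusted-prefix list is an assumption a deployment would tune.

```python
import ntpath

# Constructed Sysmon Event ID 7 (image load) style records; not telemetry from the report.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\NGenTask.exe"
    "|ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvc.dll|Signed=true",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Deploy\\NGenTask.exe"
    "|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\Deploy\\mscorsvc.dll|Signed=false",
    "Image=C:\\Program Files\\Vendor\\app.exe"
    "|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|Signed=true",
]

# Assumption: the legitimate homes of these binaries are under the Windows directory.
TRUSTED_PREFIXES = ("c:\\windows\\",)
# Names from the report: the .NET host abused as the side-loading parent and the loader DLL.
WATCHED_HOSTS = {"ngentask.exe"}
WATCHED_DLLS = {"mscorsvc.dll"}


def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' record (constructed log format) into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def assess(event: dict) -> list:
    """Return the reasons an image load looks like DLL side-loading (empty if benign)."""
    reasons = []
    host = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if host in WATCHED_HOSTS and not _in_trusted_dir(event["Image"]):
        reasons.append(f"{host} running from non-system path {event['Image']}")
    if dll in WATCHED_DLLS and not _in_trusted_dir(event["ImageLoaded"]):
        reasons.append(f"{dll} loaded from non-system path {event['ImageLoaded']}")
    if dll in WATCHED_DLLS and event.get("Signed", "").lower() != "true":
        reasons.append(f"{dll} is not signed")
    return reasons


def scan(lines) -> list:
    """Return (record_index, reasons) for every record that trips at least one rule."""
    findings = []
    for i, line in enumerate(lines):
        reasons = assess(parse_event(line))
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"record {idx}:")
        for r in reasons:
            print("  -", r)
```

The first record (the real host and DLL under the .NET framework directory, signed) is silent; the second record trips all three rules. Matching on the DLL name alone would also fire on the legitimate copy, which is why the path and signature checks are combined with it.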
## Targeting
* **Sectors:** Government, Critical Infrastructure, Law Enforcement, Energy (utilities), Telecommunications, Financial Institutions, Defense Logistics, Nuclear Regulatory Bodies.
* **Geography:** Pakistan and Bangladesh (recent focus); historical targeting includes Sri Lanka and China.
* **Victims:** Specific targets mentioned include Pakistani nuclear regulatory bodies, defense logistics organizations, telecommunications infrastructure, and Bangladeshi energy utilities and financial institutions.
## Tools & Infrastructure
* **Malware Families Used:**
* BurrowShell (Custom, full-featured backdoor supporting shell execution, file system manipulation, screenshot capture, and SOCKS proxy capabilities).
* Rust-based keylogger (Used for information stealing, includes port scanning and network enumeration features).
* **Prior/Associated Tools:** Cobalt Strike, Havoc, NekroWire RAT, Ares RAT, WarHawk.
* **Infrastructure (C2):** 112 Cloudflare Workers domains registered during the campaign year, utilizing government-themed typo-squatting patterns. (No specific URLs/IPs provided in the context to defang).
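The report gives no domains to defang, but it does describe the pattern: Cloudflare Workers hostnames dressed up as government sites. The heuristic below is an added example for this summary, not code from the report or from Arctic Wolf. It assumes the hostnames sit under the `workers.dev` suffix and scores each candidate against a short list of legitimate organisation labels using edit distance, substring embedding and government-themed keywords; the legitimate domains and candidates are constructed placeholders, and the point weights are an assumption to tune.

```python
# Constructed placeholders; replace with the legitimate domains an organisation actually uses.
LEGIT_DOMAINS = ["ministry-example.gov.pk", "energy-example.gov.bd"]
# Constructed candidate hostnames, not indicators from the report.
CANDIDATES = [
    "ministry-exarnple.workers.dev",
    "energy-example-portal.workers.dev",
    "weather-widget.workers.dev",
    "gov-bd-login.workers.dev",
]
GOV_KEYWORDS = ("gov", "govt", "ministry")
WORKERS_SUFFIX = ".workers.dev"  # assumption: the observed hostnames use this suffix


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def org_label(domain: str) -> str:
    """The leftmost label, which is what a typo-squat imitates."""
    return domain.split(".")[0].lower()


def score_domain(candidate: str) -> tuple:
    """Return (points, reasons); higher points mean a closer imitation of a legitimate name."""
    if not candidate.lower().endswith(WORKERS_SUFFIX):
        return 0, ["not a Cloudflare Workers hostname"]
    label = org_label(candidate)
    points, reasons = 0, []
    for legit in LEGIT_DOMAINS:
        ref = org_label(legit)
        d = levenshtein(label, ref)
        if d <= 2:                       # near-identical label (weights are an assumption)
            points += 3
            reasons.append(f"within {d} edits of {ref}")
        elif ref in label:               # legitimate label embedded in a longer one
            points += 2
            reasons.append(f"embeds legitimate label {ref}")
    if any(k in label for k in GOV_KEYWORDS):
        points += 1
        reasons.append("government-themed keyword")
    return points, reasons


def triage(candidates) -> list:
    """Candidates sorted by descending score, dropping those that scored nothing."""
    scored = [(c, *score_domain(c)) for c in candidates]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])


if __name__ == "__main__":
    for host, points, reasons in triage(CANDIDATES):
        print(f"{points:2d}  {host}  ({'; '.join(reasons)})")
```

In practice the candidate list comes from passive DNS or certificate-transparency feeds filtered to the Workers suffix; the scorer only orders what is already collected.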
## Implications
The actor exhibits increasing sophistication by adopting modern development languages (Rust) for tooling creation, suggesting a commitment to developing custom capabilities rather than solely relying on off-the-shelf frameworks. The strategic targeting of sensitive sectors in South Asia (nuclear bodies, defense, energy) strongly indicates intelligence gathering related to regional strategic competition. The massive increase in Cloudflare Workers utilization suggests an attempt to rapidly scale infrastructure while maintaining low detection profiles.
## Mitigations
* Monitor for spear-phishing emails utilizing PDF lures or macro-enabled documents targeting government/critical infrastructure employees.
* Implement robust defense against DLL side-loading techniques.
* Review network traffic for anomalous communications masquerading as Windows Update services; adding RC4 decryption to security tooling allows captured payloads to be inspected rather than only flagged.
* Monitor for the deployment of ClickOnce application manifests as initial execution vectors.
* Increase scrutiny on infrastructure leveraging Cloudflare Workers for command and control, specifically looking for government-themed typo-squatted domains.
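The RC4 decryption step mentioned in the mitigations is small enough to carry in analyst tooling directly. The block below is an added example for this summary, not code from the report or from Arctic Wolf: a from-scratch RC4 (key scheduling plus keystream generation) with a helper that tries a candidate 32-character key on a captured blob and reports whether the result starts with the `MZ` header of a Windows executable. The key and encrypted blob are constructed here; nothing about the actor's real key or payloads is known from the page.

```python
def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def try_decrypt(blob: bytes, key: str) -> dict:
    """Decrypt with a candidate key and sanity-check the result.

    key_len_ok compares against the 32-character key length the report describes;
    is_pe is true when the plaintext begins with the 'MZ' executable header.
    """
    plain = rc4_crypt(key.encode("ascii"), blob)
    return {
        "plaintext": plain,
        "is_pe": plain.startswith(b"MZ"),
        "key_len_ok": len(key) == 32,
    }


# Constructed key and payload for the demonstration; not values from the report.
CONSTRUCTED_KEY = "0123456789abcdef0123456789abcdef"
CONSTRUCTED_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for an encrypted implant"
SAMPLE_BLOB = rc4_crypt(CONSTRUCTED_KEY.encode("ascii"), CONSTRUCTED_PAYLOAD)


if __name__ == "__main__":
    result = try_decrypt(SAMPLE_BLOB, CONSTRUCTED_KEY)
    print("key length matches report:", result["key_len_ok"])
    print("looks like a PE:", result["is_pe"])
    print("first bytes:", result["plaintext"][:16])
```

The `MZ` check is a cheap way to tell a correct key from a wrong one when the payload is a DLL or EXE; for other payload types substitute whatever header or structure the sample is expected to have.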