SloppyLemming’s Espionage Tactics: Unveiling the BurrowShell Backdoor and Rust-Based RAT
A sophisticated cyber espionage campaign has been identified, targeting critical sectors in Pakistan and Bangladesh. The threat actor, dubbed SloppyLemming, has been active since 2021 and is believed to be aligned with Indian interests. Also known by aliases such as Outrider Tiger and Fishing Elephant, this group has recently deployed two advanced tools: a custom backdoor named BurrowShell and a Rust-based Remote Access Trojan (RAT) equipped with keylogging capabilities.
Attack Vectors and Methodologies
Between January 2025 and January 2026, SloppyLemming orchestrated a series of attacks utilizing two primary vectors:
1. PDF-Based Spear-Phishing: Victims received PDF documents displaying blurred content accompanied by a deceptive "Download file" button. Clicking this button redirected users to a ClickOnce application manifest, which clandestinely initiated a multi-stage malware deployment on their systems.
2. Macro-Enabled Excel Spreadsheets: In this approach, recipients were sent Excel files embedded with macros. Once these macros were enabled, they discreetly downloaded and executed malicious payloads from servers controlled by the attackers.
Both attack vectors relied on DLL search order hijacking (side-loading): the attacker drops a malicious DLL in the same directory as a legitimate, signed Microsoft binary, which resolves the DLL from its own directory in preference to the system copy. The malicious code therefore runs inside a trusted, signed process, which undermines application allow-listing and reputation-based controls that key on the host executable rather than on what it loads.
Infrastructure and Targeted Entities
The scale of SloppyLemming’s operations is underscored by the extensive infrastructure supporting the campaign. Researchers identified 112 unique Cloudflare Workers domains registered between January 2025 and January 2026—a significant increase from the 13 domains documented in previous reports. These domains were meticulously crafted to impersonate legitimate government entities, including the Pakistan Nuclear Regulatory Authority, Pakistan Navy, Dhaka Electric Supply Company, and Bangladesh Bank. Notably, July 2025 saw a peak in activity, with 42 new domains registered in that month alone.
The sectors targeted in Pakistan encompassed nuclear oversight, defense logistics, telecommunications, and government administration. In Bangladesh, the focus was on energy utilities, financial institutions, and media organizations. This targeting aligns with intelligence-gathering objectives pertinent to regional dynamics in South Asia, indicating a well-organized and sustained espionage effort.
Deep Dive into BurrowShell’s Infection Mechanism
BurrowShell operates as an in-memory shellcode implant, primarily delivered through the ClickOnce attack vector. The infection sequence is as follows:
1. Loader Activation: A malicious loader named `mscorsvc.dll` is loaded by a renamed copy of the Microsoft .NET binary `NGenTask.exe`, presented as `OneDrive.exe`. Both files reside in the same directory, so the signed binary picks up the attacker's DLL through search order hijacking.
2. Execution Environment Verification: Before proceeding, the loader checks that its host process is running from the directory it expects. If the check fails, the loader exits without doing anything malicious, so an analyst who runs the DLL from a different path, or a sandbox that stages it elsewhere, observes nothing.
3. Persistence Establishment: Once the check passes, the loader creates a value under `Software\Microsoft\Windows\CurrentVersion\Run` pointing at `OneDrive.exe`, so the renamed binary, and with it the loader, is started again at each user logon.
4. Payload Deployment: The loader reads an RC4-encrypted file named `system32.dll` and decrypts it with a hardcoded 32-character key. The decrypted BurrowShell shellcode is executed directly in memory and is never written to disk in plaintext; the only on-disk artefact is an RC4 blob with no recognisable signature, which is why file-based scanners tend to miss it.
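To make step 4 concrete, below is an RC4 decryptor of the kind an analyst would use to recover a payload staged as `system32.dll`. This is example code added to this article, not SloppyLemming's loader and not code from the underlying report; the key, the ciphertext and the triage heuristic are constructed here, because the real 32-character key is not published on this page, and the assumption that the key is used as raw ASCII bytes with no key derivation is labelled in the code.

```python
"""RC4 helper for recovering a BurrowShell-style payload staged on disk.
Example code added by the editor; the key and the ciphertext below are
constructed here, since the report does not publish the real key."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by the keystream generator (PRGA).
    RC4 is symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_staged_payload(blob: bytes, key: bytes) -> bytes:
    """Decrypt a 'system32.dll'-style blob. The loader described above uses a
    32-character hardcoded key; the length check is a sanity check on the
    operator's input. Assumption: the key is fed to RC4 as raw bytes, no KDF."""
    if len(key) != 32:
        raise ValueError("expected a 32-byte key")
    return rc4(key, blob)


def looks_like_code(blob: bytes) -> str:
    """Crude triage of the decryptor's output: PE image, plausible shellcode
    prologue (CLD / CALL / JMP opcodes, a heuristic only), or unknown."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:1] in (b"\xfc", b"\xe8", b"\xeb", b"\xe9"):
        return "shellcode?"
    return "unknown"


# Constructed sample: a fake shellcode stub encrypted under a made-up key.
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"
SAMPLE_PLAINTEXT = b"\xfc\x48\x83\xe4\xf0\xe8" + b"SAMPLE BURROWSHELL STUB"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)  # what 'system32.dll' would hold on disk

if __name__ == "__main__":
    recovered = decrypt_staged_payload(SAMPLE_BLOB, SAMPLE_KEY)
    print(looks_like_code(recovered), recovered[:16].hex())
```

Feed the real key and the raw bytes of `system32.dll` to `decrypt_staged_payload` to obtain the shellcode the loader injects; `looks_like_code` only says whether the output starts like a PE or a typical shellcode prologue and does not replace disassembly. The `rc4` routine can be checked against the standard test vector (key `Key`, plaintext `Plaintext` gives `BBF316E8D940AF0AD3`) before trusting it on a sample.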
Once active, BurrowShell communicates with its command-and-control (C2) server over port 443, masquerading its traffic as legitimate Windows Update communications. After registering the infected host’s system details, it enters a continuous loop, awaiting commands from the C2 server. The implant supports a range of commands, including file operations, screenshot capture, shell command execution, and SOCKS proxy tunneling.
Rust-Based RAT and Additional Capabilities
In addition to BurrowShell, SloppyLemming deployed a Rust-based Remote Access Trojan (RAT) through the macro-enabled Excel spreadsheet attack vector. This RAT extends the group’s capabilities by incorporating:
– Keylogging: Recording keystrokes to capture sensitive information such as passwords and confidential communications.
– Port Scanning: Identifying open ports on reachable hosts to discover exposed services and further targets.
– Network Enumeration: Mapping the network to understand its structure and identify potential targets for lateral movement.
Recommendations for Mitigation
Organizations operating within government, defense, and critical infrastructure sectors are advised to implement the following defensive measures:
– Email Security Enhancements: Configure email security tools to block PDF files containing embedded URLs that point to Cloudflare Workers subdomains.
– Macro Execution Policies: Disable macro execution in Office documents received from external sources to prevent automatic execution of malicious code.
– Network Monitoring: Vigilantly monitor network traffic for connections to `.workers.dev` domains and enable SSL/TLS inspection to scrutinize encrypted traffic directed toward suspicious destinations.
– Endpoint Detection: Establish rules to flag instances where `NGenTask.exe` or `phoneactivate.exe` load DLLs from non-standard paths. Because the campaign ran `NGenTask.exe` under the name `OneDrive.exe`, match on the executable's original file name or hash rather than on its on-disk name. Additionally, monitor for unexpected entries in the `CurrentVersion\Run` registry key.
– Security Awareness Training: Conduct regular training sessions to educate employees about the dangers of spear-phishing and the importance of not enabling macros or clicking on unverified links.
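The endpoint and network rules above, implemented as an added example over constructed Sysmon-style events. This is not code from the report: the events, ProcessGuids, paths and hostnames are made up, and the trusted-root lists are assumptions to tune per environment. What it adds to the bullet list is correlation: because the campaign ran `NGenTask.exe` under the name `OneDrive.exe`, the DLL-load rule keys on the original file name recorded at process creation (Sysmon's `OriginalFileName` field) rather than on the on-disk name.

```python
"""Hunt rules for the SloppyLemming tradecraft described above, run over
constructed Sysmon-style events. Example code added by the editor, not
from the original report. The events, paths, ProcessGuids and hostnames
are made up; the field names follow Sysmon's schema."""
from pathlib import PureWindowsPath

# Microsoft binaries the report names as DLL side-loading hosts.
WATCHED_ORIGINAL_NAMES = {"ngentask.exe", "phoneactivate.exe"}
# DLL loads / Run-key targets under these roots are treated as expected (assumption, tune locally).
TRUSTED_DLL_ROOTS = ("c:\\windows\\",)
TRUSTED_EXE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed sample events (Sysmon Event IDs: 1 process create, 7 image load,
# 13 registry value set, 3 network connection). Process {A1} is the intrusion.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\alice\AppData\Local\Temp\OneDrive.exe",
     "OriginalFileName": "NGenTask.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": r"C:\Users\alice\AppData\Local\Temp\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\mscorsvc.dll"},
    {"EventID": 13, "ProcessGuid": "{A1}", "Image": r"C:\Users\alice\AppData\Local\Temp\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Temp\OneDrive.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Users\alice\AppData\Local\Temp\OneDrive.exe",
     "DestinationHostname": "pnra-gov-pk.example.workers.dev", "DestinationPort": 443},
    # Benign: the genuine NGenTask.exe loading a DLL from its install directory.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "OriginalFileName": "NGenTask.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]


def hunt(events):
    """Return a list of (rule, detail) findings over a sequence of event dicts."""
    # Pass 1: map each process to the original file name Sysmon read from its
    # version resource, so a renamed NGenTask.exe ("OneDrive.exe") still
    # resolves to ngentask.exe when its later DLL loads are examined.
    original_name = {}
    for ev in events:
        if ev.get("EventID") == 1:
            original_name[ev.get("ProcessGuid")] = ev.get("OriginalFileName", "").lower()

    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        on_disk_name = PureWindowsPath(image).name.lower()
        # Fall back to the on-disk name when no process-create event was seen.
        orig = original_name.get(ev.get("ProcessGuid"), on_disk_name)

        if eid == 1 and orig in WATCHED_ORIGINAL_NAMES and on_disk_name != orig:
            findings.append(("renamed_ms_binary", f"{image} is really {orig}"))

        if eid == 7 and orig in WATCHED_ORIGINAL_NAMES:
            loaded = ev.get("ImageLoaded", "")
            if not loaded.lower().startswith(TRUSTED_DLL_ROOTS):
                findings.append(("dll_sideload", f"{orig} loaded {loaded}"))

        if eid == 13 and RUN_KEY_FRAGMENT in ev.get("TargetObject", "").lower():
            target = ev.get("Details", "")
            # Only flag Run values that point outside the usual install roots.
            if not target.lower().startswith(TRUSTED_EXE_ROOTS):
                findings.append(("run_key_persistence", f"{ev['TargetObject']} -> {target}"))

        if eid == 3 and ev.get("DestinationHostname", "").lower().endswith(".workers.dev"):
            findings.append(("workers_dev_c2",
                             f"{image} -> {ev['DestinationHostname']}:{ev.get('DestinationPort')}"))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Against the constructed events the intrusion process trips all four rules while the genuine `NGenTask.exe` and the browser connection trip none. The `.workers.dev` rule is only as good as the visibility you have into DNS or SNI, which is why the network bullet above pairs it with TLS inspection; the Run-key rule is deliberately narrowed to values pointing outside installation directories, since unfiltered Run-key writes are noisy on a normal fleet.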
By adopting these measures, organizations can bolster their defenses against sophisticated threats like those posed by SloppyLemming, thereby safeguarding sensitive information and maintaining operational integrity.