SloppyLemming Cyber Espionage Targeting Pakistan, Bangladesh with Advanced Malware Tools

SloppyLemming’s Sophisticated Cyber Espionage Campaign Targets Pakistan and Bangladesh

A cyber espionage group known as SloppyLemming, also referred to as Outrider Tiger and Fishing Elephant, has been conducting a sustained and sophisticated campaign against government entities and critical infrastructure operators in Pakistan and Bangladesh. This campaign, active from January 2025 to January 2026, has employed advanced malware tools and intricate attack chains to infiltrate and compromise high-value targets in the region.

Background and Attribution

SloppyLemming has been active since at least 2021, with a history of targeting sectors such as government, law enforcement, energy, telecommunications, and technology across South and East Asia. The group’s activities have been observed in countries including Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia. Previous campaigns have utilized malware families like Ares RAT and WarHawk, often associated with other threat actors such as SideCopy and SideWinder. The current campaign’s attribution to SloppyLemming is based on consistent exploitation of Cloudflare Workers infrastructure, deployment of the Havoc command-and-control (C2) framework, use of DLL side-loading techniques, and targeting patterns focused on South Asian government and critical infrastructure entities.

Attack Vectors and Methodology

The campaign employs two primary attack chains, both initiated through spear-phishing emails designed to deceive recipients into executing malicious payloads:

1. PDF Lure with ClickOnce Deployment:
– Victims receive emails containing PDF documents that appear legitimate but show deliberately blurred content and a fake “Download file” button.
– Clicking the button redirects the victim to a ClickOnce application manifest, which silently installs a multi-stage malware chain.
– This chain deploys a legitimate Microsoft .NET runtime executable (NGenTask.exe) alongside a malicious loader (mscorsvc.dll).
– The loader utilizes DLL side-loading to decrypt and execute a custom x64 shellcode implant named BurrowShell.

2. Macro-Enabled Excel Documents:
– Another vector involves Excel spreadsheets embedded with malicious macros.
– When opened, these documents download and execute malicious payloads from attacker-controlled servers.
– This method also employs DLL side-loading techniques to execute the malware within trusted Microsoft processes.
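The NGenTask.exe / mscorsvc.dll pairing in the first chain is a detectable pattern: the genuine runtime loads that DLL only from the .NET Framework directories, so the same pair appearing anywhere else (for example a ClickOnce application cache) is side-loading. The following hunting script is an added example, not code from the report or the group's tooling; it runs over constructed Sysmon-style image-load lines (event ID 7 with Image/ImageLoaded fields) and assumes a default Windows install path for the .NET Framework.

```python
"""Hunt for NGenTask.exe side-loading mscorsvc.dll in image-load telemetry (added example)."""
from pathlib import PureWindowsPath
from typing import Optional

# Where the genuine .NET Framework copies of NGenTask.exe and mscorsvc.dll live.
# Assumption: default system drive and install location; adjust if your hosts differ.
TRUSTED_PREFIXES = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)
SIDELOAD_PAIR = ("ngentask.exe", "mscorsvc.dll")


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key=Value' line (constructed Sysmon-like format, no spaces in paths)."""
    return dict(token.split("=", 1) for token in line.split())


def in_trusted_dir(path: str) -> bool:
    """True if the path sits under one of the genuine .NET Framework directories."""
    return str(PureWindowsPath(path)).lower().startswith(TRUSTED_PREFIXES)


def classify(event: dict) -> Optional[str]:
    """Return a finding string when the event matches the side-loading pattern, else None."""
    if event.get("EventID") != "7":  # only image-load events carry the host/DLL pairing
        return None
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if (host.name.lower(), dll.name.lower()) != SIDELOAD_PAIR:
        return None
    # The legitimate pairing only occurs inside the Framework directories; a relocated
    # NGenTask.exe or a mscorsvc.dll loaded from anywhere else is the side-loading signal.
    if in_trusted_dir(str(host)) and in_trusted_dir(str(dll)):
        return None
    signed = event.get("Signed", "unknown").lower()
    return (f"NGenTask.exe side-loading mscorsvc.dll from {dll.parent} "
            f"(pid {event.get('ProcessId', '?')}, signed={signed})")


def hunt(lines: list) -> list:
    """Run classify() over raw log lines and keep only the findings."""
    return [f for f in (classify(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample telemetry (not real logs): one benign runtime load, one process-create
# event, one load from a ClickOnce cache matching the attack chain, and one unrelated load.
SAMPLE_LOG = r"""
EventID=7 ProcessId=4120 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll Signed=true
EventID=1 ProcessId=5208 Image=C:\Users\alice\AppData\Local\Apps\2.0\XY12\NGenTask.exe
EventID=7 ProcessId=5208 Image=C:\Users\alice\AppData\Local\Apps\2.0\XY12\NGenTask.exe ImageLoaded=C:\Users\alice\AppData\Local\Apps\2.0\XY12\mscorsvc.dll Signed=false
EventID=7 ProcessId=612 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\wuaueng.dll Signed=true
""".strip().splitlines()

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The same check translates directly into an EDR or SIEM rule: match on the process and DLL names, then exclude the Framework directories rather than allow-listing anything by signature alone.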

Malware Tools: BurrowShell and Rust-Based Keylogger

The campaign introduces two newly documented malware tools:

1. BurrowShell:
– An in-memory shellcode implant delivered through the ClickOnce attack chain.
– Provides the threat actor with capabilities such as file system manipulation, screenshot capture, remote shell execution, and SOCKS proxy for network tunneling.
– Masquerades its C2 traffic as Windows Update service communications and employs RC4 encryption with a 32-character key for payload protection.

2. Rust-Based Keylogger:
– Delivered via the macro-enabled Excel documents.
– Equipped with keylogging capabilities, remote command execution, file operations, port scanning, and network enumeration.
– The use of the Rust programming language signifies an evolution in SloppyLemming’s tooling, moving beyond traditional compiled languages and adversary simulation frameworks.

Infrastructure and Operational Security

The campaign’s infrastructure is notably extensive:

– Researchers identified 112 unique Cloudflare Workers domains registered between January 2025 and January 2026, a significant increase from the 13 domains documented in prior reporting.
– These domains were crafted to impersonate legitimate government entities, including the Pakistan Nuclear Regulatory Authority, Pakistan Navy, Dhaka Electric Supply Company, and Bangladesh Bank.
– The peak of domain registrations occurred in July 2025, with 42 new domains added in that month alone.

Despite the sophisticated setup, operational security lapses were observed:

– Multiple Cloudflare Workers instances were left as open directories, unintentionally exposing staged malware components, including BurrowShell and Havoc loaders secured with distinct RC4 keys.
– This exposure provided researchers with rare visibility into the group’s infrastructure and tooling.

Targeted Sectors and Geopolitical Implications

The campaign’s targeting aligns with intelligence collection priorities consistent with regional strategic competition in South Asia:

– Pakistan: nuclear regulatory bodies, defense logistics organizations, telecommunications infrastructure, and government administration.
– Bangladesh: energy utilities, financial institutions, and media organizations.

This pattern suggests a focus on gathering intelligence related to critical infrastructure and governmental operations, potentially to gain strategic advantages in the region.

Recommendations for Mitigation

Organizations, especially those in the targeted sectors, should consider implementing the following measures to mitigate the risk posed by such sophisticated cyber espionage campaigns:

– Email Security:
– Implement advanced email filtering solutions to detect and block spear-phishing attempts.
– Educate employees on recognizing phishing emails and the dangers of opening attachments or clicking on links from unknown sources.

– Macro Management:
– Disable macros in Microsoft Office documents by default and only enable them for trusted documents.

– Application Control:
– Monitor and restrict the execution of ClickOnce applications, especially those downloaded from untrusted sources.

– Network Monitoring:
– Implement network monitoring to detect unusual traffic patterns, such as communications masquerading as Windows Update services.

– Endpoint Detection and Response (EDR):
– Deploy EDR solutions to detect and respond to malicious activities, including DLL side-loading and unauthorized process executions.

– Regular Updates and Patch Management:
– Ensure all systems and software are regularly updated to mitigate vulnerabilities that could be exploited by attackers.

Conclusion

The SloppyLemming cyber espionage campaign underscores the evolving threat landscape in South Asia, highlighting the need for robust cybersecurity measures and vigilance among organizations operating in the region. The use of advanced malware tools, sophisticated attack chains, and extensive infrastructure demonstrates the capabilities of nation-state actors in conducting prolonged and targeted cyber operations.