PROBABLYPWNED | Threat Intelligence | March 8, 2026 | 4 min read

SloppyLemming Espionage Campaign Targets South Asian Governments

India-linked APT deploys BurrowShell backdoor and Rust-based RAT against Pakistan nuclear agencies, Bangladesh banks, and Sri Lankan government. 112 C2 domains identified.

Alex Kowalski

An India-linked threat actor tracked as SloppyLemming has conducted a year-long espionage campaign targeting government agencies and critical infrastructure operators in Pakistan, Bangladesh, and Sri Lanka. Arctic Wolf researchers documented the operation spanning January 2025 through January 2026, revealing two newly identified malware families and a significant infrastructure expansion.

The campaign's targets align with Indian strategic interests: Pakistan's nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure; Bangladesh's energy utilities and financial institutions. The scope and targeting pattern are consistent with state-directed intelligence collection rather than financially motivated cybercrime.

BurrowShell and Rust RAT

Arctic Wolf documented two malware families deployed across the campaign.

BurrowShell is a full-featured backdoor written in an unspecified compiled language. Capabilities include file system manipulation, screenshot capture, remote shell execution, and SOCKS proxy functionality for tunneling additional traffic. The implant disguises its command-and-control traffic as Windows Update communications, using RC4 encryption with 32-character keys to obfuscate payloads.

The second tool is a Rust-based remote access trojan with integrated keylogging. The choice of Rust represents an evolution in SloppyLemming's tooling—previous campaigns relied on more traditional compiled languages. The RAT also includes port scanning and network enumeration features, suggesting post-compromise lateral movement objectives.

Delivery Chain

Initial access follows two primary paths.

The first uses spear-phishing emails containing PDF lures with blurred content and a fake "Download file" button. Clicking the button redirects victims to a ClickOnce application manifest that silently deploys a multi-stage malware chain. ClickOnce abuse continues to be popular among threat actors because it bypasses many email security controls—the actual malware download happens through Windows mechanisms rather than direct attachment.

The second path uses macro-enabled Excel documents that initiate DLL side-loading. The attackers deploy a legitimate Microsoft .NET runtime executable (NGenTask.exe) alongside a malicious loader (mscorsvc.dll). When NGenTask.exe runs, it loads the malicious DLL, which then deploys the final payload.

The lure themes targeted regional sensitivities. Arctic Wolf observed documents impersonating the Pakistan Nuclear Regulatory Authority, Pakistan Navy, Dhaka Electric Supply Company, and Bangladesh Bank.

112 Cloudflare Workers Domains

The campaign infrastructure expanded dramatically compared to prior SloppyLemming operations. Arctic Wolf identified 112 unique Cloudflare Workers domains registered between January 2025 and January 2026—an eight-fold increase from the 13 domains documented in September 2024 reporting.

Cloudflare Workers abuse provides several operational advantages: legitimate-looking domain names, automatic TLS certificates, geographic distribution, and the general trust that Cloudflare infrastructure carries with corporate security tools. Many organizations whitelist Cloudflare traffic, reducing the likelihood of detection.

The domains followed government-themed typosquatting patterns, designed to appear legitimate to targets expecting communications from their own agencies.

Attribution Context

SloppyLemming has operated since at least 2021 under various names including Outrider Tiger and Fishing Elephant. The group's consistent targeting of Pakistan, Bangladesh, and regional neighbors aligns with Indian government intelligence priorities. Arctic Wolf characterized the threat actor as operating with "moderate capability," noting tradecraft overlaps with SideWinder campaigns documented by Trellix in October 2025.

India-nexus cyber operations have escalated alongside regional tensions. The campaign's focus on nuclear regulatory bodies and defense logistics in Pakistan suggests intelligence collection priorities rather than disruptive intent—at least for now.

Detection and Defense

Organizations in the targeted regions should:

  1. Block known infrastructure — The 112 Cloudflare Workers domains should be added to blocklists as they are identified
  2. Inspect ClickOnce traffic — Unusual ClickOnce application deployments warrant investigation
  3. Monitor for spoofed Windows Update traffic — BurrowShell's RC4-encrypted C2 masquerades as Windows Update communications and may be detectable through traffic analysis
  4. Review DLL loading — NGenTask.exe loading mscorsvc.dll from unusual locations is a strong indicator
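The fourth item can be turned into a concrete hunt. The following is an added example for this article, not code from Arctic Wolf or from the report; it assumes Sysmon Event ID 7 (ImageLoad) records already parsed into dicts with `Image` and `ImageLoaded` fields, and the sample records are constructed, not real incident telemetry. It flags NGenTask.exe loading mscorsvc.dll whenever either file sits outside the .NET Framework directory tree where both legitimately live.

```python
"""Hunt for the NGenTask.exe / mscorsvc.dll side-loading pattern in image-load telemetry.

Added example, not from the Arctic Wolf report. Assumes Sysmon Event ID 7
records parsed into dicts with 'Image' and 'ImageLoaded'; sample data is constructed.
"""
import ntpath
from typing import Iterable

# Directories where the genuine .NET Framework ships NGenTask.exe and mscorsvc.dll.
EXPECTED_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)


def _under_expected_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in EXPECTED_DIRS)


def is_suspicious_image_load(event: dict) -> bool:
    """True when NGenTask.exe loads mscorsvc.dll and either file is outside the .NET tree."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(image).lower() != "ngentask.exe":
        return False
    if ntpath.basename(loaded).lower() != "mscorsvc.dll":
        return False
    # Legitimate NGen activity keeps both the host binary and the DLL in the framework tree.
    return not (_under_expected_dir(image) and _under_expected_dir(loaded))


def find_sideload_events(events: Iterable[dict]) -> list:
    return [e for e in events if is_suspicious_image_load(e)]


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},  # benign
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\NGenTask.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\mscorsvc.dll"},  # copied pair, side-load
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\ProgramData\mscorsvc.dll"},  # real host, planted DLL
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},  # unrelated
]

if __name__ == "__main__":
    for hit in find_sideload_events(SAMPLE_EVENTS):
        print("ALERT side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

The same predicate maps directly onto a SIEM query or Sigma rule on the ImageLoad event source; the path allowlist is the part that keeps genuine NGen runs from paging anyone.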

The campaign demonstrates that regional APT groups continue developing custom tooling and expanding infrastructure. For organizations operating in South Asia, state-sponsored threats require dedicated detection engineering and threat intelligence investment.

We've covered similar regional APT activity in Chinese espionage campaigns affecting South Asia, and nation-state targeting of critical infrastructure fits the broader pattern of telecommunications sector targeting. International law enforcement continues pushing back—Interpol's Operation Sentinel recently arrested 574 individuals across Africa for cyber-enabled crimes.
