SloppyLemming Targets South Asian Governments with New Malware
Executive Summary
A threat activity cluster tracked as SloppyLemming (also tracked as Outrider Tiger and Fishing Elephant) has initiated a new campaign targeting government and critical infrastructure entities in Pakistan and Bangladesh. The campaign, active between January 2025 and January 2026, employs two attack chains to deploy two distinct malware payloads: a full-featured backdoor named BurrowShell and a new Rust-based keylogger. The adversary demonstrates an evolution in tooling, notably the adoption of the Rust programming language and a significant expansion of its Cloudflare Workers-based C2 infrastructure. The operation's TTPs and victimology align with intelligence collection priorities consistent with regional strategic competition.
Key Findings
Threat Actor & Victimology
SloppyLemming continues to focus its operations on South Asian targets. This campaign specifically targeted Pakistani nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure, alongside Bangladeshi energy utilities and financial institutions. The actor is assessed as operating with moderate capability, showing tactical flexibility by deploying different tools based on operational needs.
Dual Attack Chains
Two distinct infection vectors have been identified:
- BurrowShell Deployment: Spear-phishing emails distribute PDF lures containing URLs. These URLs lead to ClickOnce application manifests that deliver the BurrowShell implant through DLL side-loading: the legitimate NGenTask.exe executable loads a malicious mscorsvc.dll that acts as the loader.
- Keylogger Deployment: A second vector uses Excel documents with malicious macros to drop and execute the Rust-based keylogger payload.
Malware Analysis
- BurrowShell: A custom x64 shellcode implant providing full backdoor functionality. Its capabilities include file system manipulation, screenshot capture, remote shell execution, and SOCKS proxying for network tunneling. C2 traffic is obfuscated to masquerade as legitimate Windows Update service communications and is encrypted using RC4 with a 32-character key.
- Rust-based Keylogger: This malware is designed for information stealing and also incorporates features for port scanning and network enumeration, enabling further reconnaissance within compromised networks.
Infrastructure & Tool Evolution
The threat actor has significantly scaled its operational infrastructure, registering 112 Cloudflare Workers domains between January 2025 and January 2026, an eight-fold increase over the 13 domains reported in September 2024. These domains follow government-themed typo-squatting patterns. The adoption of Rust represents a notable evolution from the actor's previously observed use of traditional compiled languages and frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT.
Impact Assessment
The dual-payload strategy indicates the actor's intent to establish persistent C2 access with BurrowShell while simultaneously exfiltrating sensitive credentials and conducting network reconnaissance with the keylogger. The targeting of critical government and infrastructure sectors suggests that the primary objective is espionage and intelligence collection for strategic advantage. TTP overlaps with the SideWinder APT group, such as the use of ClickOnce, further highlight the sophisticated nature of threats in this region.
Mitigation & Recommendations
- Email Security: Enhance email gateway filtering to detect and block spear-phishing attempts, particularly those containing suspicious URLs or macro-enabled documents.
- Application Control: Restrict or monitor the execution of ClickOnce applications from untrusted sources. Implement policies to prevent unauthorized DLL side-loading, particularly involving processes like NGenTask.exe.
- Macro Security: Enforce Group Policy settings to disable or restrict macros from Office documents originating from the internet.
- Network Traffic Analysis: Monitor outbound traffic for anomalies, especially communications to Cloudflare Workers domains. Implement deep packet inspection to identify C2 traffic masquerading as legitimate services like Windows Update.
- Endpoint Detection & Response (EDR): Deploy EDR solutions with rules to detect shellcode execution, process injection, and behaviors associated with keylogging and screenshot capture.
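The network-monitoring recommendation above calls for watching outbound traffic to Cloudflare Workers domains that imitate government names. The following script is an added example written for this summary, not detection content from the report: it scans constructed "timestamp client host" log lines, keeps only hosts under the default .workers.dev suffix (Workers served from custom domains are not covered by this heuristic), and flags worker names that contain or sit within one edit of a hypothetical list of protected government labels (PROTECTED_LABELS is invented for the example). It uses optimal string alignment distance rather than plain Levenshtein so that an adjacent-letter swap such as "centralbnak" counts as a single edit.

```python
"""Flag Cloudflare Workers hostnames in outbound logs that imitate protected names.

Added example for this summary; it is not detection content from the report.
Assumptions: logs are whitespace-separated "timestamp client host" lines, and
PROTECTED_LABELS is a constructed, hypothetical list of the organisation's own
government domain labels that an attacker might imitate.
"""
import re
from typing import Optional, Tuple

WORKERS_SUFFIX = ".workers.dev"  # default Workers hostname suffix; custom domains are not covered
PROTECTED_LABELS = ["govportal", "nuclearreg", "energyboard", "centralbank"]  # hypothetical
MAX_DISTANCE = 1  # one typo or one adjacent transposition counts as a near miss


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so "centralbnak" is one edit from "centralbank" rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def worker_name(host: str) -> Optional[str]:
    """Return the leftmost label of a <worker>.<account>.workers.dev host, else None."""
    h = host.lower().rstrip(".")
    if not h.endswith(WORKERS_SUFFIX):
        return None
    return h[: -len(WORKERS_SUFFIX)].split(".")[0]


def match_protected(worker: str) -> Optional[Tuple[str, str]]:
    """Return (protected_label, reason) when the worker name imitates a protected label."""
    collapsed = re.sub(r"[-_]", "", worker)
    for label in PROTECTED_LABELS:
        if label in collapsed:
            return label, "contains"
    tokens = {t for t in re.split(r"[-_]", worker) if len(t) >= 4} | {collapsed}
    for token in tokens:
        for label in PROTECTED_LABELS:
            if osa_distance(token, label) <= MAX_DISTANCE:
                return label, "near-miss"
    return None


def hunt_workers_typosquats(lines) -> list:
    """Scan log lines; return one finding per Workers host that imitates a protected label."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, host = parts
        worker = worker_name(host)
        if worker is None:
            continue
        hit = match_protected(worker)
        if hit:
            findings.append({"time": ts, "client": client, "host": host.lower(),
                             "label": hit[0], "reason": hit[1]})
    return findings


# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.0.5 update.microsoft.com
2025-06-01T10:00:03Z 10.0.0.5 govportal-login.broken-sea-1234.workers.dev
2025-06-01T10:00:07Z 10.0.0.9 docs.example.org
2025-06-01T10:00:09Z 10.0.0.9 nuclearregg.quiet-hill-98.workers.dev
2025-06-01T10:00:12Z 10.0.0.12 weather-widget.demo.workers.dev
2025-06-01T10:00:15Z 10.0.0.12 centralbnak-secure.cold-lake-77.workers.dev
"""

if __name__ == "__main__":
    for f in hunt_workers_typosquats(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['client']} -> {f['host']} ({f['reason']} {f['label']})")
```

Run against the constructed log, the script reports the three imitation hosts and ignores the unrelated Workers host and the non-Workers traffic. In production the protected label list would be derived from the domains your organisation and its peers actually own, and the first-seen age of the hostname (the report notes the domains were newly registered) is a useful second signal to combine with the name match.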
Indicators of Compromise (IOCs)
Specific file hashes and C2 domains were not provided in the source report. However, security teams should hunt for the following patterns:
- Network: Connections to newly registered Cloudflare Workers domains with government-themed typo-squatting names.
- Endpoint: Execution of NGenTask.exe that loads a mscorsvc.dll from a non-standard location or that is unsigned. Malicious Excel macros initiating child processes.
- TTPs: Spear-phishing with PDF lures leading to ClickOnce executables (.application).
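The endpoint and TTP hunting patterns above can be expressed as checks over image-load and process-creation telemetry. The script below is an added example written for this summary, not detection logic from the report. It assumes JSON-lines events that use Sysmon field names (EventID 7 for image loads, EventID 1 for process creation, with Image, ImageLoaded, ParentImage and Signed); the records are constructed, the legitimate home of NGenTask.exe and mscorsvc.dll is assumed to be the .NET Framework directories in FRAMEWORK_DIRS, and dfsvc.exe (the ClickOnce deployment host, a known Windows binary not named in the report) is used to tie the ClickOnce launch to the side-loaded process.

```python
"""Hunt Sysmon-style endpoint events for the NGenTask.exe / mscorsvc.dll side-load,
ClickOnce launch and Excel-macro child-process patterns described above.

Added example for this summary, not detection content from the report.
Assumptions: events are JSON lines using Sysmon field names (EventID, Image,
ImageLoaded, ParentImage, Signed); the records below are constructed; and the
legitimate home of NGenTask.exe and mscorsvc.dll is assumed to be the .NET
Framework directories in FRAMEWORK_DIRS.
"""
import json
import ntpath

FRAMEWORK_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                  "c:\\windows\\microsoft.net\\framework64\\")
# Shells and script hosts a macro typically spawns; Excel launching any of these is
# the "malicious Excel macros initiating child processes" pattern.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
CLICKONCE_HOST = "dfsvc.exe"  # ClickOnce deployment host (known Windows binary, not named in the report)


def _base(path) -> str:
    return ntpath.basename(path or "").lower()


def _in_framework_dir(path) -> bool:
    p = (path or "").lower()
    return any(p.startswith(d) for d in FRAMEWORK_DIRS)


def check_event(ev: dict) -> list:
    """Return the names of the hunting patterns this single event matches."""
    findings = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    if eid == 7 and _base(image) == "ngentask.exe" and _base(ev.get("ImageLoaded")) == "mscorsvc.dll":
        # Image load: the legitimate NGenTask.exe pulls a signed mscorsvc.dll from the framework directory.
        if not _in_framework_dir(ev.get("ImageLoaded")):
            findings.append("ngentask_sideload_path")
        if str(ev.get("Signed", "")).lower() != "true":
            findings.append("ngentask_sideload_unsigned")
    if eid == 1 and _base(image) == "ngentask.exe":
        # Process creation: a copy of NGenTask.exe placed beside a malicious DLL runs outside the framework directory.
        if not _in_framework_dir(image):
            findings.append("ngentask_outside_framework")
        if _base(parent) == CLICKONCE_HOST:
            findings.append("clickonce_launched_ngentask")
    if eid == 1 and _base(parent) == "excel.exe" and _base(image) in SUSPICIOUS_CHILDREN:
        findings.append("excel_spawned_child")
    return findings


def hunt_events(lines) -> list:
    """Parse JSON lines; return (line_no, image, findings) for every event that matched."""
    results = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a bad record instead of aborting the whole hunt
        found = check_event(ev)
        if found:
            results.append((n, ev.get("Image", ""), found))
    return results


# Constructed Sysmon-like records (raw string so the JSON keeps its "\\" path separators).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\NGenTask.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvc.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\ABCD1234\\NGenTask.exe", "ParentImage": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\ABCD1234\\NGenTask.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\ABCD1234\\mscorsvc.dll", "Signed": "false"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for line_no, image, found in hunt_events(SAMPLE_EVENTS.splitlines()):
        print(f"line {line_no}: {image} -> {', '.join(found)}")
```

The first constructed record, a signed mscorsvc.dll loaded by NGenTask.exe from the framework directory, produces no finding; that is the baseline the other checks are measured against. The path check alone would miss an attacker who overwrites the DLL in place, which is why the signature status is evaluated independently, and the ClickOnce parent check is what distinguishes this report's delivery chain from other abuse of the same loader.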