
SloppyLemming Targets Pakistan and Bangladesh Governments Using Two Malware Attack Chains

Ravie Lakshmanan | Mar 03, 2026 | Malware / Phishing

The threat activity cluster known as SloppyLemming has been attributed to a new set of attacks against government organizations and critical infrastructure operators in Pakistan and Bangladesh.

The operation, according to Arctic Wolf, took place between January 2025 and January 2026. It involves two different attack chains that deliver malware families including BurrowShell and a Rust-based keylogger.

“The use of the Rust programming language represents a significant shift in SloppyLemming’s tooling, as prior reporting documented the actor using only natively compiled languages and adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT,” the cybersecurity company said in a report shared with The Hacker News.

SloppyLemming is a moniker assigned to a threat actor known to target government, law enforcement, energy, telecommunications, and technology organizations in Pakistan, Sri Lanka, Bangladesh, and China since at least 2022. It is also tracked under the names Outrider Tiger and Fishing Elephant.

Previous campaigns mounted by the hacking group used malware families such as Ares RAT and WarHawk, which are commonly associated with SideCopy and SideWinder, respectively.

Arctic Wolf’s analysis of the recent attacks revealed the use of phishing emails to deliver PDF decoys and macro-enabled Excel documents that start the infection chains. It described the threat actor as operating with limited sophistication.

The PDF decoys contain URLs designed to lead victims to a ClickOnce application manifest, which then drops a legitimate Microsoft .NET runtime executable (“NGenTask.exe”) alongside a malicious loader (“mscorsvc.dll”). The loader is launched via DLL sideloading and extracts and executes the x64 shellcode for the implant codenamed BurrowShell.

“BurrowShell is a full-featured backdoor that provides the threat actor with file system manipulation, screenshot capabilities, remote shell execution, and SOCKS proxy capabilities for network pivoting,” Arctic Wolf said. “The implant disguises its command-and-control (C2) traffic as Windows Update service connections and uses RC4 encryption with a 32-character key to protect the payload.”
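The RC4-with-a-32-character-key scheme described above is simple enough to reproduce end to end. The following is an added example, not BurrowShell's code and not from Arctic Wolf's report: it implements RC4 (key scheduling plus keystream generation), encrypts a constructed JSON check-in message with a hypothetical 32-character key, and shows the analyst-side step of testing a candidate key (for instance one recovered from a sample's configuration) against a captured blob. The key, the message layout and the sample beacon are all assumptions made for the example.

```python
"""RC4-protected C2 message handling, as an illustration of the scheme the
report describes. Added example; not the implant's code. The key, the JSON
message layout and the sample beacon below are constructed assumptions."""
import json
from typing import Optional

# Hypothetical 32-character key; the real key is not published on the page.
ASSUMED_KEY = b"0123456789abcdef0123456789abcdef"


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute the 256-byte state S by the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 XORs data with the PRGA keystream, so the
    same call serves both directions."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_beacon(host: str, user: str, key: bytes = ASSUMED_KEY) -> bytes:
    """Constructed implant-side check-in: a JSON body encrypted with RC4.
    The field names are assumptions, not the implant's real format."""
    body = json.dumps({"host": host, "user": user, "cmd": "checkin"}).encode()
    return rc4_crypt(key, body)


def try_decrypt(blob: bytes, key: bytes) -> Optional[dict]:
    """Analyst-side check: decrypt a captured blob with a candidate key and
    return the parsed message only if it yields a well-formed JSON object."""
    try:
        parsed = json.loads(rc4_crypt(key, blob).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return parsed if isinstance(parsed, dict) else None


if __name__ == "__main__":
    captured = build_beacon("WS01", "analyst")  # constructed "captured" traffic
    print("ciphertext:", captured.hex())
    print("with right key:", try_decrypt(captured, ASSUMED_KEY))
    print("with wrong key:", try_decrypt(captured, b"x" * 32))
```

Two points worth noting for detection and response. First, the correctness of `rc4_crypt` can be checked against the standard published RC4 test vector (key `Key`, plaintext `Plaintext` gives `bbf316e8d940af0ad3`), so a decoder written from a sample can be validated before it is trusted against real captures. Second, RC4 with a static key provides no integrity and reuses the same keystream for every message, so once the key is recovered from one sample it decrypts every captured session, and even without the key the XOR of two ciphertexts reveals the XOR of the plaintexts.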

The second attack chain uses Excel documents containing malicious macros to drop the keylogger, which also incorporates features to perform port scanning and network enumeration.

Further investigation of the threat actor’s infrastructure identified 112 Cloudflare Workers domains registered over a one-year period, an eight-fold jump from the 13 domains flagged by Cloudflare in September 2024.

The campaign’s links to SloppyLemming are based on the continued abuse of Cloudflare Workers infrastructure with government-themed typosquatting patterns, Havoc C2 framework deployments, DLL sideloading techniques, and targeting patterns.

It is worth noting that some aspects of the threat actor’s tradecraft, including the use of ClickOnce-based execution, overlap with a SideWinder campaign documented by Trellix in October 2025.

“In particular, the targeting of Pakistan’s nuclear regulatory agencies, defense organizations, and telecommunications infrastructure – as well as Bangladeshi energy resources and financial institutions – is consistent with strategic intelligence gathering related to regional competition in South Asia,” Arctic Wolf said.

“The deployment of two payloads – the in-memory BurrowShell shellcode with C2 and SOCKS proxy functionality, and a Rust-based keylogger for information theft – suggests that the threat actor maintains the flexibility to deploy appropriate tooling based on target value and operational requirements.”
