A suspected India-aligned cyber group, dubbed SloppyLemming, has been actively executing an espionage operation targeting various sectors in Pakistan and Bangladesh. These include government bodies, defense sectors, and critical infrastructure operators.
Details of the Campaign
Since 2021, SloppyLemming, also known by aliases Outrider Tiger and Fishing Elephant, has been deploying sophisticated malware tools. Between January 2025 and January 2026, they introduced two notable tools: a backdoor named BurrowShell and a Rust-based remote access trojan (RAT) with keylogging functionalities.
The attackers utilized two distinct spear-phishing methods to penetrate systems. The first method involved PDF documents with a blurred appearance accompanied by a deceptive “Download file” button, leading victims to a ClickOnce application that installed a multi-stage malware chain.
Attack Strategies and Tools
The second spear-phishing technique employed macro-enabled Excel spreadsheets. When opened, these sheets downloaded malicious payloads from attacker servers. Arctic Wolf researchers linked both strategies as part of a coordinated assault, utilizing DLL search order hijacking to execute malware within trusted Microsoft processes.
SloppyLemming’s infrastructure showed substantial growth, with Arctic Wolf tracing 112 Cloudflare Workers domains registered between January 2025 and January 2026. These domains mimicked legitimate government entities in Pakistan and Bangladesh, with registrations peaking in July 2025.
BurrowShell and Rust RAT Mechanics
The BurrowShell implant is in-memory shellcode delivered through the ClickOnce method. The chain starts with a malicious DLL, mscorsvc.dll, placed alongside a legitimate Microsoft .NET binary so that the binary loads it in place of the genuine library (the DLL search order hijacking noted above). If the malware’s checks confirm it is running inside the expected process, it establishes persistence by modifying system registry entries and decrypts an encrypted payload, BurrowShell, directly into memory.
Once operational, BurrowShell communicates with command-and-control servers, camouflaging its traffic as Windows Update. The Rust-based RAT, delivered via Excel macros, enhances capabilities by logging keystrokes and performing network scans.
Defensive Measures and Recommendations
Organizations in affected sectors should adopt specific cybersecurity measures. Blocking PDFs with embedded URLs, disabling macro execution in received documents, monitoring connections to suspicious domains, and inspecting encrypted traffic are crucial steps.
Further, endpoint security should alert on unusual DLL loading and registry modifications. Continuous security training is vital, as both attack strategies depend on user actions like clicking links or enabling macros.
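The three behaviours the article ties to this campaign (a system-named DLL loaded from a user-writable directory, a Run-key write by an untrusted process, and DNS lookups for government-lookalike Cloudflare Workers hostnames) can each be expressed as a simple triage rule over endpoint telemetry. The script below is an added illustration, not code from Arctic Wolf or from the article: it runs over constructed Sysmon-style JSON events (image load, registry set-value and DNS query). The trusted-path roots, the DLL watchlist (seeded only with the mscorsvc.dll name the article cites), the government-like tokens and the `.workers.dev` suffix are all assumptions chosen for the example.

```python
"""Triage Sysmon-style events for the behaviours described in the article."""
import json
import re
from typing import Iterable, Optional

# Constructed sample telemetry (Sysmon field names); not real events from the campaign.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\X1\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Apps\2.0\X1\mscorsvc.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll", "Signed": "true"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\X1\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Apps\2.0\X1\updater.exe"},
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\X1\updater.exe",
     "QueryName": "pk-gov-portal.example.workers.dev"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
])

# Assumption: binaries and libraries under these roots are treated as trusted locations.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: DLL names whose legitimate copy lives under C:\Windows; only the name from
# the article is listed here, a real deployment would extend this list.
SIDELOAD_WATCHLIST = {"mscorsvc.dll"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
WORKERS_SUFFIX = ".workers.dev"
# Assumption: tokens that make a Workers hostname look like a Pakistani or Bangladeshi agency.
GOV_TOKENS = ("gov", "govt", "ministry", "cabinet", "-pk", "pk-", "-bd", "bd-")


def in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def check_image_load(ev: dict) -> Optional[str]:
    """Event 7: a watchlisted DLL name resolved from outside a trusted root."""
    dll = ev["ImageLoaded"]
    name = dll.rsplit("\\", 1)[-1].lower()
    if name in SIDELOAD_WATCHLIST and not in_trusted_root(dll):
        return f"possible DLL sideload: {name} loaded from {dll} by {ev['Image']}"
    return None


def check_registry(ev: dict) -> Optional[str]:
    """Event 13: a Run/RunOnce value written by a process outside a trusted root."""
    if (ev.get("EventType") == "SetValue"
            and RUN_KEY_RE.search(ev["TargetObject"])
            and not in_trusted_root(ev["Image"])):
        return (f"run-key persistence by untrusted process {ev['Image']}: "
                f"{ev['TargetObject']} -> {ev['Details']}")
    return None


def check_dns(ev: dict) -> Optional[str]:
    """Event 22: a Workers hostname whose label contains a government-like token."""
    q = ev["QueryName"].lower()
    if q.endswith(WORKERS_SUFFIX):
        label = q[:-len(WORKERS_SUFFIX)]
        if any(t in label for t in GOV_TOKENS):
            return f"government-lookalike Workers domain queried by {ev['Image']}: {q}"
    return None


CHECKS = {7: check_image_load, 13: check_registry, 22: check_dns}


def triage(lines: Iterable[str]) -> list:
    """Return one alert string per event that matches a rule, in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev.get("EventID"))
        if check is None:
            continue
        alert = check(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS.splitlines()):
        print(a)
```

Run against the constructed events the script raises three alerts: the unsigned mscorsvc.dll loaded from the ClickOnce-style AppData directory, the Run-key write by that same binary, and the Workers lookup whose label contains "gov"; the genuine mscorsvc.dll load from under C:\Windows and the ordinary browser lookup pass silently. The rules are deliberately narrow so they are cheap to run continuously; a real deployment would widen the watchlist and tune the tokens against its own baseline.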
