SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains

SloppyLemming Unleashes Dual Malware Assault on South Asian Nations in 2025-2026 Cyber Onslaught

In a chilling escalation of cyber warfare, the elusive threat actor known as SloppyLemming has launched a sophisticated, multi-pronged malware campaign targeting critical government and infrastructure entities across Pakistan and Bangladesh. Cybersecurity powerhouse Arctic Wolf has exposed this alarming operation, which ran from January 2025 to January 2026, revealing a calculated assault that blends cutting-edge programming languages with classic social engineering tactics.

A New Era of Digital Espionage: Rust Enters the Battlefield

For years, SloppyLemming operated in the shadows, relying on traditional compiled languages and borrowed frameworks like Cobalt Strike, Havoc, and the infamous NekroWire RAT. But this campaign marks a pivotal shift—the introduction of Rust-based malware, signaling a dangerous evolution in the group’s capabilities. This move isn’t just technical; it’s strategic, reflecting a willingness to innovate and adapt in the ever-escalating cyber arms race.

The group, also tracked under the monikers Outrider Tiger and Fishing Elephant, has long targeted government, law enforcement, energy, telecommunications, and technology sectors in Pakistan, Sri Lanka, Bangladesh, and China. Now, their sights are set on even more sensitive targets, including Pakistan’s nuclear regulatory bodies and defense logistics organizations, as well as Bangladesh’s energy utilities and financial institutions.

The Anatomy of a Cyber Attack: Two Chains, Two Threats

SloppyLemming’s latest campaign is a masterclass in multi-vector cyber warfare, employing two distinct attack chains to maximize impact and evade detection.

Chain One: The PDF Deception

The first attack vector begins with a spear-phishing email, a classic but highly effective tactic. Victims are lured by PDF documents that appear legitimate but contain URLs designed to redirect them to ClickOnce application manifests. These manifests deploy a legitimate Microsoft .NET runtime executable, “NGenTask.exe,” alongside a malicious loader, “mscorsvc.dll.”

Here’s where the sophistication kicks in: the legitimate NGenTask.exe side-loads the malicious mscorsvc.dll, which decrypts and executes a custom x64 shellcode implant codenamed BurrowShell. This isn’t just any backdoor—it’s a full-featured espionage tool capable of file system manipulation, screenshot capture, remote shell execution, and even SOCKS proxy capabilities for network tunneling.

What makes BurrowShell particularly insidious is its ability to masquerade command-and-control (C2) traffic as Windows Update service communications, effectively blending in with normal network activity. To further protect its payload, the malware employs RC4 encryption with a 32-character key, making it a formidable adversary for even the most advanced security systems.
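The side-loading step described above leaves a simple host-level trace: a copy of NGenTask.exe running from somewhere other than the .NET Framework directory, and an mscorsvc.dll loaded from that same non-standard location. The following script is an added example for defenders, written for this page and not taken from the article or from Arctic Wolf’s report. It walks a handful of constructed Sysmon-style process-creation and image-load events and flags the pattern. The trusted .NET directories, the event field names (`EventType`, `Image`, `ImageLoaded`) and the sample paths (including the ClickOnce-style `AppData\Local\Apps\2.0` directory) are assumptions for illustration and should be adapted to your telemetry.

```python
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

# Assumed standard .NET Framework install directories. The genuine NGenTask.exe and
# mscorsvc.dll live here; the same file names anywhere else are suspicious.
TRUSTED_DOTNET_DIRS = {
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
}


def _split(path):
    """Return (lower-cased directory, lower-cased file name) for a Windows path."""
    directory, name = ntpath.split(path.strip().lower())
    return directory.rstrip("\\"), name


def analyze_events(events):
    """Scan Sysmon-style events and return a list of alert dicts.

    Rule 1: NGenTask.exe started from outside the .NET Framework directories.
    Rule 2: mscorsvc.dll loaded from outside those directories (side-loading),
            noting whether it sits beside the host process, as in DLL side-loading.
    """
    alerts = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            proc_dir, proc_name = _split(ev["Image"])
            if proc_name == "ngentask.exe" and proc_dir not in TRUSTED_DOTNET_DIRS:
                alerts.append({
                    "rule": "ngentask-untrusted-dir",
                    "image": ev["Image"],
                    "reason": "NGenTask.exe launched from outside the .NET Framework directory",
                })
        elif kind == "ImageLoad":
            proc_dir, _ = _split(ev["Image"])
            dll_dir, dll_name = _split(ev["ImageLoaded"])
            if dll_name == "mscorsvc.dll" and dll_dir not in TRUSTED_DOTNET_DIRS:
                same_dir = dll_dir == proc_dir
                alerts.append({
                    "rule": "mscorsvc-sideload",
                    "image": ev["Image"],
                    "dll": ev["ImageLoaded"],
                    "reason": "mscorsvc.dll loaded from outside the .NET Framework directory"
                              + (" (same directory as host process)" if same_dir else ""),
                })
    return alerts


# Constructed sample telemetry: two benign events, then a ClickOnce-style deployment
# directory hosting both the renamed-legitimate EXE and the malicious DLL.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"},
    {"EventType": "ImageLoad",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD1234.567\NGenTask.exe"},
    {"EventType": "ImageLoad",
     "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD1234.567\NGenTask.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD1234.567\mscorsvc.dll"},
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["reason"], "|", alert["image"])
```

The two benign events produce nothing, while the user-profile copies trigger both rules. In production the same logic maps onto an EDR query (image name equals `NGenTask.exe` and path not under `\Microsoft.NET\Framework*`), which is cheaper than trying to signature the RC4-encrypted payload itself.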

Chain Two: The Excel Trap

The second attack chain is equally devious, leveraging Excel documents containing malicious macros to drop a Rust-based keylogger. But this isn’t just a simple keylogger—it’s a multifunctional tool that also conducts port scanning and network enumeration, providing the attackers with a comprehensive view of their target’s digital infrastructure.

A Web of Deception: Cloudflare Workers and Typo-Squatting

Arctic Wolf’s investigation uncovered a staggering 112 Cloudflare Workers domains registered during the campaign’s one-year timeframe—an eight-fold increase from the 13 domains flagged by Cloudflare in September 2024. This rapid expansion of infrastructure underscores the scale and sophistication of SloppyLemming’s operations.

The campaign’s links to SloppyLemming are further cemented by the continued abuse of Cloudflare Workers infrastructure with government-themed typo-squatting patterns, the deployment of the Havoc C2 framework, and consistent victimology patterns. These tactics not only demonstrate the group’s technical prowess but also their deep understanding of social engineering and psychological manipulation.
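Because the infrastructure pattern (workers.dev hostnames dressed up to look like government sites) is consistent across the campaign, it is also something a network defender can hunt for in DNS or proxy logs. The script below is an added example written for this page, not code from the article or from Arctic Wolf or Cloudflare. It scans constructed hostnames, keeps only those under `workers.dev`, and flags a worker name that is either within a small edit distance of an entry on a watchlist of legitimate government host names or contains a government-themed keyword. The watchlist, the keyword list and the sample hostnames are all illustrative assumptions; replace them with the domains your organisation actually cares about.

```python
# Constructed watchlist of legitimate government-style host labels (hyphens stand in
# for the dots of the real domains). Illustrative only; populate from your own list.
WATCHLIST = ["cabinet-gov-pk", "mod-gov-pk", "mof-gov-bd"]

# Constructed keyword list for government-themed lures.
GOV_KEYWORDS = ["gov", "govt", "ministry", "secretariat", "cabinet", "defence", "defense"]

WORKERS_SUFFIX = ".workers.dev"


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _normalize(label):
    """Drop separators so 'cabinet-gov-pk' and 'cabinet_gov.pk' compare equal."""
    return label.lower().replace("-", "").replace("_", "")


def flag_hostnames(hostnames, watchlist=WATCHLIST, keywords=GOV_KEYWORDS, max_distance=2):
    """Return [(hostname, reason)] for workers.dev hosts that look government-themed."""
    hits = []
    for host in hostnames:
        host = host.strip().lower().rstrip(".")
        if not host.endswith(WORKERS_SUFFIX):
            continue                                   # only hunting Workers hostnames here
        worker_name = host[: -len(WORKERS_SUFFIX)].split(".")[0]  # <name>.<account>.workers.dev
        norm = _normalize(worker_name)
        reason = None
        for legit in watchlist:
            dist = levenshtein(norm, _normalize(legit))
            if dist <= max_distance:
                reason = f"lookalike of watchlist entry {legit} (edit distance {dist})"
                break
        if reason is None:
            for kw in keywords:
                if kw in worker_name:
                    reason = f"government-themed keyword '{kw}' in worker name"
                    break
        if reason:
            hits.append((host, reason))
    return hits


# Constructed sample hostnames as they might appear in a DNS or proxy log.
SAMPLE_HOSTNAMES = [
    "cabinet-gov-pk.alpha.workers.dev",   # exact watchlist lookalike
    "cabnet-gov-pk.beta.workers.dev",     # one-character typo-squat
    "ministry-portal.gamma.workers.dev",  # keyword hit only
    "weather-widget.delta.workers.dev",   # benign worker
    "cabinet-gov-pk.example.com",         # not a Workers host; out of scope here
]

if __name__ == "__main__":
    for host, reason in flag_hostnames(SAMPLE_HOSTNAMES):
        print(f"{host}: {reason}")
```

Run against real logs this will produce some benign matches (legitimate Workers deployments do use words like "portal"), so treat the output as a hunting lead to enrich with first-seen date and the requesting hosts rather than as a blocking rule on its own.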

Echoes of Past Campaigns: SideWinder Connections

Interestingly, some aspects of SloppyLemming’s tradecraft bear striking similarities to a recent SideWinder campaign documented by Trellix in October 2025. Both groups employ ClickOnce-enabled execution, suggesting a potential overlap in tactics or even collaboration between these threat groups.

The Bigger Picture: Strategic Competition in South Asia

The targeting of Pakistani nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure—alongside Bangladeshi energy utilities and financial institutions—aligns with intelligence collection priorities consistent with regional strategic competition in South Asia. This isn’t just cybercrime; it’s cyber espionage with geopolitical implications.

The deployment of dual payloads—the in-memory shellcode BurrowShell for C2 and SOCKS proxy operations, and the Rust-based keylogger for information stealing—suggests that SloppyLemming maintains flexibility to deploy appropriate tools based on target value and operational requirements. This adaptability is a hallmark of advanced persistent threat (APT) groups and underscores the need for equally sophisticated defensive measures.

Conclusion: A Wake-Up Call for Cybersecurity

The SloppyLemming campaign is more than just a series of cyber attacks; it’s a wake-up call for governments, businesses, and individuals alike. As cyber threats become increasingly sophisticated, the need for robust, multi-layered security strategies has never been more critical. From advanced threat detection systems to employee training on phishing awareness, the fight against cybercrime requires a comprehensive, proactive approach.

As we move further into the digital age, one thing is clear: the battle for cybersecurity is far from over. Groups like SloppyLemming are constantly evolving, and it’s up to us to stay one step ahead. The question is, are we ready for the next wave of cyber warfare?
