SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
Source: The Hacker News
Ravie Lakshmanan
Mar 03, 2026 – Malware / Phishing

Overview
The threat‑activity cluster SloppyLemming has launched a new wave of attacks against government entities and critical‑infrastructure operators in Pakistan and Bangladesh. Arctic Wolf’s investigation shows the campaign ran from January 2025 through January 2026 and employed two distinct attack chains delivering the BurrowShell backdoor and a Rust‑based keylogger.
“The use of the Rust programming language represents a notable evolution in SloppyLemming’s tooling, as prior reporting documented the actor using only traditional compiled languages and borrowed adversary‑simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT,” the cybersecurity company said in a report shared with The Hacker News【https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/】.

Threat Actor Profile
- Name: SloppyLemming (also known as Outrider Tiger【https://www.crowdstrike.com/en-us/adversaries/outrider-tiger/】 and Fishing Elephant)
- Targets: Government, law‑enforcement, energy, telecommunications, and technology sectors in Pakistan, Sri Lanka, Bangladesh, and China (activity documented since at least 2022).
- Previous malware: Ares RAT and WarHawk, linked to SideCopy and SideWinder, respectively.
- Capability level: Moderate (as assessed by Arctic Wolf).
Attack Chains
1. PDF Lure Chain
- Delivery: Spear‑phishing emails with malicious PDF attachments.
- Execution: PDFs contain URLs that launch ClickOnce application manifests, which install:
  - A legitimate Microsoft .NET runtime executable (NGenTask.exe)
  - A malicious loader (mscorsvc.dll)
- Technique: DLL side‑loading loads the malicious DLL, which decrypts and runs a custom x64 shellcode implant named BurrowShell.

“BurrowShell is a full‑featured backdoor providing the threat actor with file‑system manipulation, screenshot capture, remote shell execution, and SOCKS‑proxy capabilities for network tunneling,” Arctic Wolf said. “The implant masquerades its command‑and‑control (C2) traffic as Windows Update service communications and employs RC4 encryption with a 32‑character key for payload protection.”
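The loader's "RC4 with a 32‑character key" detail is the one piece of the payload protection an analyst can act on directly. The following is an added example, not Arctic Wolf's or the actor's code: a plain RC4 routine, a decryptor that enforces the 32‑byte key length, and a helper that harvests every 32‑character printable string from a dumped loader image and tries each as the key. The key, the "encrypted" blob, the fake loader image and the acceptance check are all constructed for the example; nothing about BurrowShell's real key, blob layout or shellcode is assumed beyond "RC4, 32‑character key".

```python
"""RC4 payload recovery for a loader that protects its shellcode with a
32-character key. Added example; all sample data below is constructed."""
import re
from typing import Callable, Iterator, Optional

KEY_LEN = 32  # from the report: "RC4 encryption with a 32-character key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4. It is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """Decrypt an RC4-protected blob, refusing keys of the wrong length."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key, got {len(key)}")
    return rc4(key, blob)


def key_candidates(loader_image: bytes) -> Iterator[bytes]:
    """Yield every 32-byte window of each printable-ASCII run in a loader
    image. A 32-character key stored as a plain string is one such window."""
    for m in re.finditer(rb"[\x21-\x7e]{%d,}" % KEY_LEN, loader_image):
        run = m.group(0)
        for off in range(len(run) - KEY_LEN + 1):
            yield run[off:off + KEY_LEN]


def recover_payload(loader_image: bytes, blob: bytes,
                    accept: Callable[[bytes], bool]) -> Optional[bytes]:
    """Try each candidate key; return the first plaintext that `accept` likes."""
    for key in key_candidates(loader_image):
        plain = decrypt_payload(blob, key)
        if accept(plain):
            return plain
    return None


# --- constructed sample: stands in for a dumped loader and its blob --------
SAMPLE_KEY = b"Q7vX2kLm9pZs4RtB1nWc8yHd6fGj3aEu"      # 32 chars, invented
SAMPLE_PLAIN = b"\x48\x83\xec\x28" + b"CONSTRUCTED-SHELLCODE-STAND-IN"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)
# Fake loader image: padding, an unrelated short string, the key, padding.
SAMPLE_LOADER = (b"\x00" * 16 + b"Windows Update Agent" + b"\x00" * 4
                 + SAMPLE_KEY + b"\x00" * 8)


def looks_like_sample(plain: bytes) -> bool:
    """Acceptance check for the constructed sample only. On a real dump you
    would test for a known prologue or hand the bytes to a disassembler."""
    return plain.startswith(b"\x48\x83\xec\x28")


if __name__ == "__main__":
    recovered = recover_payload(SAMPLE_LOADER, SAMPLE_BLOB, looks_like_sample)
    print("recovered:", recovered)
```

The candidate harvester deliberately yields every 32‑byte window of longer printable runs, since a key embedded next to other text is not null‑terminated in any predictable way; the cost is a handful of extra RC4 passes, which is negligible next to manual key hunting.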
2. Excel Macro Lure Chain
- Delivery: Spear‑phishing emails with macro‑enabled Excel documents.
- Payload: Malicious macros drop a Rust‑based keylogger and also perform port scanning and network enumeration.
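The PDF chain leaves two telemetry artifacts a defender can pivot on: a copy of NGenTask.exe running from a ClickOnce install location rather than the .NET Framework directory, and that copy loading an mscorsvc.dll that is neither in the framework directory nor signed. The following is an added example, not Arctic Wolf's or The Hacker News' code, that runs that logic over Sysmon‑style process‑creation (Event ID 1) and image‑load (Event ID 7) records in JSON‑lines form. The sample events are constructed; the legitimate .NET Framework directories, the ClickOnce host process name (dfsvc.exe) and the %LOCALAPPDATA%\Apps\2.0 install path are assumptions about ClickOnce and .NET, not facts from the report.

```python
"""Hunt for the ClickOnce-delivered NGenTask.exe / mscorsvc.dll side-load.
Added example; sample telemetry below is constructed, not victim data."""
import json
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumption: genuine NGenTask.exe and mscorsvc.dll live only in these
# .NET Framework directories; same-named files elsewhere are suspect.
LEGIT_DOTNET_DIRS = {
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
}
HOST_EXE = "ngentask.exe"        # signed .NET host named in the report
SIDELOADED_DLL = "mscorsvc.dll"  # malicious loader name from the report
CLICKONCE_HOST = "dfsvc.exe"     # assumption: ClickOnce deployment host process


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def classify(ev: dict) -> Optional[str]:
    """Return why an event matches the side-load pattern, or None."""
    eid = ev.get("EventID")
    reasons: List[str] = []
    if eid == 1 and _name(ev["Image"]) == HOST_EXE:            # process creation
        if _dir(ev["Image"]) not in LEGIT_DOTNET_DIRS:
            reasons.append("NGenTask.exe running outside the .NET Framework directory")
        if _name(ev.get("ParentImage", "")) == CLICKONCE_HOST:
            reasons.append("spawned by ClickOnce host dfsvc.exe")
    elif (eid == 7 and _name(ev["Image"]) == HOST_EXE          # image load
          and _name(ev["ImageLoaded"]) == SIDELOADED_DLL):
        if _dir(ev["ImageLoaded"]) not in LEGIT_DOTNET_DIRS:
            reasons.append("mscorsvc.dll loaded from outside the .NET Framework directory")
        if str(ev.get("Signed", "")).lower() != "true":
            reasons.append("loaded mscorsvc.dll is unsigned")
    return "; ".join(reasons) or None


def hunt(jsonl: str) -> List[dict]:
    """Run classify() over JSON-lines telemetry and collect the hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            hits.append({"EventID": ev["EventID"], "Image": ev["Image"], "reason": reason})
    return hits


# Constructed sample telemetry. The ClickOnce cache path under
# %LOCALAPPDATA%\Apps\2.0 is an assumption about where ClickOnce installs land.
_FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
_CO = r"C:\Users\victim\AppData\Local\Apps\2.0\ABCD.EFG\HIJK.LMN"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": _FW + r"\NGenTask.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},         # benign
    {"EventID": 1, "Image": _CO + r"\NGenTask.exe",
     "ParentImage": _FW + r"\dfsvc.exe"},                        # hit
    {"EventID": 7, "Image": _FW + r"\NGenTask.exe",
     "ImageLoaded": _FW + r"\mscorsvc.dll", "Signed": "true"},   # benign
    {"EventID": 7, "Image": _CO + r"\NGenTask.exe",
     "ImageLoaded": _CO + r"\mscorsvc.dll", "Signed": "false"},  # hit
])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Matching on path and signature rather than on a file hash is deliberate: the report describes the host executable as a legitimate Microsoft binary, so its hash is clean by construction, and the malicious DLL's hash changes per build. The location and signing state of the pair are what the side‑loading technique cannot hide.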
Infrastructure
- Cloudflare Workers: 112 domains registered during the campaign period, an eight‑fold increase from the 13 domains flagged by Cloudflare in September 2024.
- Typo‑squatting: Government‑themed domains used for phishing lures.
- C2 Framework: Deployment of the Havoc framework【https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.html】.
- Techniques: DLL side‑loading, ClickOnce‑based execution, and dual‑payload deployment.

Attribution and Tradecraft Overlap
- Commonalities with SloppyLemming:
  - Continued use of Cloudflare Workers with typo‑squatting.
  - DLL side‑loading.
  - Victimology matching previous campaigns.
- Overlap with SideWinder:
  - ClickOnce‑enabled execution techniques observed in a SideWinder campaign documented by Trellix (Oct 2025)【https://thehackernews.com/2025/10/sidewinder-adopts-new-clickonce-based.html】.
“In particular, the targeting of Pakistani nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure—alongside Bangladeshi energy utilities and financial institutions—aligns with intelligence‑collection priorities consistent with regional strategic competition in South Asia,” Arctic Wolf said.
“The deployment of dual payloads—the in‑memory shellcode BurrowShell for C2 and SOCKS proxy operations, and a Rust‑based keylogger for information stealing—suggests the threat actor maintains flexibility to deploy appropriate tools based on target value and operational requirements.”
Source: Arctic Wolf report (shared with The Hacker News)