Cyber: Sloppylemming Targets Pakistan And Bangladesh Governments Using...

The threat activity cluster known as SloppyLemming has been attributed to a fresh set of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh.

The activity, per Arctic Wolf, took place between January 2025 and January 2026. It involves the use of two distinct attack chains to deliver malware families tracked as BurrowShell and a Rust-based keylogger.

"The use of the Rust programming language represents a notable evolution in SloppyLemming’s tooling, as prior reporting documented the actor using only traditional compiled languages and borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT," the cybersecurity company said in a report shared with The Hacker News.

SloppyLemming is the moniker assigned to a threat actor that's known to target government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Sri Lanka, Bangladesh, and China since at least 2022. It's also tracked under the names Outrider Tiger and Fishing Elephant.

Prior campaigns mounted by the hacking crew have leveraged malware families like Ares RAT and WarHawk, which are often attributed to SideCopy and SideWinder, respectively.

ArcticWolf's analysis of the latest attacks has uncovered the use of spear-phishing emails to deliver PDF lures and macro-enabled Excel documents to kick-start the infection chains. It described the threat actor as operating with moderate capability.

The PDF decoys contain URLs designed to lead victims to ClickOnce application manifests, which then deploy a legitimate Microsoft .NET runtime executable ("NGenTask.exe") and a malicious loader ("mscorsvc.dll"). The loader is launched using DLL side-loading to decrypt and execute a custom x64 shellcode implant codenamed BurrowShell.

"BurrowShell is a full-featured backdoor providing the threat actor with file system manipulation, screenshot capture capabilities, remote shell execution, and SOCKS proxy capabilities for network tunneling," Arctic Wolf said. "The implant masquerades its command-and-control (C2) traffic as Windows Update service communications and employs RC4 encryption with a 32-character key for payload protection."

The second attack chain employs Excel documents containing malicious macros to drop the keylogger malware, while also incorporating features to conduct port scanning and network enumeration.

Further investigation of the threat actor's infrastructure has identified

Source: The Hacker News