SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
#Security

Security Reporter
3 min read

SloppyLemming, a threat actor active since 2022, has launched sophisticated attacks against government and critical infrastructure targets in Pakistan and Bangladesh using two distinct malware delivery chains, including a new Rust-based keylogger and the custom BurrowShell backdoor.

A threat actor known as SloppyLemming has been linked to a series of sophisticated cyberattacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh between January 2025 and January 2026. The campaign, uncovered by Arctic Wolf, represents a significant evolution in the group's capabilities, particularly through the adoption of Rust programming language for malware development.

Dual Attack Chains and New Malware Families

The attackers employed two distinct infection chains to deliver their payloads. The first chain uses spear-phishing emails containing PDF lures that redirect victims to ClickOnce application manifests. These manifests deploy a legitimate Microsoft .NET runtime executable alongside a malicious loader that employs DLL side-loading techniques to decrypt and execute a custom x64 shellcode implant called BurrowShell.

BurrowShell functions as a full-featured backdoor, providing the threat actors with file system manipulation capabilities, screenshot capture, remote shell execution, and SOCKS proxy functionality for network tunneling. The malware cleverly masquerades its command-and-control communications as Windows Update service traffic and uses RC4 encryption with a 32-character key to protect its payloads.
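The article reports that BurrowShell protects its payloads with RC4 under a 32-character key. For an analyst holding a loader and an encrypted blob, that detail is actionable because RC4 is symmetric: whichever string the loader feeds to the cipher also decrypts the payload. The block below is an added example, not BurrowShell's code or Arctic Wolf's tooling: it is a textbook RC4 (KSA plus PRGA) with a small helper that tries candidate 32-character strings against a blob and keeps the one whose output looks like real plaintext. The key, the candidate list and the "captured" blob are constructed for the demonstration; how BurrowShell stores or derives its key is not on the page and is not assumed here.

```python
# Added example: generic RC4 (KSA + PRGA) as an analyst would use it to recover a
# payload encrypted under a fixed 32-character key, the scheme the article reports
# for BurrowShell. Nothing here is BurrowShell code; the key, the candidate list and
# the "captured blob" are constructed for the demonstration.

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (1..256 bytes)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes long")
    # Key-scheduling algorithm (KSA): permute S under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes forever
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` under `key`; RC4 is symmetric, so one function serves both."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def plausible_plaintext(data: bytes) -> bool:
    """Cheap sanity check for a decryption attempt: a PE header or mostly printable text."""
    if data[:2] == b"MZ":
        return True
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= 0.9


def recover_key(blob: bytes, candidates, key_len: int = 32):
    """Try each candidate of the reported key length and return the first one whose
    decryption looks like real plaintext, or None if nothing fits."""
    for key in candidates:
        if len(key) != key_len:
            continue  # the article reports a 32-character key; skip other lengths
        if plausible_plaintext(rc4_crypt(key, blob)):
            return key
    return None


# Constructed demo data: a made-up key and payload, NOT values from any sample.
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"  # 32 ASCII characters = 256-bit key
SAMPLE_PLAINTEXT = b"constructed stand-in for the decrypted payload bytes"
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

# Strings an analyst might pull out of a loader with `strings`; only one is the key.
CANDIDATE_STRINGS = [
    b"Windows Update",                      # wrong length, skipped outright
    SAMPLE_KEY,                             # the real (constructed) key
    b"ffffffffffffffffffffffffffffffff",    # 32 chars, wrong key
    b"zyxwvutsrqponmlkjihgfedcba987654",    # 32 chars, wrong key
]

if __name__ == "__main__":
    found = recover_key(SAMPLE_BLOB, CANDIDATE_STRINGS)
    print("recovered key:", found)
    print("plaintext:", rc4_crypt(found, SAMPLE_BLOB))
```

The plausibility check is deliberately crude (PE magic or a high printable ratio); for raw x64 shellcode an analyst would swap in a check that fits the expected blob, such as a known prologue or an entropy drop relative to the ciphertext. The length filter is the useful part: a reported fixed key length turns a pile of extracted strings into a short, deterministic candidate list.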

Rust-Based Keylogger and Network Reconnaissance

The second attack chain delivers a Rust-based keylogger through Excel documents containing malicious macros. This malware not only captures keystrokes but also includes port scanning and network enumeration capabilities, suggesting the attackers are conducting extensive reconnaissance on compromised networks.

The use of Rust represents a notable shift for SloppyLemming, which previously relied on traditional compiled languages and borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT. This evolution demonstrates the group's growing sophistication and investment in developing proprietary tools.

Infrastructure and Targeting Patterns

Arctic Wolf's investigation revealed that the threat actor registered 112 Cloudflare Workers domains during the campaign period, marking an eight-fold increase from the 13 domains previously identified by Cloudflare in September 2024. The attackers continue to abuse Cloudflare Workers infrastructure, naming their workers with government-themed typo-squatting patterns.
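Because a Workers hostname takes the form `<worker>.<account>.workers.dev`, the attacker-chosen part is the leading label, and that is where a government-themed look-alike name shows up. The block below is an added example of how a defender might triage such hostnames from passive DNS or proxy logs; it is not tooling from Arctic Wolf or Cloudflare. It folds common digit-for-letter swaps, strips separators, and scores each worker label against a protected-label list and a set of theme words. The protected labels, theme words and sample hostnames are constructed for the demonstration and are not indicators from the reports.

```python
# Added example: triage of *.workers.dev hostnames for government-themed look-alikes,
# the typo-squatting pattern the article attributes to SloppyLemming's Cloudflare
# Workers infrastructure. The protected labels, theme words and hostnames below are
# constructed for the demonstration and are not indicators from the reports.

WORKERS_SUFFIX = ".workers.dev"

# Digits commonly swapped for letters in look-alike names, plus separators to drop.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None, "_": None})

# Constructed stand-ins for the legitimate domain labels a defender would protect.
PROTECTED_LABELS = ["example-gov", "ministry-portal", "nationalgrid"]

# Words that make a worker name read as a government or login lure.
THEME_WORDS = ("gov", "ministry", "defence", "defense", "nuclear", "portal",
               "mail", "secure", "login", "update")


def worker_label(host: str):
    """For <worker>.<account>.workers.dev return the attacker-chosen <worker> label, else None."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(WORKERS_SUFFIX):
        return None
    labels = host[: -len(WORKERS_SUFFIX)].split(".")
    return labels[0] or None


def normalize(label: str) -> str:
    """Fold homoglyph digits to letters and strip separators before comparing."""
    return label.lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), for near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_host(host: str, protected=PROTECTED_LABELS, theme=THEME_WORDS):
    """Return (score, reasons): each theme word adds 1, each protected-label match adds 2."""
    label = worker_label(host)
    if label is None:
        return 0, []
    norm = normalize(label)
    score, reasons = 0, []
    for word in theme:
        if word in norm:
            score += 1
            reasons.append(f"theme:{word}")
    for p in protected:
        target = normalize(p)
        if target in norm:
            score += 2
            reasons.append(f"contains:{p}")
        elif levenshtein(norm, target) <= 2:
            score += 2
            reasons.append(f"near:{p}")
    return score, reasons


def triage(hosts, threshold: int = 2):
    """Hostnames scoring at or above the threshold, in the order seen."""
    return [h for h in hosts if score_host(h)[0] >= threshold]


# Constructed hostnames, as they might appear in passive DNS or proxy logs; not real IoCs.
SAMPLE_HOSTS = [
    "example-g0v-mail.acct1.workers.dev",
    "ministryportal-login.acct2.workers.dev",
    "my-cat-blog.acct3.workers.dev",
    "nati0nalgrid.acct4.workers.dev",
    "weather-api.acct5.workers.dev",
    "www.example.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, score_host(h))
    print("flagged:", triage(SAMPLE_HOSTS))
```

The scoring is intentionally simple and tunable: a bare theme word scores 1 so that ordinary "mail" or "login" workers do not trip the default threshold on their own, while a protected label appearing inside or within two edits of the worker name scores 2 and is flagged by itself. In practice the protected list would be the organisation's own domains and those of the agencies it corresponds with.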

The targeting aligns with regional strategic competition in South Asia, focusing on Pakistani nuclear regulatory bodies, defense logistics organizations, telecommunications infrastructure, Bangladeshi energy utilities, and financial institutions. This victimology pattern suggests intelligence collection priorities consistent with state-sponsored operations.

Attribution and Connections to Other Threat Actors

SloppyLemming, also tracked under the names Outrider Tiger and Fishing Elephant, has been active since at least 2022, targeting government, law enforcement, energy, telecommunications, and technology entities across Pakistan, Sri Lanka, Bangladesh, and China. The group has previously deployed malware families like Ares RAT and WarHawk, often attributed to SideCopy and SideWinder respectively.

Some aspects of the campaign's tradecraft, particularly the use of ClickOnce-enabled execution, overlap with a recent SideWinder campaign documented by Trellix in October 2025. The deployment of dual payloads - BurrowShell for command-and-control and SOCKS proxy operations, and the Rust-based keylogger for information stealing - demonstrates the threat actor's operational flexibility and ability to deploy appropriate tools based on target value and requirements.

The campaign highlights the ongoing threat to government and critical infrastructure organizations in South Asia and underscores the importance of robust email security, network monitoring, and endpoint protection to defend against increasingly sophisticated attack techniques.
