
A threat actor tracked as SloppyLemming has been linked to a large-scale malware campaign against government agencies and critical infrastructure operators in Pakistan and Bangladesh, according to a recent report by cybersecurity firm Arctic Wolf. The activity, observed between January 2025 and January 2026, used two separate malware chains to deliver payloads built for espionage and data theft.
SloppyLemming, which other researchers track under aliases including Outrider Tiger and Fishing Elephant, has a history of targeting government, law enforcement, energy, telecommunications, and high-tech organisations across South Asia and beyond. The recent campaign marks a notable evolution in the group's toolkit: a full-featured backdoor for hands-on remote access, and a Rust-based keylogger paired with reconnaissance tooling for quieter collection.
Two Malware Chains, One Campaign
According to the Arctic Wolf analysis, the actor used two distinct attack chains to penetrate targeted systems:
- BurrowShell Backdoor: Delivered through spear-phishing emails carrying malicious PDF attachments, this payload gives the operators full remote access to the host. Once installed, it provides file-system control, screenshot capture, a remote shell for command execution, and a SOCKS proxy for tunnelling further into the network. Its command-and-control (C2) traffic is shaped to resemble legitimate Windows Update communication, with the content RC4-encrypted under a 32-character key. This is obfuscation rather than real confidentiality: if the key is static and can be recovered from a sample, captured C2 sessions can be decoded.
- Rust-Based Keylogger: The second chain is embedded in macro-enabled Excel documents. When a victim opens the file and enables macros, it drops a Rust-based keylogger together with reconnaissance tools capable of port scanning and enumerating network infrastructure, collecting sensitive information from inside the victim's environment.
Sophisticated Delivery and Infrastructure Abuse
The campaign typically began with spear-phishing emails: messages crafted to look legitimate but carrying booby-trapped document attachments. In some cases the attachments led victims to ClickOnce manifests that launched a legitimate Microsoft .NET executable alongside a hidden malicious loader via DLL sideloading, in which a trusted, signed binary is tricked into loading an attacker-supplied DLL from its own directory, so the malicious code runs under the cover of a trusted process.
SloppyLemming also made heavy use of Cloudflare Workers domains to support its operations. Over the past year, Arctic Wolf identified 112 such domains linked to the actor's infrastructure, a sharp increase over previously flagged clusters. Because Workers sites terminate on Cloudflare's shared edge and their hostnames blend in with legitimate workers.dev traffic, relaying C2 through them hides the actor's true origin and complicates attribution and takedown.
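Taken together, the two habits described above, C2 traffic dressed up as Windows Update and relays through Cloudflare Workers, suggest a simple hunt over egress proxy logs: flag Windows Update-looking requests that do not go to Microsoft update hosts, and flag any workers.dev destination for review. The script below is an added example written for this article, not code from Arctic Wolf or from the report. The log lines are constructed, and the allowlist of Microsoft update hostnames, the log format and the Windows-Update-Agent user-agent prefix are assumptions a defender would tune against their own egress baseline.

```python
"""Hunt egress proxy logs for Windows Update lookalikes and workers.dev C2 relays.

Added example, not Arctic Wolf's or the report's code. Log lines are constructed;
host allowlist, log format and user-agent prefix are assumptions to tune locally.
"""
import re
from urllib.parse import urlsplit

# Hostname suffixes legitimate Windows Update clients talk to (assumed,
# illustrative; extend from your own observed baseline).
MICROSOFT_UPDATE_SUFFIXES = (
    ".windowsupdate.com",
    ".update.microsoft.com",
    ".delivery.mp.microsoft.com",
)
# The real Windows Update agent identifies itself with this user-agent prefix.
WU_USER_AGENT_PREFIX = "Windows-Update-Agent"
# Default hostname suffix for Cloudflare Workers; the report ties 112 such
# domains to the actor, so every hit here is worth a look, not an automatic block.
WORKERS_SUFFIX = ".workers.dev"

# Assumed proxy log format: <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def ends_with_any(host, suffixes):
    """True if host is one of the suffix domains or a subdomain of one."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def classify(line):
    """Return the list of reasons a proxy log line is suspicious (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    host = host_of(m["url"])
    reasons = []
    if ends_with_any(host, (WORKERS_SUFFIX,)):
        reasons.append("workers.dev destination")
    # "Looks like Windows Update" by either the client UA or an update-style path.
    wu_like = m["ua"].startswith(WU_USER_AGENT_PREFIX) or "/windowsupdate/" in m["url"].lower()
    if wu_like and not ends_with_any(host, MICROSOFT_UPDATE_SUFFIXES):
        reasons.append("Windows Update lookalike to non-Microsoft host")
    return reasons


def hunt(lines):
    """Return (src_ip, host, reasons) for every line that trips at least one check."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if not reasons:
            continue
        m = LOG_RE.match(line)
        src, host = (m["src"], host_of(m["url"])) if m else ("?", "?")
        hits.append((src, host, reasons))
    return hits


# Constructed sample log: one genuine update fetch, one lookalike via a made-up
# workers.dev host, one ordinary intranet request, one update-style path to a
# bare TEST-NET address. None of these hostnames are real indicators.
SAMPLE_LOG = [
    '2025-06-03T09:12:44Z 10.0.4.17 GET http://download.windowsupdate.com/d/msdownload/update/x.cab 200 '
    '"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"',
    '2025-06-03T09:13:02Z 10.0.4.17 POST https://update-cache-7f3a.workers.dev/v10/windowsupdate/report 200 '
    '"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"',
    '2025-06-03T09:14:10Z 10.0.4.22 GET https://intranet.example.local/login 200 "Mozilla/5.0"',
    '2025-06-03T09:15:00Z 10.0.4.31 POST http://203.0.113.45/windowsupdate/ping 200 "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for src, host, reasons in hunt(SAMPLE_LOG):
        print(f"{src} -> {host}: {', '.join(reasons)}")
```

The genuine update request is ignored because its host sits under an allowlisted Microsoft suffix, while the second and fourth lines are flagged. In practice the allowlist should be built from observed traffic rather than hand-typed, since Microsoft's update CDN hostnames vary by region and release channel, and workers.dev hits need triage because plenty of legitimate services also run on Workers.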
History and Broader Target Set
SloppyLemming isn’t new to the cybersecurity landscape. Researchers have been tracking the group since at least 2022, with earlier campaigns using malware families such as Ares RAT and WarHawk in attacks across South and East Asia, including Sri Lanka, China, and Nepal. The actor predominantly targets government and critical infrastructure sectors using spear-phishing, credential harvesting, and custom tools like Cloud Phish to create malicious cloud-hosted resources for exfiltration.
Security professionals characterize SloppyLemming as moderately capable — its tools are advanced, but some operational security missteps have made elements of its infrastructure visible to defenders. Nonetheless, the combination of dual malware payloads and abuse of legitimate cloud services highlights the growing sophistication of cyber espionage against regional government and infrastructure targets.