SloppyLemming Targets Pakistan and Bangladesh Government and Critical Infrastructure With Dual Malware Chains and 112 Cloudflare Workers Domains

The South Asian threat actor SloppyLemming (also tracked as Outrider Tiger and Fishing Elephant) has been attributed to a sustained campaign targeting government entities and critical infrastructure operators in Pakistan and Bangladesh spanning January 2025 through January 2026, according to new research from Arctic Wolf.

The campaign deploys two distinct attack chains delivering BurrowShell, a full-featured C2 backdoor, and a Rust-based keylogger — marking a notable evolution in the group's tooling, which previously relied on traditional compiled languages and borrowed frameworks like Cobalt Strike, Havoc, and the custom NekroWire RAT.

Strategic Targeting

The victimology aligns with intelligence collection priorities consistent with regional strategic competition in South Asia:

Pakistan: Nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure

Bangladesh: Energy utilities and financial institutions

SloppyLemming has been active since at least 2022, targeting government, law enforcement, energy, telecommunications, and technology entities across Pakistan, Sri Lanka, Bangladesh, and China. Prior campaigns leveraged malware families like Ares RAT and WarHawk, which are commonly associated with the SideCopy and SideWinder threat groups respectively.

Attack Chain 1: BurrowShell via ClickOnce

The first chain uses spear-phishing emails delivering PDF lure documents containing URLs that lead victims to ClickOnce application manifests:

  1. ClickOnce deployment delivers a legitimate Microsoft .NET runtime executable (NGenTask.exe) alongside a malicious loader (mscorsvc.dll)
  2. DLL sideloading launches the loader, which decrypts and executes a custom x64 shellcode implant
  3. BurrowShell deploys in memory with full backdoor capabilities

BurrowShell provides:

  • File system manipulation
  • Screenshot capture
  • Remote shell execution
  • SOCKS proxy for network tunneling
  • C2 traffic disguised as Windows Update service communications
  • RC4 encryption with a 32-character key for payload protection

Attack Chain 2: Rust-Based Keylogger via Excel Macros

The second chain uses macro-enabled Excel documents to deliver a Rust-based keylogger — a significant tooling upgrade that suggests the group is investing in more modern, harder-to-analyze languages. The keylogger also incorporates port scanning and network enumeration capabilities beyond basic keystroke capture.

The dual payload approach gives the operator flexibility to deploy the appropriate tool based on target value — BurrowShell for high-value persistent access with C2 and tunneling, and the keylogger for lighter-touch credential harvesting and network reconnaissance.

Massive Infrastructure Expansion

Arctic Wolf identified 112 Cloudflare Workers domains registered during the campaign period — an eight-fold increase from the 13 domains flagged by Cloudflare in September 2024. The domains follow government-themed typosquatting patterns consistent with SloppyLemming's established infrastructure tradecraft.

Attribution Basis

The campaign links to SloppyLemming are based on:

  • Continued exploitation of Cloudflare Workers infrastructure with government-themed typosquatting
  • Deployment of the Havoc C2 framework
  • DLL sideloading techniques
  • Victimology patterns matching previous campaigns
  • Overlap with SideWinder ClickOnce techniques documented by Trellix in October 2025

Defender Recommendations

  • Block ClickOnce deployments from external sources — restrict .application manifest execution to trusted internal sources
  • Detect DLL sideloading — alert on NGenTask.exe loading unsigned mscorsvc.dll
  • Monitor for Windows Update impersonation — flag C2 traffic masquerading as Windows Update communications from non-Microsoft endpoints
  • Disable Office macros — enforce policies blocking macro-enabled documents from external senders
  • Hunt for Cloudflare Workers abuse — flag connections to recently registered Cloudflare Workers domains with government-themed naming patterns
  • Monitor for Rust-based executables — unusual Rust binaries on government or infrastructure networks warrant investigation
  • SOCKS proxy detection — look for unexpected tunneling activity from endpoints that shouldn't be proxying traffic
