Pakistan and Bangladesh Governments Hit by Sophisticated Malware Attack: SloppyLemming Threat Actor
SloppyLemming Targets Government Entities in Pakistan and Bangladesh with Dual Malware Chains
A recent campaign attributed to the SloppyLemming threat actor has targeted government entities and critical infrastructure operators in Pakistan and Bangladesh. The attacks, which occurred between January 2025 and January 2026, used two distinct malware chains to deliver two malware families: the BurrowShell backdoor and a Rust-based keylogger.
About SloppyLemming
SloppyLemming, also known as Outrider Tiger and Fishing Elephant, is a threat actor that has been active since at least 2022, targeting government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Sri Lanka, Bangladesh, and China. Previous campaigns have leveraged malware families such as Ares RAT and WarHawk, which are often attributed to SideCopy and SideWinder, respectively.
Attack Vectors
The latest attacks began with spear-phishing emails containing PDF lures and macro-enabled Excel documents. The PDF decoys led victims to ClickOnce application manifests, which deployed a legitimate Microsoft .NET runtime executable alongside a malicious loader. The loader was launched through DLL side-loading and decrypted and executed a custom x64 shellcode implant, codenamed BurrowShell.
Malware Capabilities
BurrowShell is a full-featured backdoor that gives the threat actor file system manipulation, screenshot capture, remote shell execution, and a SOCKS proxy for network tunneling. The implant masquerades its command-and-control (C2) traffic as Windows Update service communications and protects its payload with RC4 encryption using a 32-character key.
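The page says BurrowShell disguises its C2 traffic as Windows Update communications but does not say how. One defensive check a practitioner can build from that description is a proxy-log sweep for clients that present the Windows Update Agent User-Agent while talking to hosts outside Microsoft's update infrastructure. The following is an added example written for this article, not code from the original report or from any vendor: the log format, the User-Agent prefix heuristic, the allow-list of Microsoft update domains (illustrative, not exhaustive) and the log lines themselves are all constructed assumptions.

```python
"""Flag proxy log lines where a Windows Update-looking User-Agent reaches a
non-Microsoft host. Added illustrative example; every value below is assumed."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: legitimate Windows Update endpoints live under these suffixes.
# This list is illustrative for the example and is not complete.
MICROSOFT_UPDATE_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "delivery.mp.microsoft.com",
)

# Assumption: the Windows Update client identifies itself with this UA prefix.
WINDOWS_UPDATE_UA_PREFIX = "Windows-Update-Agent"

# Assumed proxy log layout:
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one real-looking update fetch, two beacons from the
# same client to a made-up host using the same User-Agent, and one unrelated hit.
SAMPLE_PROXY_LOG = [
    '2026-01-12T09:14:02Z 10.0.5.23 GET http://download.windowsupdate.com/c/msdownload/update/x.cab 200 '
    '"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"',
    '2026-01-12T09:14:07Z 10.0.5.23 POST http://wu-status-check.example-constructed.net/v1/report 200 '
    '"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"',
    '2026-01-12T09:14:09Z 10.0.5.41 GET https://www.example.org/ 200 "Mozilla/5.0"',
    '2026-01-12T09:15:07Z 10.0.5.23 POST http://wu-status-check.example-constructed.net/v1/report 200 '
    '"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"',
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_microsoft_update_host(host):
    """True when the host is, or sits under, an allow-listed update domain."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_UPDATE_SUFFIXES)


def claims_windows_update(user_agent):
    """True when the User-Agent presents itself as the Windows Update client."""
    return user_agent.startswith(WINDOWS_UPDATE_UA_PREFIX)


def find_suspect_lines(lines):
    """Count (client, host) pairs that look like Windows Update traffic but go
    to a host outside the allow-list. Unparseable lines are skipped."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname or ""
        if claims_windows_update(rec["ua"]) and not is_microsoft_update_host(host):
            hits[(rec["client"], host)] += 1
    return hits


if __name__ == "__main__":
    for (client, host), n in find_suspect_lines(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {host}: {n} Windows-Update-styled request(s) to a non-Microsoft host")
```

Repeated hits from one client to one unfamiliar host at a steady interval, as in the constructed sample, are what turn this from a noisy heuristic into something worth triaging; in practice the allow-list should be derived from the organisation's own observed update traffic rather than typed by hand.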
Second Attack Chain
The second attack chain employed Excel documents containing malicious macros to drop the keylogger malware, which also performed port scanning and network enumeration. Further investigation of the threat actor’s infrastructure identified 112 Cloudflare Workers domains that hosted domains following government-themed typo-squatting patterns.
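The report notes that the Workers domains followed government-themed typo-squatting patterns, which is a pattern defenders can hunt for in their own DNS or proxy telemetry. Below is an added example, not code from the original article, that scores `*.workers.dev` hostnames against a short list of protected labels using exact match, substring match, and Levenshtein distance. The protected labels, the sample hostnames and the distance threshold are all constructed for the example; none of the 112 domains from the report are known here.

```python
"""Score Cloudflare Workers hostnames for look-alikes of protected domain labels.
Added illustrative example; the labels and hosts below are constructed."""

WORKERS_SUFFIX = ".workers.dev"

# Assumption: labels of legitimate sites an organisation wants to protect
# (constructed; real deployments would load these from an inventory).
PROTECTED_LABELS = {"ministryexample", "govportal"}

# Constructed sample hostnames: a single-character look-alike, a brand name
# padded with extra words, a benign worker, and a host outside workers.dev.
SAMPLE_HOSTS = [
    "ministryexampie.mail-archive.workers.dev",
    "govportal-login.cdn-static.workers.dev",
    "weather-widget.hobby.workers.dev",
    "govportal.example.com",
]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def workers_labels(host):
    """Labels to the left of .workers.dev (worker name and account subdomain),
    or an empty list when the host is not a Workers hostname."""
    host = host.lower().rstrip(".")
    if not host.endswith(WORKERS_SUFFIX):
        return []
    return [label for label in host[: -len(WORKERS_SUFFIX)].split(".") if label]


def classify_host(host, protected=PROTECTED_LABELS, max_distance=2):
    """Return (label, protected_label, reason) findings for one hostname.
    max_distance is an assumed threshold; tune it to the label lengths in use."""
    findings = []
    for label in workers_labels(host):
        for p in protected:
            if label == p:
                findings.append((label, p, "exact"))
            elif p in label:
                findings.append((label, p, "contains"))
            else:
                d = levenshtein(label, p)
                if d <= max_distance:
                    findings.append((label, p, f"lookalike(distance={d})"))
    return findings


def find_typosquats(hosts, protected=PROTECTED_LABELS):
    """Map each suspicious hostname to its findings; clean hosts are omitted."""
    results = {}
    for host in hosts:
        findings = classify_host(host, protected)
        if findings:
            results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in find_typosquats(SAMPLE_HOSTS).items():
        for label, p, reason in findings:
            print(f"{host}: label '{label}' vs protected '{p}' [{reason}]")
```

The non-Workers host in the sample is deliberately ignored, since this check is scoped to the hosting pattern the report describes; the same scoring functions can be pointed at any other suffix by changing `WORKERS_SUFFIX`. The `contains` rule catches the common "brand plus login/portal/update" construction that an edit-distance threshold alone would miss.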
Campaign Analysis
The campaign’s links to SloppyLemming were based on continued exploitation of Cloudflare Workers infrastructure, deployment of the Havoc C2 framework, DLL side-loading techniques, and victimology patterns. The targeting of Pakistani nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure, alongside Bangladeshi energy utilities and financial institutions, aligns with intelligence collection priorities consistent with regional strategic competition in South Asia.
The deployment of dual payloads – the in-memory shellcode BurrowShell for C2 and SOCKS proxy operations, and a Rust-based keylogger for information stealing – suggests that the threat actor maintains flexibility to deploy appropriate tools based on target value and operational requirements.
