Cybersecurity researchers have detailed a sustained espionage campaign by the threat actor tracked as SloppyLemming, which has targeted government entities and critical infrastructure in Pakistan and Bangladesh over the past year. The activity, observed between January 2025 and January 2026, used two distinct malware delivery chains that paired social engineering with custom tooling to gain a foothold in the targeted networks.
According to the report, SloppyLemming (also tracked as Outrider Tiger and Fishing Elephant) opened each intrusion with carefully crafted spear-phishing messages carrying either a malicious PDF or a macro-enabled Excel spreadsheet. In the PDF chain, the victim was shown a blurred document and a fake “Download file” button. Clicking it led to a ClickOnce application manifest, which silently kicked off a multi-stage sequence: a legitimate, signed Microsoft runtime executable was dropped alongside a malicious DLL, and DLL search-order hijacking caused the trusted binary to load that DLL as its loader. The loader in turn delivered a custom backdoor the researchers have named “BurrowShell.”
BurrowShell is described as a full-featured remote access backdoor. It can manipulate the file system, capture screenshots, execute remote shell commands, and open SOCKS proxy tunnels so the operator can route traffic through the compromised host. Its command-and-control traffic is shaped to resemble Windows Update traffic and is encrypted, so neither a casual look at the destination nor content inspection alone is likely to expose it. This combination lets the actor hold persistent access while keeping the detection risk low.
The second delivery chain relied on macro-enabled Excel files posing as legitimate spreadsheets. Once opened with macros enabled, the document fetched and ran a Rust-based remote access trojan (RAT) with keylogging and extended reconnaissance functions such as port scanning and network enumeration. Rust is a notable addition to SloppyLemming’s toolkit, an evolution beyond the traditional compiled languages and third-party frameworks like Cobalt Strike the group has previously been associated with.
Investigators also noted the extensive infrastructure behind the campaign, including a sharp rise in Cloudflare Workers domains attributed to the group over the same period. These domains acted as intermediaries for hosting staged malware and relaying command-and-control traffic, which complicates attribution and takedown because the traffic terminates on a widely used, reputable provider.
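The two network-side traits above (C2 dressed up as Windows Update traffic, and staging on Cloudflare Workers domains) both reduce to a host-and-header check a proxy or DNS analyst can run. The script below is an added example written for this article, not tooling from the report or the researchers. It assumes a JSON-lines proxy log with `src`, `url` and `user_agent` fields, a shortlist of legitimate Windows Update hosts, and the `Windows-Update-Agent` / `Microsoft-Delivery-Optimization` user-agent prefixes that the genuine client uses; the report does not say which strings BurrowShell imitates, so treat that list as a starting point. The log lines are constructed.

```python
"""Flag HTTP records that claim to be Windows Update traffic but go to
non-Microsoft hosts, and records whose destination is a Cloudflare Workers
default domain. Added example; sample records below are constructed."""
import json
from urllib.parse import urlsplit

# Hosts the Windows Update client legitimately contacts (suffix match).
# Assumed shortlist; derive the real one from Microsoft's published endpoints.
MS_UPDATE_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "delivery.mp.microsoft.com",
    "windowsupdate.microsoft.com",
)

# User-Agent prefixes of the real Windows Update client and Delivery
# Optimization. Assumption: the report does not name the strings BurrowShell uses.
UPDATE_UA_PREFIXES = ("Windows-Update-Agent", "Microsoft-Delivery-Optimization")

# Default hostname suffix for Cloudflare Workers. Workers served from a
# customer's own domain will not match this and need IP-range checks instead.
WORKERS_SUFFIX = "workers.dev"


def host_in(host, suffixes):
    """Exact or subdomain match only, so 'windowsupdate.com.evil.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(rec):
    """Return the list of reasons one proxy record is suspicious (empty if none)."""
    host = (urlsplit(rec["url"]).hostname or "").lower()
    ua = rec.get("user_agent", "")
    reasons = []
    # A genuine update client only talks to Microsoft-operated update hosts.
    if ua.startswith(UPDATE_UA_PREFIXES) and not host_in(host, MS_UPDATE_SUFFIXES):
        reasons.append("update-ua-to-non-microsoft-host")
    if host_in(host, (WORKERS_SUFFIX,)):
        reasons.append("cloudflare-workers-host")
    return reasons


def scan(lines):
    """Parse JSON-lines records; return (src, host, reasons) for every hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            host = (urlsplit(rec["url"]).hostname or "").lower()
            hits.append((rec["src"], host, reasons))
    return hits


# Constructed sample log: one legitimate update fetch, one masquerading beacon,
# one Workers staging host, one suffix-spoofed host, one ordinary browse.
SAMPLE_LOG = """
{"src": "10.10.4.21", "url": "http://download.windowsupdate.com/d/msdownload/update/file.cab", "user_agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"}
{"src": "10.10.4.37", "url": "https://cdn-update-check.example.net/v11/update", "user_agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"}
{"src": "10.10.4.37", "url": "https://stage-sync.acme-labs.workers.dev/api/sync", "user_agent": "Mozilla/5.0"}
{"src": "10.10.4.37", "url": "https://windowsupdate.com.evil.example/v11/update", "user_agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"}
{"src": "10.10.4.50", "url": "https://www.example.org/", "user_agent": "Mozilla/5.0"}
""".strip().splitlines()


def sample_hits():
    """Run the scan over the constructed log."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for src, host, reasons in sample_hits():
        print(src, host, ", ".join(reasons))
```

The suffix check matters: a naive `"windowsupdate.com" in host` test would wave through the spoofed fourth record. In practice the update-agent rule produces few false positives on managed fleets, because the only non-Microsoft hosts a real client contacts are an organisation's own WSUS or configuration-manager servers, which belong in the allow-list.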
Compounding the challenge for defenders, both delivery chains abused trusted processes and legitimate platform mechanisms, ClickOnce manifests and DLL side-loading among them, to evade detection. This reflects a broader trend among advanced persistent threat actors of wrapping malicious payloads in legitimate functionality, which makes early identification and mitigation harder.
While the campaign’s full impact on the targeted regions is still being assessed, the documented activity underscores the need for organisations, particularly in government and critical infrastructure, to maintain robust phishing defences, layered security controls, and active threat-intelligence sharing. Monitoring for anomalous network behaviour, combined with endpoint telemetry that can see which binaries load which libraries, remains crucial against the techniques observed here.
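The side-loading step described above leaves a distinctive trace in endpoint telemetry: a signed binary running from a user-writable directory loads a library of a well-known Windows name from that same directory, rather than from System32. The script below is an added example written for this article, not the researchers' detection logic. It assumes records shaped like the EventData of Sysmon Event ID 7 (Image loaded), where `Signed`, `Signature` and `SignatureStatus` describe the loaded DLL, plus an assumed shortlist of user-writable path fragments and of DLL names that are commonly hijacked. The events are constructed.

```python
"""Hunt for DLL search-order hijacking in Sysmon Event ID 7 (Image loaded)
records. Added example; the events below are constructed, not campaign logs."""
import ntpath

# Directory fragments a standard user can write to. Assumed list; note that
# ClickOnce installs under %LocalAppData%\Apps\2.0, so AppData must be included.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\",
)

# Names a process normally resolves from System32; a copy beside the executable
# is the classic search-order hijack. Assumed shortlist, extend from your own data.
HIJACK_PRONE_DLLS = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
    "profapi.dll", "userenv.dll",
}


def _dirname(path):
    return ntpath.dirname(path).lower()


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def microsoft_signed(rec):
    """True when Sysmon reports a valid signature from a Microsoft signer."""
    return (
        rec.get("Signed") == "true"
        and rec.get("SignatureStatus") == "Valid"
        and rec.get("Signature", "").lower().startswith("microsoft ")
    )


def evaluate(rec):
    """Return (severity, reason) for one Event ID 7 record, or None if benign."""
    image, loaded = rec["Image"], rec["ImageLoaded"]
    if _dirname(image) != _dirname(loaded):
        return None  # DLL resolved from elsewhere, e.g. System32: not a side-load
    if not is_user_writable(image):
        return None  # Program Files etc. are out of scope for this rule
    if microsoft_signed(rec):
        return None  # a genuine Microsoft DLL beside a runtime is expected
    name = ntpath.basename(loaded).lower()
    if name in HIJACK_PRONE_DLLS:
        return ("high", f"{name} loaded from user-writable directory by {image}")
    return ("medium", f"non-Microsoft DLL {name} loaded from user-writable directory by {image}")


def hunt(records):
    """Return (Image, severity, reason) for every record that fires."""
    findings = []
    for rec in records:
        verdict = evaluate(rec)
        if verdict:
            findings.append((rec["Image"], verdict[0], verdict[1]))
    return findings


# Constructed events: a hijacked version.dll, a legitimate System32 load,
# a vendor app under Program Files, a third-party DLL in Temp, and a
# System32 import by the same Temp-resident host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update\host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update\host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\plugin.dll",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update\host.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def sample_findings():
    """Run the hunt over the constructed events."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, severity, reason in sample_findings():
        print(severity.upper(), reason)
```

Event ID 7 carries the signer of the loaded image but not of the host process, so to prioritise the "signed Microsoft binary in a user directory" pattern you would join the `Image` path against process-creation telemetry or a file-signature inventory; the rule above deliberately works without that join so it can run on Sysmon data alone.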