Government agencies in Bangladesh and Government agencies in Pakistan: SloppyLemming Cyber Attacks Hit Government and Infrastructure in Pakistan, Bangladesh

SloppyLemming Cyber Espionage Campaign Targets South Asian Governments and Critical Infrastructure

A recent report by cybersecurity firm Arctic Wolf has linked the threat group SloppyLemming (also tracked as Outrider Tiger and Fishing Elephant) to a large-scale malware campaign targeting government agencies and critical infrastructure operators in Pakistan and Bangladesh between January 2025 and January 2026. The operation employed dual malware chains to conduct espionage and data theft, marking a significant evolution in the group’s tactics.

Attack Methods and Malware Payloads

SloppyLemming deployed two distinct infection vectors:

  1. BurrowShell Backdoor – Delivered via spear-phishing emails with malicious PDF attachments, this payload granted attackers full remote access, enabling file system control, screenshot capture, command execution, and network tunneling via a SOCKS proxy. Malicious traffic was disguised as legitimate Windows Update communications, using RC4 encryption to evade detection.

  2. Rust-Based Keylogger – Embedded in macro-enabled Excel documents, this chain dropped a Rust-written keylogger alongside reconnaissance tools capable of port scanning and network enumeration, allowing attackers to gather sensitive data from compromised environments.

Sophisticated Delivery and Infrastructure

The campaign leveraged spear-phishing emails with booby-trapped attachments, including ClickOnce manifests that triggered DLL sideloading, so that malicious code was loaded under the guise of trusted Microsoft .NET binaries. Additionally, SloppyLemming abused Cloudflare Workers domains (112 identified in the past year) to relay command-and-control (C2) traffic, complicating attribution and takedown efforts.
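Two details above give a defender something concrete to hunt for: the BurrowShell C2 channel is dressed up as Windows Update traffic and wrapped in RC4, and the relays sit on Cloudflare Workers domains. The script below is an added example written for this page, not code from the report or from Arctic Wolf. It runs a host/user-agent mismatch check and a Workers-domain check over proxy log lines, and includes a plain RC4 routine for decoding a beacon body once a key has been pulled from a sample. The log line format, the sample lines, the small Microsoft update host allowlist, the `Windows-Update-Agent` user-agent prefix and the beacon key are all assumptions constructed so the example runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the report). Assumed line format:
# <timestamp> <client_ip> <method> <url> "<user-agent>" <status> <bytes>
SAMPLE_PROXY_LOG = """\
2025-03-04T10:15:22Z 10.0.4.17 GET http://download.windowsupdate.com/d/msdownload/update/software/secu/2025/02/windows10.0-kb5000000-x64.cab "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0" 200 1843320
2025-03-04T10:15:40Z 10.0.4.17 POST https://update-telemetry-sync.workers.dev/v6/ClientWebService/client.asmx "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0" 200 612
2025-03-04T10:16:01Z 10.0.4.23 GET https://www.example.org/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200 5120
2025-03-04T10:17:13Z 10.0.4.17 POST https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0" 200 980
2025-03-04T10:18:55Z 10.0.4.31 POST https://sls-report.example-cdn.net/report "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0" 200 740
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Assumption: a minimal allowlist of genuine Windows Update host suffixes.
# In production, use the full list Microsoft publishes for your environment.
MICROSOFT_UPDATE_SUFFIXES = (
    ".windowsupdate.com",
    ".update.microsoft.com",
    ".delivery.mp.microsoft.com",
)
WU_USER_AGENT_PREFIX = "Windows-Update-Agent"   # assumption: prefix the agent presents
WORKERS_SUFFIX = ".workers.dev"


def is_microsoft_update_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in MICROSOFT_UPDATE_SUFFIXES)


def triage(entry: dict) -> list[str]:
    """Return the reasons one parsed log entry deserves a look (empty list if none)."""
    host = (urlsplit(entry["url"]).hostname or "").lower()
    reasons = []
    claims_windows_update = entry["ua"].startswith(WU_USER_AGENT_PREFIX)
    # The strong signal: a client claiming to be the update agent talking to a host
    # that is not a Microsoft update endpoint.
    if claims_windows_update and not is_microsoft_update_host(host):
        reasons.append("Windows Update user-agent to non-Microsoft host")
    # Weaker signal: Workers domains are used legitimately, so this is a review item.
    if host.endswith(WORKERS_SUFFIX):
        reasons.append("Cloudflare Workers host (review for C2 relay abuse)")
    return reasons


def hunt(log_text: str) -> list[dict]:
    """Parse every line; return one finding per line that triage() flags."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:          # malformed line: skip rather than crash the hunt
            continue
        entry = match.groupdict()
        reasons = triage(entry)
        if reasons:
            findings.append({
                "client": entry["client"],
                "host": urlsplit(entry["url"]).hostname,
                "reasons": reasons,
            })
    return findings


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumption: the key was recovered from a sample's configuration. The "captured"
# beacon body is constructed here so the example is self-contained.
BEACON_KEY = b"constructed-demo-key"
BEACON_PLAINTEXT = b"id=WS-4417;user=analyst;task=idle"
CAPTURED_BEACON = rc4(BEACON_KEY, BEACON_PLAINTEXT)


def decode_beacon(key: bytes, body: bytes) -> bytes:
    """Decrypt an RC4-wrapped C2 body with a key recovered from the implant."""
    return rc4(key, body)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROXY_LOG):
        print(finding["client"], finding["host"], "; ".join(finding["reasons"]))
    print(decode_beacon(BEACON_KEY, CAPTURED_BEACON).decode())
```

Running it flags the `workers.dev` beacon twice (user-agent mismatch plus Workers host) and the `example-cdn.net` POST once, while the real `windowsupdate.com` and `delivery.mp.microsoft.com` requests pass. The mismatch rule is the one worth alerting on; the Workers rule is a triage enrichment. RC4 decoding only helps after a key has been extracted from a sample, since RC4 carries no integrity check and the key cannot be derived from the traffic itself.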

Broader Threat Landscape

Active since at least 2022, SloppyLemming has a history of targeting government, law enforcement, energy, and telecommunications sectors across South and East Asia, including Sri Lanka, China, and Nepal. While the group is considered moderately capable, its use of custom malware (Ares RAT, WarHawk, Cloud Phish) and cloud-based exfiltration underscores the growing sophistication of cyber espionage in the region. Despite some operational security missteps, the dual-payload approach and abuse of legitimate cloud services highlight the persistent threat to regional governments and critical infrastructure.

Source: https://www.cxodigitalpulse.com/sloppylemming-cyber-attacks-hit-government-and-infrastructure-in-pakistan-bangladesh/

Government of Pakistan cybersecurity rating report: https://www.rankiteo.com/company/government-of-pakistan

"id": "GOV1772534265",
"linkid": "government-of-pakistan",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Government',
                        'location': ['Pakistan', 'Bangladesh'],
                        'type': 'Government Agency'},
                       {'industry': ['Energy', 'Telecommunications'],
                        'location': ['Pakistan', 'Bangladesh'],
                        'type': 'Critical Infrastructure Operator'}],
 'attack_vector': ['Spear-phishing emails',
                   'Malicious PDF attachments',
                   'Macro-enabled Excel documents',
                   'ClickOnce manifests',
                   'DLL sideloading'],
 'data_breach': {'data_encryption': 'RC4 encryption for C2 traffic',
                 'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Sensitive government data',
                                              'Critical infrastructure data']},
 'date_detected': '2025-01',
 'description': 'A recent report by cybersecurity firm Arctic Wolf has linked '
                'the threat group SloppyLemming (also tracked as Outrider '
                'Tiger and Fishing Elephant) to a large-scale malware campaign '
                'targeting government agencies and critical infrastructure '
                'operators in Pakistan and Bangladesh between January 2025 and '
                'January 2026. The operation employed dual malware chains to '
                'conduct espionage and data theft, marking a significant '
                'evolution in the group’s tactics.',
 'impact': {'data_compromised': 'Sensitive government and critical '
                                'infrastructure data',
            'operational_impact': 'Network tunneling, remote access, data '
                                  'exfiltration',
            'systems_affected': ['Government agencies',
                                 'Critical infrastructure operators']},
 'initial_access_broker': {'backdoors_established': ['BurrowShell Backdoor',
                                                     'Rust-Based Keylogger'],
                           'entry_point': ['Spear-phishing emails',
                                           'Malicious attachments'],
                           'high_value_targets': ['Government agencies',
                                                  'Critical infrastructure']},
 'motivation': 'Espionage, Data Theft',
 'post_incident_analysis': {'root_causes': ['Spear-phishing',
                                            'Abuse of legitimate cloud '
                                            'services (Cloudflare Workers)',
                                            'DLL sideloading']},
 'references': [{'source': 'Arctic Wolf Report'}],
 'response': {'third_party_assistance': 'Arctic Wolf'},
 'threat_actor': 'SloppyLemming (Outrider Tiger / Fishing Elephant)',
 'title': 'SloppyLemming Cyber Espionage Campaign Targets South Asian '
          'Governments and Critical Infrastructure',
 'type': 'Cyber Espionage'}