A sophisticated cyber espionage campaign, attributed to a threat group known as SloppyLemming, has been actively targeting government agencies, defense organizations, critical infrastructure operators, and nuclear oversight bodies in Pakistan and Bangladesh. The group, also tracked under aliases like Outrider Tiger and Fishing Elephant, has been operational since 2021. Between January 2025 and January 2026, researchers observed the deployment of two novel tools: a custom backdoor named BurrowShell and a remote access trojan (RAT) built with the Rust programming language, incorporating keylogging capabilities.
The campaign employed two distinct attack vectors, both initiated through spear-phishing. The first used PDF lures that presented a blurred document alongside a deceptive “Download file” button; clicking the button redirected victims to a ClickOnce application manifest, which silently installed a multi-stage malware chain onto their systems. The second involved macro-enabled Excel spreadsheets that, when opened, silently downloaded and executed malicious payloads from attacker-controlled servers.
Inside the SloppyLemming Espionage Campaign and BurrowShell Backdoor
Analysts from Arctic Wolf, who investigated the campaign, identified both attack chains as part of a single, coordinated operation. A common TTP employed in both paths was DLL search order hijacking. This technique involved placing rogue Dynamic Link Libraries (DLLs) adjacent to legitimate, signed Microsoft binaries. This allowed the attackers to execute their malicious code within the context of trusted Microsoft processes, effectively bypassing standard security software detections.
The infrastructure supporting this sustained espionage campaign was extensive. Researchers traced 112 unique Cloudflare Workers domains registered between January 2025 and January 2026. This represents a significant expansion from the 13 domains documented in previous reporting. These domains were meticulously crafted to impersonate real government entities, including the Pakistan Nuclear Regulatory Authority, Pakistan Navy, Dhaka Electric Supply Company, and Bangladesh Bank. The registration of new domains peaked in July 2025, with 42 new domains added in a single month, indicating an accelerated pace of operations.
The targeted sectors in Pakistan included nuclear oversight, defense logistics, telecommunications, and government administration. In Bangladesh, the focus was on energy utilities, financial institutions, and media organizations. This strategic targeting aligns with intelligence-collection priorities associated with regional competition in South Asia, and the year-long campaign, coupled with the expanding infrastructure, suggests organized, long-term strategic intent by the SloppyLemming group.
The BurrowShell Infection Chain Detailed
BurrowShell functions as an in-memory shellcode implant, initially delivered through the ClickOnce attack chain. The infection process begins when a malicious loader, identified as mscorsvc.dll, is loaded by a renamed Microsoft .NET binary. This binary, typically NGenTask.exe, was masquerading as OneDrive.exe and placed in the same directory. Before executing any payload, the loader checks whether the parent process is running from an authorized directory; this anti-analysis check is designed to prevent execution inside analysis sandboxes.
If the location check succeeds, the loader establishes persistence by writing a registry entry under Software\Microsoft\Windows\CurrentVersion\Run. This ensures that OneDrive.exe is launched on every system reboot, maintaining the infection’s presence. The loader then reads an RC4-encrypted file named system32.dll and, using a hardcoded 32-character key, decrypts it and releases the BurrowShell implant into memory. Because the shellcode never resides on disk as a standalone file, traditional file-scanning antivirus solutions are significantly less likely to detect it.
Once active, BurrowShell establishes communication with its command-and-control (C2) server, typically utilizing port 443. The group disguises this traffic to appear as legitimate Windows Update communications. After registering the compromised host with system details, the implant enters a continuous loop of heartbeat check-ins, awaiting further commands. The BurrowShell implant supports a range of fifteen distinct commands, including file operations, screenshot capture, arbitrary shell command execution, and SOCKS proxy tunneling. The Rust-based keylogger, deployed via the Excel macro attack path, complements these capabilities by recording keystrokes, conducting port scanning, and performing network enumeration.
Organizations operating within the government, defense, and critical infrastructure sectors are urged to implement specific defensive measures. Email security tools should be configured to block PDF files containing embedded URLs that point to Cloudflare Workers subdomains. Furthermore, macro execution in externally received Office documents should be disabled. Network teams are advised to monitor connections to *.workers.dev domains and enable SSL/TLS inspection for encrypted traffic directed towards suspicious destinations. Endpoint detection rules should flag instances of NGenTask.exe or phoneactivate.exe loading DLLs from non-standard paths and alert on the presence of unexpected CurrentVersion\Run registry entries.
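The three endpoint and network indicators above, turned into simple detection logic over constructed telemetry (an added example, not Arctic Wolf's rules or any product's detection content). The event field names, the trusted-directory allowlist and the sample hostname are assumptions for illustration; a real deployment would map them onto the EDR or Sysmon schema in use.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Indicators from the text: NGenTask.exe / phoneactivate.exe loading DLLs from
# non-standard paths, unexpected CurrentVersion\Run entries, and connections to
# *.workers.dev. Event shape and the allowlist below are assumptions.
HIJACK_HOSTS = {"ngentask.exe", "phoneactivate.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def check_event(ev: dict) -> Optional[str]:
    """Return a finding string if the event matches one of the three rules, else None."""
    kind = ev["type"]
    if kind == "image_load":
        # Compare the on-disk name and the PE's original file name, so a renamed
        # NGenTask.exe (e.g. posing as OneDrive.exe) is still caught.
        names = {PureWindowsPath(ev["image"]).name.lower(), ev.get("orig_name", "").lower()}
        if names & HIJACK_HOSTS and not in_trusted_dir(ev["loaded"]):
            return f"dll-hijack: {ev['image']} loaded {ev['loaded']}"
    elif kind == "registry_set":
        # Any Run entry whose target lives outside the allowlisted directories.
        if RUN_KEY in ev["key"].lower() and not in_trusted_dir(ev["value"]):
            return f"run-key: {ev['key']} -> {ev['value']}"
    elif kind == "network_connect":
        if ev["host"].lower().endswith(".workers.dev"):
            return f"workers-dev: {ev['image']} -> {ev['host']}:{ev['port']}"
    return None

def scan(events: list) -> list:
    return [f for f in (check_event(e) for e in events) if f]

# Constructed sample telemetry: three events that should fire, two that should not.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\u\AppData\Roaming\OneDrive\OneDrive.exe",
     "orig_name": "NGenTask.exe", "loaded": r"C:\Users\u\AppData\Roaming\OneDrive\mscorsvc.dll"},
    {"type": "image_load", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "orig_name": "NGenTask.exe", "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\u\AppData\Roaming\OneDrive\OneDrive.exe"},
    {"type": "network_connect", "image": r"C:\Users\u\AppData\Roaming\OneDrive\OneDrive.exe",
     "host": "placeholder-example.workers.dev", "port": 443},  # constructed hostname
    {"type": "network_connect", "image": r"C:\Program Files\App\app.exe",
     "host": "example.com", "port": 443},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The allowlist check is deliberately coarse; in practice it should be tuned to where legitimate per-user software (including real OneDrive installs) lives in your environment.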
Regular security awareness training remains a critical component of an effective defense strategy, as both observed attack paths rely on a conscious action from the victim – either clicking a deceptive button or enabling macros. The ongoing nature of this campaign and the sophistication of the tools employed suggest that SloppyLemming will likely continue to evolve its tactics, techniques, and procedures (TTPs) in pursuit of its espionage objectives. Organizations in the targeted regions should remain vigilant and proactively update their security postures.