Tuesday , July 14 2026
SloppyLemming

BurrowShell Backdoor Found
India linked “SloppyLemming” target Bangladesh & Pakistan Critical Systems

An India-nexus threat actor operated an extensive cyber espionage campaign deploying BurrowShell and Rust-Based RAT, targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. Arctic Wolf has been tacking the campaign conducted by “SloppyLemming” over the last 12 month.

Source: Arctic Wolf

Arctic Wolf said, the campaign impersonated Pakistani and Bangladeshi government agencies and organizations such as Dhaka Electric Supply Company, Power Grid Company of Bangladesh, Bangladesh Bank, Pakistan Nuclear Regulatory Authority and so on.

Meta’s louisiana data center to exceed 250 billion price tag

Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
Meta’s louisiana data center to exceed 250 billion price tag

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

From January 2025 to January 2026, Arctic Wolf monitored a significant cyber espionage campaign believed to be carried out by SloppyLemming (also known as Outrider Tiger and Fishing Elephant), a group linked to India, targeting government and critical infrastructure in Pakistan and Bangladesh.

The campaign used two separate attack strategies. The first involved sending PDF documents that led victims to ClickOnce application manifests, which installed a DLL sideloading package containing a legitimate Microsoft .NET runtime (NGenTask.exe) and a harmful loader (mscorsvc.dll). This loader then decrypted and executed a custom x64 implant called BurrowShell, identified by Arctic Wolf.

BurrowShell is a comprehensive backdoor that allows attackers to manipulate files, capture screenshots, execute remote shells, and create SOCKS proxies for network tunneling. It disguises its command-and-control traffic as Windows Update communications and uses RC4 encryption with a 32-character key for security.

Figure 13: Execution chain diagram showing complete attack flow from PDF lure to C2 communication.

A secondary attack uses macro-enabled Excel files to deliver a Rust keylogger that can scan ports and enumerate networks. This marks a significant upgrade in SloppyLemming’s tools, which previously relied on traditional languages and simulation frameworks like Cobalt Strike, Havoc, and the bespoke NekroWire RAT.

Arctic Wolf reported that 112 Cloudflare Workers domains were registered from January 2025 to January 2026, up from 13 documented in September 2024. Three of these domains had open directory misconfigurations that exposed malware, including Havoc framework loaders with unique RC4 encryption keys. The highest number of registrations happened in July 2025, with 42 new domains, indicating increased activity.

Arctic Wolf believes with moderate confidence that this activity is linked to SloppyLemming. This is based on the use of Cloudflare Workers for government-related typo-squatting, deployment of the Havoc C2 framework associated with this actor, DLL sideloading techniques that match known methods, and a focus on South Asian government and infrastructure targets.

The campaign targeted Pakistani nuclear regulators, defense logistics, and telecommunications, as well as Bangladeshi energy and financial sectors, reflecting intelligence priorities in South Asia. For technical details click here.

AI-Powered “iCyberHunt” explores Bangladeshi market

Check Also

Bajaj Auto

Bajaj Auto System Hit by a Ransomware Attack

Bajaj Auto said on Tuesday that a ransomware attack impacted its systems and its subsidiary, …