An India-nexus threat actor ran an extensive cyber espionage campaign deploying BurrowShell and a Rust-based RAT, targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. Arctic Wolf has been tracking the campaign, conducted by “SloppyLemming”, over the last 12 months.

Arctic Wolf said the campaign impersonated Pakistani and Bangladeshi government agencies and organizations such as Dhaka Electric Supply Company, Power Grid Company of Bangladesh, Bangladesh Bank and the Pakistan Nuclear Regulatory Authority, among others.
From January 2025 to January 2026, Arctic Wolf monitored a significant cyber espionage campaign believed to be carried out by SloppyLemming (also known as Outrider Tiger and Fishing Elephant), a group linked to India, targeting government and critical infrastructure in Pakistan and Bangladesh.

The campaign used two separate attack strategies. The first involved sending PDF documents that led victims to ClickOnce application manifests, which installed a DLL sideloading package containing a legitimate Microsoft .NET runtime binary (NGenTask.exe) and a malicious loader (mscorsvc.dll). This loader then decrypted and executed a custom x64 implant, which Arctic Wolf named BurrowShell.
BurrowShell is a full-featured backdoor that allows attackers to manipulate files, capture screenshots, execute remote shells, and create SOCKS proxies for network tunneling. It disguises its command-and-control traffic as Windows Update communications and encrypts that traffic with RC4 using a 32-character key.
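One way a defender could hunt for the NGenTask.exe / mscorsvc.dll sideloading pair described above, as an added example that is not code from Arctic Wolf or the report: it scans constructed Sysmon-style image-load lines and flags the pair whenever either file runs from outside the Microsoft .NET Framework directory, which is assumed here to be the only legitimate location for both binaries.

```python
import re

# Assumption: the only legitimate home of NGenTask.exe and mscorsvc.dll is under
# C:\Windows\Microsoft.NET\. Any other location is treated as a sideloading candidate.
TRUSTED_DOTNET_ROOT = r"c:\windows\microsoft.net\\"[:-1]  # lower-case, trailing backslash

# Constructed sample events in a Sysmon-like "Image=... ImageLoaded=..." shape.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe "
    r"ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll",
    r"Image=C:\Users\victim\AppData\Local\Apps\2.0\ABCD\NGenTask.exe "
    r"ImageLoaded=C:\Users\victim\AppData\Local\Apps\2.0\ABCD\mscorsvc.dll",
    r"Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\ntdll.dll",
]

EVENT_RE = re.compile(r"Image=(?P<image>.+?) ImageLoaded=(?P<loaded>.+)$")


def is_sideload_candidate(image, loaded):
    """True when NGenTask.exe loads mscorsvc.dll and either path is outside the trusted root."""
    image_l, loaded_l = image.lower(), loaded.lower()
    if not image_l.endswith("\\ngentask.exe") or not loaded_l.endswith("\\mscorsvc.dll"):
        return False
    in_root = image_l.startswith(TRUSTED_DOTNET_ROOT) and loaded_l.startswith(TRUSTED_DOTNET_ROOT)
    return not in_root


def scan_events(lines):
    """Return (image, loaded_dll) tuples for every event that looks like the sideload pair."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m and is_sideload_candidate(m["image"], m["loaded"]):
            hits.append((m["image"], m["loaded"]))
    return hits


if __name__ == "__main__":
    for image, dll in scan_events(SAMPLE_EVENTS):
        print(f"sideload candidate: {image} -> {dll}")
```

A hit on a ClickOnce cache path, as in the second sample line, is the pattern worth triaging first; the in-place pair under the .NET directory is normal activity.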

The second attack chain uses macro-enabled Excel files to deliver a Rust keylogger that can also scan ports and enumerate networks. This marks a significant upgrade in SloppyLemming’s tooling, which previously relied on conventional languages and adversary simulation frameworks such as Cobalt Strike and Havoc, alongside the bespoke NekroWire RAT.
Arctic Wolf reported that 112 Cloudflare Workers domains were registered from January 2025 to January 2026, up from 13 documented in September 2024. Three of these domains had open directory misconfigurations that exposed malware, including Havoc framework loaders with unique RC4 encryption keys. The highest number of registrations happened in July 2025, with 42 new domains, indicating increased activity.
Arctic Wolf believes with moderate confidence that this activity is linked to SloppyLemming. This is based on the use of Cloudflare Workers for government-related typo-squatting, deployment of the Havoc C2 framework associated with this actor, DLL sideloading techniques that match known methods, and a focus on South Asian government and infrastructure targets.
The campaign targeted Pakistani nuclear regulators, defense logistics, and telecommunications, as well as Bangladeshi energy and financial sectors, reflecting intelligence priorities in South Asia.
InfoSecBulletin Cybersecurity for mankind
