

Ethical Hacking News

The Evolving Threat Landscape: SloppyLemming's Dual Malware Chain Attacks on Pakistan and Bangladesh



SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
The threat actor SloppyLemming has been linked to a series of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh, using two distinct malware chains that deliver the BurrowShell backdoor and a Rust-based keylogger. The campaign marks an evolution in the actor's tooling, with the adoption of Rust representing a shift away from the conventional compiled languages seen in its earlier malware.


  • SloppyLemming has been attributed to a series of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh.
  • The attacks used two distinct attack chains, delivering malware families tracked as BurrowShell and a Rust-based keylogger.
  • The use of the Rust programming language represents an evolution in SloppyLemming's approach, suggesting adaptability to new technologies.
  • Attacks involved spear-phishing emails, PDF lures, macro-enabled Excel documents, and DLL side-loading for malware deployment.
  • SloppyLemming maintains flexibility with dual payloads for varied target requirements.
  • An increase in Cloudflare Workers domains suggests continued abuse of that infrastructure.
  • Targeting aligns with regional strategic competition in South Asia, suggesting espionage and critical infrastructure disruption capabilities.


In a recent development that highlights the evolving threat landscape, the threat actor known as SloppyLemming has been attributed to a series of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. According to Arctic Wolf, the cybersecurity company that analyzed the activity, the attacks took place between January 2025 and January 2026 and involved two distinct attack chains delivering malware families tracked as BurrowShell and a Rust-based keylogger.

The use of Rust in SloppyLemming's tooling represents a notable evolution in the threat actor's approach. Prior reporting had documented the actor using only conventional compiled languages, borrowed adversary simulation frameworks such as Cobalt Strike and Havoc, and the custom NekroWire RAT. The deployment of Rust-based malware suggests that SloppyLemming is adapting to new technologies and techniques, making it a more formidable threat.

The attacks themselves relied on spear-phishing emails to deliver PDF lures and macro-enabled Excel documents, which in turn dropped a legitimate Microsoft .NET runtime executable ("NGenTask.exe") alongside a malicious loader ("mscorsvc.dll"). Because the legitimate executable loads a DLL of that name, the loader was launched through DLL side-loading and went on to decrypt and execute a custom x64 shellcode implant codenamed BurrowShell. This backdoor gave the threat actor file system manipulation, screenshot capture, remote shell execution, and SOCKS proxy capabilities for network tunneling.
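The side-loading pairing above (a signed NGenTask.exe dropped next to an attacker-controlled mscorsvc.dll) is something defenders can hunt for in image-load telemetry. The following is an added example, not Arctic Wolf's or the site's code: it assumes Sysmon Event ID 7-style field names (Image, ImageLoaded, Signed) and an assumed baseline of directories where the genuine .NET runtime keeps both files, and flags loads where either file sits outside that baseline or the DLL is unsigned.

```python
import json
import ntpath

# Where a genuine .NET runtime keeps NGenTask.exe and mscorsvc.dll (assumed
# baseline for this example; extend for other installed framework versions).
TRUSTED_DOTNET_DIRS = (
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
    r"c:\windows\microsoft.net\framework\v4.0.30319",
)

def _dir_of(path):
    """Directory part of a Windows path, lower-cased for comparison."""
    return ntpath.dirname(path).lower().rstrip("\\")

def classify(event):
    """Reasons an image-load event looks like NGenTask.exe side-loading.
    `event` mimics a Sysmon Event ID 7 record (assumed field names): Image is
    the host process, ImageLoaded the DLL path, Signed is "true"/"false".
    An empty list means the load matches the real .NET runtime layout."""
    exe, dll = event.get("Image", ""), event.get("ImageLoaded", "")
    if ntpath.basename(exe).lower() != "ngentask.exe":
        return []
    if ntpath.basename(dll).lower() != "mscorsvc.dll":
        return []
    reasons = []
    if _dir_of(exe) not in TRUSTED_DOTNET_DIRS:
        reasons.append("NGenTask.exe running outside the .NET framework directory")
    if _dir_of(dll) not in TRUSTED_DOTNET_DIRS:
        reasons.append("mscorsvc.dll loaded from a non-framework directory")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("loaded mscorsvc.dll carries no valid signature")
    return reasons

def scan(lines):
    """Parse JSON-per-line telemetry; return [(event, reasons)] for suspicious loads."""
    hits = []
    for line in filter(None, (l.strip() for l in lines)):
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event, reasons))
    return hits

# Constructed sample telemetry (not real victim data): a benign runtime load,
# then the same file pair relocated to a user-writable folder with an unsigned DLL.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\NGenTask.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvc.dll", "Signed": "true"}
{"Image": "C:\\Users\\Public\\Documents\\NGenTask.exe", "ImageLoaded": "C:\\Users\\Public\\Documents\\mscorsvc.dll", "Signed": "false"}
"""
```

Running `scan(SAMPLE_LOG.splitlines())` returns only the second event, with all three reasons attached; the benign load from the framework directory produces no hit.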

The second attack chain employed Excel documents containing malicious macros to drop the keylogger, which also carries port scanning and network enumeration functionality. Maintaining these two payloads suggests that SloppyLemming retains the flexibility to deploy whichever tool suits a target's value and the operation's requirements.

Further investigation by Arctic Wolf uncovered 112 Cloudflare Workers domains registered during the one-year period, an eight-fold jump from the 13 domains flagged by Cloudflare in September 2024. This growth in infrastructure, together with government-themed typo-squatting patterns, deployment of the Havoc C2 framework, and consistent victimology, is in keeping with SloppyLemming's continued abuse of Cloudflare Workers.

The targeting of Pakistani nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure, alongside Bangladeshi energy utilities and financial institutions, aligns with regional strategic competition in South Asia. The deployment of dual payloads (the in-memory BurrowShell shellcode for C2 and SOCKS proxy operations, and a Rust-based keylogger for information stealing) suggests that SloppyLemming is positioned both to conduct espionage and to disrupt critical infrastructure.

In conclusion, the latest campaign attributed to SloppyLemming highlights the evolving threat landscape and the increasing sophistication of threat actors. As governments and organizations continue to grapple with the challenges posed by this threat actor, it is essential to stay vigilant and take proactive measures to protect against these types of attacks.


Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Evolving-Threat-Landscape-SloppyLemmings-Dual-Malware-Chain-Attacks-on-Pakistan-and-Bangladesh-ehn.shtml
  • https://thehackernews.com/2026/03/sloppylemming-targets-pakistan-and.html
  • https://cyberwebspider.com/the-hacker-news/sloppylemming-malware-targets-south-asia/


  • Published: Tue Mar 3 03:47:14 2026 by llama3.2 3B Q4_K_M
