
SloppyLemming’s Dual Malware Campaign Targets South Asia – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have detailed a year-long cyber espionage campaign attributed to the India-nexus threat actor SloppyLemming, also tracked as Outrider Tiger and Fishing Elephant. Active between January 2025 and January 2026, the campaign targeted high-value government and critical infrastructure entities in Pakistan and Bangladesh, demonstrating a notable expansion in operational maturity, infrastructure scale, and custom tooling.

The group, active since at least 2022, has historically targeted government, law enforcement, energy, telecommunications, and technology sectors across South Asia. Previous activity leveraged frameworks such as Cobalt Strike and Havoc. In this latest campaign, investigators identified 112 domains abusing Cloudflare Workers infrastructure, an eight-fold increase compared to prior observations, indicating a deliberate effort to blend malicious traffic with legitimate cloud services.

The attackers used two primary infection chains. The first relied on spear-phishing emails delivering PDF lures that redirected victims to ClickOnce application manifests. This method deployed a legitimate Microsoft .NET binary (“NGenTask.exe”) alongside a malicious loader (“mscorsvc.dll”) through DLL side-loading to decrypt and execute a custom x64 shellcode implant named BurrowShell. The second chain used macro-enabled Excel documents to deploy a Rust-based keylogger, reflecting an evolution in tooling and language adoption.
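The side-loading pairing above (the legitimate NGenTask.exe hosting a malicious mscorsvc.dll) has a simple detection angle: on a stock Windows image both binaries live under the .NET Framework directory, so either one being loaded from anywhere else is worth an alert. The following is an added example written for this advisory, not tooling from Rewterz or the referenced research. It runs over constructed Sysmon-style image-load lines (EventID 7 with Image and ImageLoaded fields) and assumes the standard C:\Windows\Microsoft.NET\Framework and Framework64 install paths; the ClickOnce cache path in the sample is constructed to illustrate the delivery method described, not taken from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: standard install locations of the .NET Framework binaries.
# Adjust for non-default Windows images.
TRUSTED_DOTNET_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)

# Image names from the advisory's infection chain.
HOST_BINARY = "ngentask.exe"
SIDELOADED_DLL = "mscorsvc.dll"

# Constructed Sysmon-like image-load events (not real telemetry).
SAMPLE_IMAGE_LOADS = [
    # 1: normal NGEN activity, both binaries in the framework directory
    r'EventID=7 Image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe" ImageLoaded="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"',
    # 2: both files relocated to a user-writable ClickOnce-style cache path (constructed)
    r'EventID=7 Image="C:\Users\alice\AppData\Local\Apps\2.0\A1B2C3\ngentask.exe" ImageLoaded="C:\Users\alice\AppData\Local\Apps\2.0\A1B2C3\mscorsvc.dll"',
    # 3: unrelated, benign load
    r'EventID=7 Image="C:\Windows\System32\svchost.exe" ImageLoaded="C:\Windows\System32\ntdll.dll"',
    # 4: genuine framework binary pulling mscorsvc.dll from a download folder
    r'EventID=7 Image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe" ImageLoaded="C:\Users\alice\Downloads\mscorsvc.dll"',
]

_EVENT_RE = re.compile(r'(?<![A-Za-z])Image="([^"]+)"\s+ImageLoaded="([^"]+)"')


@dataclass
class ImageLoad:
    process_image: str  # full path of the process that loaded the module
    loaded_image: str   # full path of the DLL that was loaded


def parse_event(line: str) -> Optional[ImageLoad]:
    """Extract the process and module paths from one image-load line."""
    m = _EVENT_RE.search(line)
    return ImageLoad(m.group(1), m.group(2)) if m else None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DOTNET_DIRS)


def classify(event: ImageLoad) -> Optional[str]:
    """Return an alert label for a NGenTask.exe/mscorsvc.dll load, or None if benign."""
    if _basename(event.process_image) != HOST_BINARY:
        return None
    if _basename(event.loaded_image) != SIDELOADED_DLL:
        return None
    proc_trusted = _under_trusted_dir(event.process_image)
    dll_trusted = _under_trusted_dir(event.loaded_image)
    if proc_trusted and dll_trusted:
        return None  # ordinary NGEN activity
    if not proc_trusted:
        # The host binary itself was copied out of the framework directory,
        # the pattern the advisory describes for the ClickOnce delivery.
        return "relocated_ngentask_sideload"
    # Framework-resident NGenTask.exe resolving mscorsvc.dll from elsewhere.
    return "framework_ngentask_loads_foreign_mscorsvc"


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, alert label) for every suspicious load."""
    hits = []
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            hits.append((n, label))
    return hits


if __name__ == "__main__":
    for n, label in scan(SAMPLE_IMAGE_LOADS):
        print(f"line {n}: {label}")
```

The same path check translates directly into a SIEM or EDR rule: match the process name and module name, then exclude loads where both paths sit under the framework directories. Pairing it with a parent-process condition (the remediation list's "abnormal parent-child process relationships") narrows it further once the expected parents on your estate are known.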

BurrowShell functions as a full-featured backdoor, enabling filesystem manipulation, screenshot capture, remote shell execution, and SOCKS proxy-based tunneling. Its design incorporates dynamic API resolution, RC4 encryption, and command-and-control traffic masquerading as Windows Update communications to evade detection. The Rust-based keylogger further supports credential harvesting, port scanning, and network enumeration.

Notably, this activity builds upon earlier reporting. In 2024, Rewterz Threat Intelligence published a threat advisory, which documented similar abuse of Cloudflare infrastructure targeting Pakistani entities. The latest findings reinforce continuity in tradecraft and infrastructure patterns, linking current operations to previously observed campaigns and highlighting the persistent regional intelligence-collection focus of the threat actor.

Impact

  • Sensitive Information Theft
  • Cyber Espionage
  • Credential Theft
  • Data Exfiltration

Indicators of Compromise

Domain Name

  • webmail-pnra.gov-pk.workers.dev
  • www.gov-pk.workers.dev
  • info.sco-gov-pk.workers.dev
  • file-super-net-pk.workers.dev
  • ftp.desco-gov-bd.workers.dev
  • api.desco-gov-bd.workers.dev
  • support.paknavy-gov-pk-fd9.workers.dev
  • xen.pgcb-gov-bd.workers.dev
  • vrms.bangladeshbaank-gov-bd.workers.dev
  • cms.ndu-edu-gov.workers.dev
  • ntsoc.pta-gov-pk.workers.dev
  • uploads.ptcl-gov-pk.workers.dev
  • info.bangladesh-islamic-baank.workers.dev
  • pitb.gov-pkgov.workers.dev
  • sco.zapto.org
  • mofapak.info
  • confidential.zapto.org
  • humariweb.info
  • modp-pk.org
  • itsupport-gov.com
  • hit-pk.org
  • openkm.paknavy-pk.org
  • quran-books.store
  • mail.pakistangov.com
  • oil.hascolgov.info
  • hesco.hascolgov.info
  • locall.hascolgov.info

MD5

  • ac0623ac3349356060f8f37838ec332b
  • 753bb1b5d8b879f478babb21ed4d9696
  • 76195b41d2e0c8008c23e77363a7455a
  • f310ee836f88cc43d3939f8a88b20495
  • 9a95078a7a5f1045c61fe95ab308ec3f
  • 7bec405eafc16a6f65d9a0bf7d30cec2

SHA-256

  • 8faeea306a331d86ce1acb92c8028b4322efbd11a971379ba81a6b769ff5ac4b
  • 1946315d645d9a8c5114759b350ec4f85dba5f9ee4a63d74437d7a068bff7752
  • 81d1a62c00724c1dfbc05a79ac4ae921c459350a2a4a93366c0842fadc40b011
  • 4f1628821c13cc27fd4134301cc93a1ad32b2a3f7066c3d90f7ba89e02180754
  • 67c341e187ddfcd5a4a7df8743ae82e72db1e5c3747d5c4e185d99f54182f093
  • 3269829b50da5b3c4120a103ef72b09a8bbbf258ab3086ca24b2aa24dc00039b

SHA1

  • 8a3b2c21808d5936e5583bb9a8a0191dfbeccbf9
  • 87fbf997ab96dd4129e008119a3853de2127fbfb
  • d4141e449a59298d073cdad32d8120979541a610
  • c5171b00bfe40113f4e99cab21e71f955c397d7e
  • fd3b37622ed4187c869c8427391c4f265a9ae1be
  • 9b1e51e383d086d0ccc2a9366eae80cbcff0c2a5

Remediation

  • Block all identified threat indicators across firewalls, EDR, email gateways, web proxies, and other security controls.
  • Proactively search for published IOCs within the environment using SIEM, EDR, and threat hunting capabilities.
  • Deploy advanced email security filtering to detect and prevent spear-phishing attacks delivering malicious PDFs or macro-enabled documents.
  • Disable or strictly restrict Microsoft Office macros from untrusted sources to mitigate document-based infection chains.
  • Monitor and restrict ClickOnce application execution to prevent abuse in malware delivery.
  • Enable detection rules for DLL side-loading and abnormal parent-child process relationships.
  • Inspect outbound network traffic for suspicious connections leveraging cloud infrastructure such as Cloudflare Workers.
  • Enforce multi-factor authentication (MFA) to reduce the impact of credential theft.
  • Monitor for unauthorized SOCKS proxy usage and unusual network tunneling behavior.
  • Apply application allowlisting to prevent execution of unapproved loaders and implants.
  • Ensure operating systems, applications, and third-party software are regularly patched and updated.
  • Enable and maintain updated antivirus and anti-malware solutions with multi-layered endpoint protection.
  • Implement network segmentation to restrict lateral movement across critical infrastructure environments.
  • Conduct continuous monitoring of network traffic and endpoint telemetry to detect anomalies early.
  • Centralize logs within a SIEM platform to correlate multi-stage attack activity and generate timely alerts.
  • Develop, maintain, and regularly test an incident response plan for rapid containment and remediation.
  • Perform regular security awareness training to reduce phishing-related compromise risks.
  • Harden systems, networks, and application code, including secure development practices and vulnerability testing of deployed software.
  • Regularly back up critical data and store backups securely to ensure business continuity in case of compromise.