A suspected India-aligned threat group known as SloppyLemming has been conducting a sustained espionage campaign against government agencies, defense organizations, nuclear oversight bodies, and critical infrastructure operators in Pakistan and Bangladesh.<\/p>\n
Active since 2021 and also tracked as Outrider Tiger and Fishing Elephant, the group deployed two newly documented tools between January 2025 and January 2026: a custom backdoor called BurrowShell and a Rust-based remote access trojan equipped with keylogging capability.\u200b<\/p>\n
The campaign ran two separate attack paths, both launched through spear-phishing<\/a>. The first used PDF lure documents with a blurred page and a fake \u201cDownload file\u201d button. <\/p>\n Clicking it redirected victims to a ClickOnce application manifest that silently dropped a multi-stage malware chain onto their device. <\/p>\n The second path used macro-enabled Excel spreadsheets that, once opened, quietly downloaded and executed malicious payloads from attacker-controlled servers.\u200b<\/p>\n Arctic Wolf analysts identified both attack chains<\/a> as part of a single coordinated operation. Each relied on DLL search order hijacking to run malicious code through trusted Microsoft processes.<\/p>\n By placing rogue DLLs next to legitimate, signed Microsoft binaries, the attackers executed their tools inside processes that security software typically treats as safe.\u200b<\/p>\n The supporting infrastructure behind this campaign was considerable. Arctic Wolf researchers traced 112 unique Cloudflare Workers domains registered between January 2025 and January 2026 \u2014 an eight-fold increase from 13 domains documented in prior reporting.<\/p>\n Each domain was named to impersonate real government entities, including the Pakistan Nuclear Regulatory Authority, Pakistan Navy, Dhaka Electric Supply Company, and Bangladesh Bank. Domain registrations peaked in July 2025, with 42 new domains added in a single month.\u200b<\/p>\n Targeted sectors in Pakistan included nuclear oversight, defense logistics, telecommunications, and government administration. In Bangladesh, the group focused on energy utilities, financial institutions, and media organizations. <\/p>\n This pattern aligns with intelligence-collection priorities tied to regional competition in South Asia, and the year-long campaign with expanding infrastructure signals organized, long-term intent.\u200b<\/p>\n BurrowShell is an in-memory shellcode implant delivered through the ClickOnce attack chain. <\/p>\n The infection begins when a malicious loader,\u00a0 If the check fails, the malware shuts down immediately to prevent execution inside analysis sandboxes.<\/p>\n If the location check passes, the loader writes a registry entry under\u00a0 It then reads an RC4-encrypted file called\u00a0 Once active, BurrowShell connects to its command-and-control server over port 443 and disguises its traffic as Windows Update communications. <\/p>\n After registering the infected host with system details, it enters a continuous loop of heartbeat check-ins while waiting for commands. The implant supports fifteen commands \u2014 file operations, screenshot capture, shell execution, and SOCKS proxy tunneling. <\/p>\n The Rust-based keylogger, deployed through the Excel macro path, extends these capabilities with keystroke recording, port scanning, and network enumeration.\u200b<\/p>\n Organizations in government, defense, and critical infrastructure should take specific defensive steps. <\/p>\n Email security tools<\/a> should block PDF files with embedded URLs pointing to Cloudflare Workers subdomains, and macro execution in externally received Office documents should be disabled. <\/p>\n Network teams should monitor connections to\u00a0 Endpoint rules should flag\u00a0 Regular security awareness<\/a> training is critical, as both attack paths depend on a victim taking a deliberate action \u2014 clicking a button or enabling macros.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post SloppyLemming Espionage Campaign Uses BurrowShell Backdoor and Rust RAT to Hit Pakistan and Bangladesh Targets<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"PDF](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjkbYFTVq8YBxH5SEr3y_GlkwmZvmSKQVteAw1tYqJaoDtFTmgJpKiNHEclm4C9hsEFNMn2XYLKrtSPx3LNfY-zTFv7mKp8fgVbOWEn80mt5MNc-3M9vlUu9vECre2mIqxwo73CqcnZI7RxF2D7S0KU2mjvdnO3_C0GUNGhcinpOhyIW2XTwU7e67e04wk\/s16000\/PDF%2520lure%2520displaying%2520blurred%2520document%2520with%2520social%2520engineering%2520message%2520%27PDF%2520reader%2520is%2520disabled%27%2520%28Source%2520-%2520Arctic%2520Wolf%29.webp?ssl=1\")
Inside the BurrowShell Infection Chain<\/strong><\/h2>\n
mscorsvc.dll<\/code>, is pulled in by a renamed Microsoft .NET binary \u2014\u00a0NGenTask.exe<\/code>, delivered as\u00a0OneDrive.exe<\/code>\u00a0\u2014 placed in the same folder. Before executing any payload, the loader checks whether the parent process is running from an approved directory. <\/p>\n![\"Execution](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhArdK9UHkA8gIdHp-ya9dBiseYfqzg5PNVC5iZQ_HELSLma0S4meoUMZi_TtY3W5dhsk7TfpkIJq1vZzhZzT7GgzX6oIurGiV5TMt05zHGUCiQNzwKGFTRqpQLtZD02-2R8nND8ObXQENGVLkm1csAdD3WGBiEPFVDa_L5dzUN-zj6JhW5UUy7NjDTCsE\/s16000\/Execution%2520chain%2520%28Source%2520-%2520Arctic%2520Wolf%29.webp?ssl=1\")
SoftwareMicrosoftWindowsCurrentVersionRun<\/code>\u00a0so that\u00a0OneDrive.exe<\/code>\u00a0launches on every reboot, keeping the infection persistent. <\/p>\nsystem32.dll<\/code>\u00a0and decrypts it using a hardcoded 32-character key, releasing BurrowShell into memory. Because the shellcode never lands on disk as a standalone file, file-scanning tools are far less likely to detect it.\u200b<\/p>\n*.workers.dev<\/code>\u00a0domains and enable SSL\/TLS inspection for encrypted traffic to suspicious destinations. <\/p>\nNGenTask.exe<\/code>\u00a0or\u00a0phoneactivate.exe<\/code>\u00a0loading DLLs from non-standard paths and alert on unexpected\u00a0CurrentVersionRun<\/code>\u00a0registry entries. <\/p>\n