Alleged India-linked espionage campaign targeted Pakistan, Bangladesh, Sri Lanka

An espionage campaign running from January 2025 targeted government agencies and critical infrastructure in Pakistan, Bangladesh and Sri Lanka, using socially engineered emails and 112 Cloudflare domains to stage malicious documents. Arctic Wolf attributed the year-long operation to an India-nexus actor dubbed SloppyLemming, which deployed the BurrowShell backdoor and Excel-based keyloggers to capture screenshots, harvest credentials and perform reconnaissance against entities such as the Pakistan Nuclear Regulatory Authority and major telecom and energy providers. #SloppyLemming #BurrowShell

Key points

  • Arctic Wolf links a year-long espionage campaign to an India-nexus threat actor named SloppyLemming.
  • Attackers delivered BurrowShell via malicious PDFs and used Excel-based implants with keylogging and reconnaissance features.
  • The campaign abused 112 Cloudflare domains using Pakistani and Bangladeshi government-themed names to lure victims.
  • Targets included the Pakistan Nuclear Regulatory Authority, Pakistan Navy, DESCON, Power Grid Company of Bangladesh, telecoms and financial institutions.
  • Researchers observed moderate technical skill but operational security lapses, such as exposed open directories and inconsistent tradecraft.

Read More: https://therecord.media/india-pakistan-cyber-campaign-apt