Arctic Wolf attributes to SloppyLemming a year-long campaign (Jan 2025–Jan 2026) against government and critical infrastructure in Pakistan and Bangladesh that used two attack chains to deploy BurrowShell and a Rust-based keylogger. The intrusions relied on spear-phishing with PDF and macro-enabled Excel lures, ClickOnce manifests, and DLL side-loading of NGenTask.exe/mscorsvc.dll, with C2 traffic disguised as Windows Update. #SloppyLemming #BurrowShell
Keypoints
- SloppyLemming targeted government, energy, telecommunications, and financial entities in Pakistan and Bangladesh between Jan 2025 and Jan 2026.
- Two distinct attack chains delivered an in-memory backdoor called BurrowShell and a Rust-based keylogger for information theft.
- Spear-phishing used PDF decoys and macro-enabled Excel documents to lead victims to ClickOnce manifests and execute malicious loaders via DLL side-loading.
- BurrowShell offers file-system access, screenshots, remote shells, and SOCKS proxying while masquerading C2 as Windows Update and using RC4 encryption.
- The actor abused over 112 Cloudflare Workers domains and reused Havoc C2, DLL side-loading, and typo-squatted government-themed infrastructure consistent with prior campaigns.
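The DLL side-loading pair named above (NGenTask.exe loading mscorsvc.dll) is detectable because both files have a fixed legitimate home in the .NET Framework install tree. The following is an added defender-side example, not code from Arctic Wolf or from the report; it runs a path-based check over constructed Sysmon Event ID 7 (ImageLoad) style records. The expected directory pattern assumes a default Windows system root, and the sample events are invented for illustration.

```python
"""Flag NGenTask.exe / mscorsvc.dll image loads outside the .NET Framework
install directories, the pattern behind the DLL side-loading named in the
summary above. Records are constructed to resemble Sysmon Event ID 7
(ImageLoad) fields; they are not telemetry from the campaign."""
import re
from typing import Iterable, List, Optional, Tuple

# Legitimate home of NGenTask.exe and mscorsvc.dll on a default install
# (assumption: system root is <drive>:\Windows; adjust for custom roots).
LEGIT_DOTNET_DIR = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_dotnet_dir(path: str) -> bool:
    """True if the path sits directly under a .NET Framework version dir."""
    return LEGIT_DOTNET_DIR.match(path.replace("/", "\\")) is not None


def classify_image_load(event: dict) -> Optional[str]:
    """Return a reason string if the event looks like NGenTask/mscorsvc
    side-loading, otherwise None.

    Two conditions are checked:
      1. NGenTask.exe executing from outside the .NET Framework tree
         (a copied host binary placed next to a planted DLL).
      2. A DLL named mscorsvc.dll loaded from outside that tree, whatever
         the host's own location (search-order hijack variant).
    """
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if _basename(image) == "ngentask.exe" and not _in_dotnet_dir(image):
        return f"NGenTask.exe running from non-standard path: {image}"
    if _basename(loaded) == "mscorsvc.dll" and not _in_dotnet_dir(loaded):
        return (f"mscorsvc.dll loaded from non-standard path: {loaded} "
                f"(host: {image})")
    return None


def find_sideload_candidates(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Run the classifier over a stream of events; return (index, reason)."""
    hits = []
    for idx, ev in enumerate(events):
        reason = classify_image_load(ev)
        if reason:
            hits.append((idx, reason))
    return hits


# Constructed sample events (Sysmon ID 7 style fields), not from the report.
SAMPLE_EVENTS = [
    # 0: benign, both files in the expected Framework64 directory
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    # 1: host binary copied to a user-writable folder beside a planted DLL
    {"Image": r"C:\Users\user\AppData\Local\Temp\WinUpdate\NGenTask.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\WinUpdate\mscorsvc.dll"},
    # 2: unrelated process, should not match
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    # 3: legitimate host, but the DLL resolves from elsewhere
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\ProgramData\cache\mscorsvc.dll"},
]

if __name__ == "__main__":
    for idx, reason in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The second condition matters in practice: a host executable in its proper directory can still pick up a planted DLL if the loader's search order resolves it elsewhere, so checking only the process path misses that variant. Signature status of the loaded DLL (Sysmon's `Signed`/`Signature` fields) is a useful second signal when available, since the legitimate mscorsvc.dll is Microsoft-signed.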
Read More: https://thehackernews.com/2026/03/sloppylemming-targets-pakistan-and.html