Arctic Wolf documents a year-long, highly targeted espionage campaign by the India-nexus threat actor Sloppy Lemming against government and critical infrastructure in Pakistan and Bangladesh, revealing a significant expansion in the group’s capabilities and operational reach. The report highlights deployment of a custom x64 implant, BurrowShell, sophisticated delivery chains, and resilient infrastructure designed for persistence and evasion. #SloppyLemming #BurrowShell
Key points
- Arctic Wolf attributes a year-long espionage campaign to Sloppy Lemming targeting high-value government and critical infrastructure in Pakistan and Bangladesh.
- The operation used 112 unique domains and custom tooling, showing a marked expansion in the group's capability and investment.
- Attackers delivered payloads via a PDF→ClickOnce→DLL sideload chain and a macro-enabled Excel chain that deployed a Rust-based keylogger.
- The BurrowShell x64 implant enables filesystem control, remote shell execution, screenshot capture, SOCKS proxying, and is engineered for evasion and persistence.
- Infrastructure resilience came from Cloudflare Workers and from traffic masquerading as Windows Update, which is why the report calls for urgent defensive measures in the nuclear, defense, energy, and telecom sectors.
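Two of the behaviours listed above (the PDF→ClickOnce→DLL sideload chain and traffic masquerading as Windows Update) are hunt-able from ordinary endpoint and proxy telemetry. The script below is an added example written for this page, not code from Arctic Wolf or from the report: it runs three heuristics over constructed sample events. The event formats, field names, the PDF reader list and the sample hostnames are assumptions; the only facts relied on are that ClickOnce deployments are launched through the .NET `dfsvc.exe` host and install under `%LOCALAPPDATA%\Apps\2.0\`, that genuine Windows Update clients identify themselves with `Windows-Update-Agent` / `Microsoft-Delivery-Optimization` user agents, and that their legitimate endpoints live under Microsoft-owned update domains.

```python
"""Hunting heuristics for a PDF->ClickOnce->DLL-sideload chain and for
fake Windows Update traffic. Sample telemetry below is constructed for
this example; none of it is an indicator from the Arctic Wolf report."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # process creation (assumed schema, e.g. Sysmon EID 1)
    host: str
    parent_image: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class LoadEvent:          # image load (assumed schema, e.g. Sysmon EID 7)
    host: str
    image: str            # executable that performed the load
    loaded: str           # DLL that was loaded
    signed: bool          # whether the loaded DLL carries a valid signature


# Assumed list of PDF reader process names worth treating as a parent.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
CLICKONCE_HOST = "dfsvc.exe"   # .NET ClickOnce deployment service host
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Genuine Windows Update / Delivery Optimization user-agent prefixes and the
# Microsoft domains they legitimately talk to (maintain this allowlist).
UPDATE_AGENTS = ("windows-update-agent", "microsoft-delivery-optimization")
MS_UPDATE_SUFFIXES = (".windowsupdate.com", ".update.microsoft.com",
                      ".delivery.mp.microsoft.com", ".windowsupdate.microsoft.com")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower() + "\\"


def find_pdf_clickonce_launches(events):
    """First two hops of the chain: a PDF reader spawning the ClickOnce host."""
    return [e for e in events
            if basename(e.parent_image) in PDF_READERS
            and basename(e.image) == CLICKONCE_HOST]


def find_sideload_candidates(loads):
    """Third hop: an executable loading an unsigned DLL from its own directory,
    where that directory is outside the normal install locations. A DLL signed
    with a stolen certificate would evade the 'unsigned' test, so treat this as
    a triage filter, not a verdict."""
    return [l for l in loads
            if not l.signed and l.loaded.lower().endswith(".dll")
            and dirname(l.loaded) == dirname(l.image)
            and not dirname(l.image).startswith(SYSTEM_DIRS)]


def parse_proxy_line(line: str) -> dict:
    """Constructed proxy log format: '<ts> <src_ip> <host> <user-agent...>'."""
    ts, src, host, ua = line.split(" ", 3)
    return {"ts": ts, "src": src, "host": host.lower(), "ua": ua}


def is_microsoft_update_host(host: str) -> bool:
    return any(host == s[1:] or host.endswith(s) for s in MS_UPDATE_SUFFIXES)


def find_fake_windows_update(lines):
    """Windows Update user agent talking to a host that is not Microsoft's."""
    hits = []
    for rec in map(parse_proxy_line, lines):
        if (rec["ua"].lower().startswith(UPDATE_AGENTS)
                and not is_microsoft_update_host(rec["host"])):
            hits.append(rec)
    return hits


# Constructed sample telemetry: one true positive per heuristic plus benign noise.
SAMPLE_PROCS = [
    ProcEvent("ws01", r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe", "dfsvc.exe"),
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_LOADS = [
    LoadEvent("ws01", r"C:\Users\u\AppData\Local\Apps\2.0\abcd\viewer.exe",
              r"C:\Users\u\AppData\Local\Apps\2.0\abcd\version.dll", False),
    LoadEvent("ws01", r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\version.dll", True),
]
SAMPLE_PROXY = [
    "2024-01-01T10:00:00Z 10.0.0.5 example-updates.workers.dev "
    "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0",
    "2024-01-01T10:00:05Z 10.0.0.5 fe3.delivery.mp.microsoft.com "
    "Microsoft-Delivery-Optimization/10.0",
    "2024-01-01T10:00:07Z 10.0.0.6 www.example.org Mozilla/5.0",
]

if __name__ == "__main__":
    for e in find_pdf_clickonce_launches(SAMPLE_PROCS):
        print("PDF reader launched ClickOnce host:", e.host, e.parent_image)
    for l in find_sideload_candidates(SAMPLE_LOADS):
        print("possible DLL sideload:", l.host, l.image, "->", l.loaded)
    for r in find_fake_windows_update(SAMPLE_PROXY):
        print("fake Windows Update traffic:", r["src"], "->", r["host"])
```

The third heuristic depends entirely on the allowlist of Microsoft update domains being complete for your environment (WSUS or other internal update servers must be added), and it only catches an implant that bothers to copy the real user agent; pair it with a destination check for newly-seen `workers.dev` or other serverless hosts, since the page notes the group's infrastructure leaned on Cloudflare Workers.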