The SloppyLemming threat actor, linked to India, executed a sophisticated cyber espionage campaign from January 2025 to January 2026 targeting Pakistan and Bangladesh. The attackers employed social engineering via PDF documents with ClickOnce execution chains and macro-enabled Excel files to gain initial access. Upon execution, they deployed BurrowShell, a custom 64-bit shellcode implant designed for stealth and persistence, alongside a Rust-based Remote Access Trojan (RAT) functioning as a keylogger. The campaign heavily abused Cloudflare Workers, a serverless platform, to host command and control infrastructure and deliver payloads, complicating detection and takedown efforts. Over 112 domains were registered, mimicking government entities to increase lure credibility. The campaign targeted critical sectors such as nuclear facilities, defense organizations, telecommunications providers, energy companies, and financial institutions, aligning with regional strategic competition. Techniques observed include DLL sideloading for code execution, credential dumping, use of living-off-the-land binaries, and evasion tactics to avoid detection. Despite the advanced tooling and infrastructure, exploitation required user interaction through opening malicious documents. No public exploits or patches are associated with this campaign, indicating a custom, targeted operation rather than widespread automated exploitation.

This campaign poses a significant threat to the confidentiality and integrity of sensitive government and critical infrastructure data in Pakistan and Bangladesh. Successful compromise could lead to theft of classified information, disruption of critical services, and undermining of national security. The use of advanced malware and stealthy C2 infrastructure increases the difficulty of detection and response, potentially allowing prolonged espionage activity. The targeting of nuclear, defense, and telecommunications sectors could have cascading effects on regional stability and security. Financial sector intrusions may result in economic espionage or fraud. Organizations affected may face operational disruptions, reputational damage, and increased costs for incident response and remediation. The geopolitical context suggests potential escalation of cyber conflicts in South Asia, with broader implications for regional cybersecurity postures.

Organizations in the targeted sectors should implement strict email and document handling policies, including disabling macros by default and blocking ClickOnce execution where possible. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying shellcode injection and unusual Rust-based process behaviors. Monitor and restrict the use of Cloudflare Workers and other serverless platforms for C2 traffic, employing network anomaly detection and DNS filtering to block suspicious domains, especially those impersonating government entities. Conduct regular threat hunting focused on DLL sideloading and living-off-the-land binaries. Enhance user awareness training to recognize spear-phishing attempts involving PDFs and Excel files. Employ multi-factor authentication and credential hygiene to limit credential dumping impact. Maintain up-to-date threat intelligence feeds to detect indicators of compromise related to SloppyLemming. Incident response teams should prepare for stealthy, persistent intrusions and establish rapid containment protocols. Collaboration with regional CERTs and international partners is advised to share intelligence and coordinate defenses.