Under the Radar: How the SloppyLemming Syndicate Infiltrated South Asia’s Nuclear and Energy Sectors
Over the past year, South Asia has seen a marked increase in cyberespionage campaigns against government bodies and critical infrastructure operators. Researchers at Arctic Wolf have documented one such campaign and attribute it with moderate confidence to the threat group SloppyLemming, also tracked as Outrider Tiger and Fishing Elephant. The operation targeted institutions in Pakistan and Bangladesh. According to the analysts, the activity ran from at least January 2025 through January 2026, with the group steadily expanding both its infrastructure and its toolset.
The attackers ran two distinct infection chains during the campaign. The first began with phishing emails carrying a decoy PDF. The document lured the recipient into following a link that led to a ClickOnce manifest, which in turn downloaded a set of files prepared for DLL sideloading: a legitimate Microsoft .NET Framework executable (NGenTask.exe) renamed to OneDrive.exe, alongside a malicious mscorsvc.dll. The loader decrypted an obfuscated data block with an RC4 key and executed the resulting x64 BurrowShell implant directly in memory.
BurrowShell is a full-featured backdoor. It lets the operator manipulate files, capture the screen, execute arbitrary commands, and tunnel network traffic through a SOCKS proxy. Command-and-control traffic was disguised to resemble Windows Update service requests, and the payload itself was protected with symmetric encryption.
The second chain relied on macro-enabled Excel spreadsheets. When the macro ran, it downloaded its components into the ProgramData directory and then launched a legitimate phoneactivate.exe binary, renamed audiodg.exe, which sideloaded the malicious DLL placed next to it. The final payload was a Remote Access Trojan (RAT) written in Rust with a built-in keylogger. Beyond capturing keystrokes, the module performed network reconnaissance, including port scanning and host discovery, and let the operator manipulate files and spawn processes.
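Both chains share the same sideloading pattern: a signed Microsoft binary is copied under a different name into a user-writable directory and loads an attacker-supplied DLL from beside itself. The following is an added example, not code from the Arctic Wolf report, showing how a defender can surface that pattern from process-creation telemetry. The event records are constructed, Sysmon-style dictionaries, and the field names (image, original_file_name, parent_image, loaded_dll), the suspicious-directory list and the placeholder DLL name are assumptions for illustration.

```python
"""Added example (not from the Arctic Wolf report): flag process-creation
events that match the renamed-binary DLL sideloading pattern seen in both
infection chains.

The event records below are constructed, Sysmon-style dictionaries; the field
names (image, original_file_name, parent_image, loaded_dll) are assumptions
for illustration and not a real log schema."""

import ntpath  # handles backslash paths regardless of the analyst's OS

# Renamed-binary pairs reported in the campaign: the on-disk name the attackers
# used -> the name embedded in the binary's PE version resource.
KNOWN_MASQUERADES = {
    "onedrive.exe": "ngentask.exe",
    "audiodg.exe": "phoneactivate.exe",
}

# Assumed: path fragments a genuine copy of these binaries would not run from.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")

# Parents that indicate a macro-driven launch (second chain).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def analyse_event(event: dict) -> list[str]:
    """Return the reasons this event looks like DLL sideloading (empty if none)."""
    reasons = []
    image = event["image"].lower()
    base = ntpath.basename(image)
    orig = event.get("original_file_name", "").lower()
    parent = ntpath.basename(event.get("parent_image", "").lower())
    dll = event.get("loaded_dll", "").lower()

    # 1. On-disk name does not match the OriginalFileName in the version resource.
    if orig and orig != base:
        reasons.append(f"name mismatch: {base} has OriginalFileName {orig}")
        if KNOWN_MASQUERADES.get(base) == orig:
            reasons.append("matches a renamed-binary pair from the campaign")

    # 2. A system binary executing from a user-writable location.
    if any(d in image for d in SUSPICIOUS_DIRS):
        reasons.append(f"executing from user-writable path: {ntpath.dirname(image)}")

    # 3. Spawned by an Office application, as in the macro chain.
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")

    # 4. A DLL loaded from the executable's own directory rather than System32.
    if dll and ntpath.dirname(dll) == ntpath.dirname(image) and "system32" not in dll:
        reasons.append(f"sideloaded DLL from executable directory: {ntpath.basename(dll)}")

    return reasons


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map each event id to its list of findings."""
    return {e["id"]: analyse_event(e) for e in events}


# Constructed sample events (not real telemetry).
EVENTS = [
    {  # benign: OneDrive running from its usual per-user install directory
        "id": 1,
        "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "original_file_name": "OneDrive.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "loaded_dll": r"C:\Windows\System32\kernel32.dll",
    },
    {  # first chain: NGenTask.exe renamed to OneDrive.exe beside mscorsvc.dll
        "id": 2,
        "image": r"C:\ProgramData\OneDrive\OneDrive.exe",
        "original_file_name": "NGenTask.exe",
        "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
        "loaded_dll": r"C:\ProgramData\OneDrive\mscorsvc.dll",
    },
    {  # second chain: phoneactivate.exe renamed to audiodg.exe, launched by Excel
        "id": 3,
        "image": r"C:\ProgramData\Audio\audiodg.exe",
        "original_file_name": "phoneactivate.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "loaded_dll": r"C:\ProgramData\Audio\sideload.dll",  # placeholder DLL name
    },
    {  # benign: the real audiodg.exe started by the audio service host
        "id": 4,
        "image": r"C:\Windows\System32\audiodg.exe",
        "original_file_name": "audiodg.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "loaded_dll": r"C:\Windows\System32\kernel32.dll",
    },
]

if __name__ == "__main__":
    for event_id, reasons in triage(EVENTS).items():
        print(event_id, "SUSPICIOUS" if reasons else "ok", reasons)
```

The OriginalFileName comparison is the check that carries the most weight on its own: a renamed copy of a signed Microsoft binary keeps its original version resource, so the mismatch survives even when the attackers change the directory or pair the binary with a differently named DLL. The remaining checks add context that separates the two chains from ordinary software updating from a per-user install path.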
Arctic Wolf also examined the group's infrastructure in detail. Over the observation period, analysts identified 112 distinct domains hosted on Cloudflare Workers, all designed to impersonate government and industrial organizations in Pakistan and Bangladesh. Domain registrations peaked in July 2025, when 42 new domains appeared. Three of these hosts were misconfigured as open directories, exposing a cache of prebuilt malicious components, including loaders for the Havoc post-exploitation framework configured with different RC4 keys.
The report notes that this selection of targets fits the classic pattern of cyberespionage. In Pakistan, the attackers showed particular interest in organizations connected to national defense, telecommunications, and nuclear regulation; in Bangladesh, their efforts focused on the energy and financial sectors. The analysts also discussed possible tactical overlaps with the SideWinder group, but ultimately highlighted clear differences in tooling and in the characteristics of the underlying infrastructure.