SloppyLemming Espionage Campaign Uses BurrowShell Backdoor and Rust RAT to Hit Pakistan and Bangladesh Targets

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A suspected India-aligned threat group known as SloppyLemming has been conducting a sustained espionage campaign against government agencies, defense organizations, nuclear oversight bodies, and critical infrastructure operators in Pakistan and Bangladesh.

Active since 2021 and also tracked as Outrider Tiger and Fishing Elephant, the group deployed two newly documented tools between January 2025 and January 2026: a custom backdoor called BurrowShell and a Rust-based remote access trojan equipped with keylogging capability.

The campaign ran two separate attack paths, both launched through spear-phishing. The first used PDF lure documents with a blurred page and a fake “Download file” button.

Clicking it redirected victims to a ClickOnce application manifest that silently dropped a multi-stage malware chain onto their device.

PDF lure displaying blurred document with social engineering message ‘PDF reader is disabled’ (Source – Arctic Wolf)

The second path used macro-enabled Excel spreadsheets that, once opened, quietly downloaded and executed malicious payloads from attacker-controlled servers.

Arctic Wolf analysts identified both attack chains as part of a single coordinated operation. Each relied on DLL search order hijacking to run malicious code through trusted Microsoft processes.

By placing rogue DLLs next to legitimate, signed Microsoft binaries, the attackers executed their tools inside processes that security software typically treats as safe.

The supporting infrastructure behind this campaign was considerable. Arctic Wolf researchers traced 112 unique Cloudflare Workers domains registered between January 2025 and January 2026 — an eight-fold increase from 13 domains documented in prior reporting.

Each domain was named to impersonate real government entities, including the Pakistan Nuclear Regulatory Authority, Pakistan Navy, Dhaka Electric Supply Company, and Bangladesh Bank. Domain registrations peaked in July 2025, with 42 new domains added in a single month.

Targeted sectors in Pakistan included nuclear oversight, defense logistics, telecommunications, and government administration. In Bangladesh, the group focused on energy utilities, financial institutions, and media organizations.

This pattern aligns with intelligence-collection priorities tied to regional competition in South Asia, and the year-long campaign with expanding infrastructure signals organized, long-term intent.

Inside the BurrowShell Infection Chain

BurrowShell is an in-memory shellcode implant delivered through the ClickOnce attack chain.

The infection begins when a malicious loader, mscorsvc.dll, is pulled in by a renamed Microsoft .NET binary — NGenTask.exe, delivered as OneDrive.exe — placed in the same folder. Before executing any payload, the loader checks whether the parent process is running from an approved directory.

If the check fails, the malware shuts down immediately to prevent execution inside analysis sandboxes.

Execution chain (Source – Arctic Wolf)

If the location check passes, the loader writes a registry entry under Software\Microsoft\Windows\CurrentVersion\Run so that OneDrive.exe launches on every reboot, keeping the infection persistent.

It then reads an RC4-encrypted file called system32.dll and decrypts it using a hardcoded 32-character key, releasing BurrowShell into memory. Because the shellcode never lands on disk as a standalone file, file-scanning tools are far less likely to detect it.
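An analyst who recovers the loader's key and the encrypted system32.dll can reproduce the decryption step offline to obtain the implant for analysis. The Python below is an added example, not the loader's code or Arctic Wolf's tooling: it implements textbook RC4, decrypts a constructed stand-in for the on-disk blob with a constructed 32-character key, and uses the entropy drop plus the appearance of readable strings to tell a correct key from a wrong one. The sample blob, key and embedded strings are all made up for the example.

```python
import math
from collections import Counter

# Key length reported for the loader (32 characters); used only as a sanity flag.
REPORTED_KEY_LEN = 32


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data sits near 8, code and strings well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII at least min_len long (what `strings` would print)."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the final run
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def triage(blob: bytes, key: bytes) -> dict:
    """Decrypt a recovered system32.dll-style blob and judge whether the key was right."""
    plain = rc4(key, blob)
    before, after = shannon_entropy(blob), shannon_entropy(plain)
    strings = printable_strings(plain)
    return {
        "key_len_matches_report": len(key) == REPORTED_KEY_LEN,
        "entropy_before": round(before, 2),
        "entropy_after": round(after, 2),
        "strings": strings,
        # A correct key drops entropy sharply and exposes readable strings;
        # a wrong key leaves the output as random-looking as the input.
        "plausible": (before - after) >= 1.0 and len(strings) > 0,
        "decrypted": plain,
    }


# --- constructed sample, not a real capture ---------------------------------
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"  # 32 chars, made up
SAMPLE_PLAIN = (
    b"\x90" * 64                                 # padding standing in for code bytes
    + b"Windows Update Agent\x00"                # the kind of string an analyst hopes to see
    + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"\x00" * 64
)
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)      # what would sit on disk as system32.dll

if __name__ == "__main__":
    for label, k in (("correct key", SAMPLE_KEY), ("wrong key", b"x" * 32)):
        r = triage(SAMPLE_BLOB, k)
        print(f"{label}: entropy {r['entropy_before']} -> {r['entropy_after']}, "
              f"plausible={r['plausible']}, strings={r['strings']}")
```

Because RC4 is a stream cipher, a wrong key still "decrypts" without error; the entropy comparison is what tells the analyst whether the output is worth disassembling, which is why the check is on entropy and strings rather than on a decryption failure.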

Once active, BurrowShell connects to its command-and-control server over port 443 and disguises its traffic as Windows Update communications.

After registering the infected host with system details, it enters a continuous loop of heartbeat check-ins while waiting for commands. The implant supports fifteen commands — file operations, screenshot capture, shell execution, and SOCKS proxy tunneling.

The Rust-based keylogger, deployed through the Excel macro path, extends these capabilities with keystroke recording, port scanning, and network enumeration.

Organizations in government, defense, and critical infrastructure should take specific defensive steps.

Email security tools should block PDF files with embedded URLs pointing to Cloudflare Workers subdomains, and macro execution in externally received Office documents should be disabled.

Network teams should monitor connections to *.workers.dev domains and enable SSL/TLS inspection for encrypted traffic to suspicious destinations.

Endpoint rules should flag NGenTask.exe or phoneactivate.exe loading DLLs from non-standard paths and alert on unexpected CurrentVersion\Run registry entries.
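The network and endpoint checks above can be written as rules over host telemetry. The Python below is an added example, not Arctic Wolf's or the article's detection content: it assumes simplified Sysmon-style event dictionaries (process create 1, image load 7, registry set 13, DNS query 22), an assumed baseline of standard DLL directories, a constructed autorun allow-list, and constructed sample events. Because the article notes the host binary is renamed (NGenTask.exe delivered as OneDrive.exe), the sideload rule identifies the host by the OriginalFileName recorded at process create rather than by the on-disk name.

```python
from pathlib import PureWindowsPath

# Hosts the article names for sideloading, matched by their true file name.
WATCHED_HOSTS = {"ngentask.exe", "phoneactivate.exe"}

# Where Microsoft DLLs are expected to load from (assumed baseline; tune per estate).
STANDARD_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\windows\\microsoft.net\\", "c:\\windows\\winsxs\\")
# User-writable roots where an autorun target deserves a second look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Known-good autoruns: an org-specific allow-list, one constructed entry here.
RUN_ALLOWLIST = {"c:\\users\\user\\appdata\\local\\microsoft\\onedrive\\onedrive.exe"}


def _under(path: str, prefixes) -> bool:
    return any(path.lower().startswith(p) for p in prefixes)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_renamed_host(ev, proc_names):
    """Process create: a watched Microsoft binary started under a different file name."""
    if ev["EventID"] != 1:
        return None
    orig = ev["OriginalFileName"].lower()
    if orig in WATCHED_HOSTS and _basename(ev["Image"]) != orig:
        return f"{orig} running as {ev['Image']}"
    return None


def rule_sideload(ev, proc_names):
    """Image load: a watched host pulling a DLL from outside the standard directories.
    The host's identity comes from the process-create record, so a renamed copy
    (OneDrive.exe) is still recognised as NGenTask.exe."""
    if ev["EventID"] != 7:
        return None
    host = proc_names.get(ev["ProcessGuid"], _basename(ev["Image"]))
    if host in WATCHED_HOSTS and not _under(ev["ImageLoaded"], STANDARD_DLL_DIRS):
        return f"{host} loaded {ev['ImageLoaded']}"
    return None


def rule_unexpected_run(ev, proc_names):
    """Registry set: a Run value pointing into user-writable space and not allow-listed."""
    if ev["EventID"] != 13 or "\\currentversion\\run\\" not in ev["TargetObject"].lower():
        return None
    target = ev["Details"].strip('"').lower()
    if _under(target, USER_WRITABLE) and target not in RUN_ALLOWLIST:
        return f"{ev['TargetObject']} -> {ev['Details']}"
    return None


def rule_workers_dev(ev, proc_names):
    """DNS query: any lookup of a *.workers.dev name, with the querying process."""
    if ev["EventID"] == 22 and ev["QueryName"].lower().endswith(".workers.dev"):
        return f"{_basename(ev['Image'])} resolved {ev['QueryName']}"
    return None


RULES = {"renamed_host": rule_renamed_host, "sideload": rule_sideload,
         "unexpected_run": rule_unexpected_run, "workers_dev": rule_workers_dev}


def run_rules(events):
    """Stream events in order, remembering each process's true name from its event 1."""
    proc_names, alerts = {}, []
    for ev in events:
        if ev["EventID"] == 1:
            proc_names[ev["ProcessGuid"]] = ev["OriginalFileName"].lower()
        for name, rule in RULES.items():
            hit = rule(ev, proc_names)
            if hit:
                alerts.append((name, hit))
    return alerts


# Constructed sample telemetry (simplified Sysmon fields), not a real capture.
MAL = r"C:\Users\user\AppData\Local\OneDrive\OneDrive.exe"  # renamed NGenTask.exe
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": MAL, "OriginalFileName": "NGenTask.exe"},
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": MAL,
     "ImageLoaded": r"C:\Users\user\AppData\Local\OneDrive\mscorsvc.dll"},
    {"EventID": 7, "ProcessGuid": "{guid-2}",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"EventID": 13, "Details": MAL, "TargetObject":
     r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventID": 13, "Details": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
    {"EventID": 22, "Image": MAL, "QueryName": "example-lure.workers.dev"},
    {"EventID": 22, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for name, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Fed the image-load event without its preceding process-create event, the sideload rule stays silent, since the on-disk name OneDrive.exe is not on the watched list; that gap is the reason the rule keys on OriginalFileName and why the two event types need to be collected together.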

Regular security awareness training is critical, as both attack paths depend on a victim taking a deliberate action — clicking a button or enabling macros.
