Alleged India-linked espionage campaign targeted Pakistan, Bangladesh, Sri Lanka

An espionage campaign last year targeted government agencies and critical infrastructure operators in Pakistan, Bangladesh and Sri Lanka, researchers at the cybersecurity firm Arctic Wolf said Monday. 

The researchers attributed the campaign to an India-nexus threat actor they call SloppyLemming and said it was an expansion of threat activity previously identified by Cloudflare in September 2024.  

The campaign ran for a year beginning in January 2025 and featured two different types of attacks. One involved the delivery of a malicious PDF holding malware known as BurrowShell — a backdoor that allows hackers to take screenshots and manipulate a file system. Another attack method saw attackers send a malicious Excel document that had malware with a keylogger and reconnaissance capabilities.

“The technical analysis reveals a threat actor operating with moderate capability: the multi-stage execution chains demonstrate understanding of defense evasion techniques and show familiarity with Windows internals, while the operational security failures – particularly the open directory exposures – indicate areas where tradecraft falls short of the capabilities of more disciplined threat actors,” Arctic Wolf researchers said.

“This assessment aligns with the ‘Sloppy’ designation in the group’s name, which references their historically inconsistent operational security.”

The attackers used 112 Cloudflare domains registered last year that staged malware and had Pakistani and Bangladeshi government-themed names designed to trick victims. 

Incident responders noted that the campaign targeted Pakistani nuclear regulatory bodies like the Pakistan Nuclear Regulatory Authority, defense logistics organizations, and telecommunications infrastructure – alongside Bangladeshi energy utilities and financial institutions.

The Pakistan Navy and National Logistics Corp, as well as energy utilities like Pakistan’s DESCON and the Power Grid Company of Bangladesh, were targeted. The attackers also went after the telecommunications providers Special Communications Organization and the Pakistan Telecommunication Company.

The researchers said SloppyLemming has been conducting cyber-espionage attacks since at least 2021 and has targets aligning with the Indian government’s interests. 

The campaigns typically start with social engineering or spearphishing emails containing the malicious documents. 

When the documents are opened, victims see blurred-out content covered by text claiming “PDF reader is disabled.” Victims are prompted to take further actions that enable hacker access.

The malware includes a keylogger as well as mechanisms that enable persistence, network scanning, screenshot taking, and more. At least one of the malicious emails impersonated a Bangladeshi financial institution. 

Arctic Wolf found some overlaps between their findings and those disclosed by cybersecurity firm Trellix in October 2025.

Cloudflare previously said the SloppyLemming campaign started in late 2022 and primarily targeted Pakistan but also launched attacks against Sri Lanka, Nepal, Bangladesh, Indonesia and China, with a specific focus on government, law enforcement, energy, telecommunications, and technology entities.

Cloudflare did not link the campaign to actors in India but said it aligned with a threat actor tracked by incident response firm CrowdStrike as “Outrider Tiger.” CrowdStrike described the threat actor as an “India-nexus targeted intrusion adversary” that “employs sophisticated credential harvesting techniques” and offers to “support Indian state intelligence collection requirements.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
