thehackernews.com 3/3/2026, 9:02:08 AM

SloppyLemming Targets Pakistan and Bangladesh with Rust keylogger

The threat cluster known as SloppyLemming has been attributed to a fresh set of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh, with activity taking place between January 2025 and January 2026. The campaign uses two distinct attack chains to deliver malware families tracked as BurrowShell and a Rust-based keylogger, marking a notable evolution in tooling by adopting Rust alongside prior languages and frameworks.

According to Arctic Wolf, spear-phishing emails deliver PDF lures and macro-enabled Excel documents to start the infection chains. The PDFs guide victims to ClickOnce manifests that deploy a legitimate .NET runtime executable and a malicious loader, then decrypt and execute BurrowShell via DLL side-loading.

The second chain drops the keylogger through Excel macros and includes features for port scanning and network enumeration. Investigators found 112 Cloudflare Workers domains registered during the year, an eight-fold increase from the 13 domains flagged in September 2024. SloppyLemming has targeted Pakistan, Sri Lanka, Bangladesh, and China since 2022, and the report notes a pattern of government and energy or financial-sector targets in the region, according to Arctic Wolf.

Article by CyberSIXT