Execution chain diagram | Image: Arctic Wolf
Cybersecurity researchers at Arctic Wolf have released a comprehensive analysis of a massive, year-long cyber espionage operation conducted by the India-nexus threat actor known as Sloppy Lemming (also tracked as Outrider Tiger and Fishing Elephant). Between January 2025 and January 2026, the group targeted high-value government and critical infrastructure entities across Pakistan and Bangladesh with surgical precision.
The report reveals a significant expansion in the known capabilities and operational scope of Sloppy Lemming. While previously recognized for simpler operations, this latest campaign demonstrates “dedicated operational commitment,” featuring 112 unique domains and sophisticated custom tooling.
The primary targets align with strategic regional competition:
- Pakistan: Nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure.
- Bangladesh: Energy utilities and financial institutions.
The highlight of this campaign is the deployment of a custom x64 shellcode implant named BurrowShell. This backdoor is far from a generic malware strain; it is a “purpose-built implant with mature operational features” designed for deep-system persistence.
BurrowShell provides the attackers with full filesystem manipulation, remote shell execution, and the ability to capture screenshots of the victim’s device.
To avoid raising red flags, the implant’s design is heavily focused on evasion. As the Arctic Wolf analysis explains, “The implant’s design choices of dynamic API resolution, traffic masquerading as Windows Update communications, and RC4 encryption, indicate deliberate effort to evade detection and maintain persistent access”.
It also features SOCKS proxy capabilities, allowing the threat actor to tunnel further into a compromised network.
Sloppy Lemming utilized two distinct methods to breach their targets:
- The PDF/ClickOnce Chain: Victims were sent PDF lure documents that redirected them to ClickOnce application manifests. The manifest delivered a DLL sideloading package that eventually decrypted and executed the BurrowShell implant.
- The Excel/Rust Chain: A secondary vector used macro-enabled Excel documents to deliver a Rust-based keylogger, showcasing the group’s ability to “deploy appropriate tools based on target value and operational requirements”.
The group’s infrastructure is notably resilient, leveraging Cloudflare Workers to create “legitimate-appearing infrastructure that complicates network-based detection and blocking efforts”.
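Two of the evasion traits described above, command-and-control traffic dressed up as Windows Update communications and infrastructure hosted on Cloudflare Workers, are both visible in outbound proxy or DNS telemetry, which makes them a practical hunting angle for defenders. The following Python script is an added illustration written for this article, not tooling from Arctic Wolf or from the report. It triages a few constructed proxy log lines and flags (a) requests that look like Windows Update Agent traffic but go to a host outside a small allowlist of Microsoft update domains, and (b) any request to a hosted-worker domain. The log format, the allowlist, the `.workers.dev` suffix check and the Windows Update lookalike heuristics (user-agent and path prefixes) are all assumptions made for the example, since the report as summarised here does not state how the masquerading is implemented.

```python
import re
from dataclasses import dataclass

# Hosts that legitimately serve Windows Update traffic. Assumption: a minimal
# illustrative allowlist; a real deployment would use the organisation's own
# vetted list of Microsoft update endpoints.
LEGITIMATE_UPDATE_SUFFIXES = (
    ".windowsupdate.com",
    ".update.microsoft.com",
    ".delivery.mp.microsoft.com",
)

# Hosted-worker domain that anyone can register on; assumption limited to the
# default Cloudflare Workers suffix.
HOSTED_WORKER_SUFFIXES = (".workers.dev",)

# Simplified proxy-log line: timestamp client METHOD host/path "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>[^/\s]+)(?P<path>/\S*) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    reason: str


def looks_like_windows_update(path, ua):
    # Assumption: lookalike traffic mimics the Windows Update Agent user-agent
    # or its usual URL path prefixes.
    ua_l = ua.lower()
    return (
        "windows-update-agent" in ua_l
        or "windowsupdate" in ua_l
        or path.lower().startswith(("/windowsupdate/", "/msdownload/update/"))
    )


def host_has_suffix(host, suffixes):
    h = host.lower().rsplit(":", 1)[0]  # drop an explicit port if present
    return any(h.endswith(s) or h == s.lstrip(".") for s in suffixes)


def triage(lines):
    """Return one Finding per suspicious log line, in input order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        host, path, ua = m["host"], m["path"], m["ua"]
        if looks_like_windows_update(path, ua) and not host_has_suffix(
            host, LEGITIMATE_UPDATE_SUFFIXES
        ):
            findings.append(Finding(m["ts"], m["client"], host,
                                    "update-lookalike traffic to non-Microsoft host"))
        elif host_has_suffix(host, HOSTED_WORKER_SUFFIXES):
            findings.append(Finding(m["ts"], m["client"], host,
                                    "traffic to hosted-worker domain"))
    return findings


# Constructed sample proxy log lines for the example (not from the report).
SAMPLE_LOG = [
    '2025-06-01T10:00:00Z 10.0.0.5 GET download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"',
    '2025-06-01T10:00:05Z 10.0.0.5 POST example-update-check.workers.dev/windowsupdate/v6/report "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"',
    '2025-06-01T10:00:09Z 10.0.0.7 GET www.example.org/index.html "Mozilla/5.0"',
    '2025-06-01T10:00:12Z 10.0.0.9 GET status.example-worker.workers.dev/ping "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.client} -> {f.host}: {f.reason}")
```

Run against the constructed sample, the script flags the second line (update-agent user-agent to a non-Microsoft host) and the fourth line (plain browser traffic to a hosted-worker domain) while leaving genuine Windows Update traffic and ordinary browsing alone. The hosted-worker check is deliberately low-severity on its own, since legitimate services also run on Workers; its value is as an enrichment that raises the priority of the first rule's hits when both fire for the same client.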
Arctic Wolf concludes that the focus on nuclear and defense assets “aligns with intelligence collection priorities consistent with regional strategic competition in South Asia”. Organizations within these critical sectors are urged to implement advanced defensive measures to mitigate the risk posed by this persistent and evolving threat actor.