SloppyLemming’s Espionage Campaign Targets South Asia
A recent report from Cloudforce One has detailed a cyber espionage campaign orchestrated by a threat actor dubbed SloppyLemming, targeting government, defense, telecommunications, and energy sectors across South and East Asia. The campaign, which began in late 2022 and continues into 2024, primarily focuses on Pakistan but extends its reach to Bangladesh, Sri Lanka, Nepal, and even China.
SloppyLemming, tracked by CrowdStrike as OUTRIDER TIGER, is a capable actor that relies on a blend of off-the-shelf adversary emulation frameworks, the commercial Cobalt Strike and the open-source Havoc, rather than bespoke tooling for post-exploitation. Although its operations concentrate on Pakistan, the group has shown a wider interest in South Asia’s defense, technology, and government sectors.
SloppyLemming’s primary initial-access method is spear phishing. The actor sends targeted emails that push victims toward links to cloned login pages, where the victim enters credentials that go straight to the attacker. To run this at scale the group built a custom tool named CloudPhish, which abuses Cloudflare Workers to host the credential-harvesting logic and exfiltrate what it collects.
CloudPhish works by scraping the real login page of a targeted organization, injecting malicious code into a copy of the legitimate webmail portal (Zimbra or cPanel, for example), and logging submitted credentials to a Discord webhook. The stolen credentials are then used to read mail in the targeted organization’s accounts. Cloudforce One was able to replicate parts of SloppyLemming’s credential-harvesting chain, which gave the researchers a rare view of the attacker’s side of the operation.
Beyond password harvesting, SloppyLemming has also targeted Google OAuth tokens, which let the actor read a victim’s Google account data without knowing the password. The lure is a decoy PDF served from a Cloudflare Worker that redirects the victim to an attacker-controlled site where the token is captured. One such attempt targeted Taxila Heavy Industries, a key Pakistani defense contractor, using a fake contract update PDF as the bait.
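The CloudPhish chain described above leaves two network-level tells that a defender can hunt for: a webmail-looking page served from a `*.workers.dev` hostname, and traffic to a Discord webhook, which is the exfiltration channel the report names. The following triage script is an added example, not code from Cloudforce One or from the threat actor; it runs over a handful of constructed proxy log lines (the log format, the `mail.example.gov.pk` webmail host, and the path markers are assumptions for the illustration). The Discord POST may be made by the Worker rather than by the victim’s browser, so the script checks both indicators independently.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Discord webhook endpoints have the shape /api/webhooks/<snowflake id>/<token>.
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d{17,20}/[A-Za-z0-9_-]{40,}$")
DISCORD_HOSTS = {"discord.com", "discordapp.com"}

# Assumption: the organisation's own webmail hosts and the URL fragments its
# portals use. Replace with your own inventory.
WEBMAIL_HOSTS = {"mail.example.gov.pk", "webmail.example.org"}
WEBMAIL_MARKERS = ("/zimbra", "/webmail", "/login", "/owa")

# Constructed proxy log: ts src method host path referer ('-' when empty).
SAMPLE_LOG = [
    "2024-06-10T09:12:01Z 10.20.1.15 GET mail.example.gov.pk /zimbra/ -",
    "2024-06-10T09:12:44Z 10.20.1.15 GET update-portal.example.workers.dev /zimbra/ https://mail.example.gov.pk/",
    "2024-06-10T09:13:02Z 10.20.1.15 POST update-portal.example.workers.dev /zimbra/login https://update-portal.example.workers.dev/zimbra/",
    "2024-06-10T09:13:03Z 10.20.1.15 POST discord.com /api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_ABCDEF -",
    "2024-06-10T09:20:00Z 10.20.1.22 GET www.example.com /index.html -",
]


@dataclass
class Alert:
    ts: str
    src: str
    reason: str
    url: str


def parse_line(line: str) -> dict:
    """Split one constructed log line into its six whitespace-separated fields."""
    ts, src, method, host, path, referer = line.split()
    return {"ts": ts, "src": src, "method": method.upper(),
            "host": host.lower(), "path": path, "referer": referer}


def triage(lines) -> list:
    """Return an Alert for every line matching a CloudPhish-style indicator."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        url = f"{rec['host']}{rec['path']}"
        ref_host = (urlparse(rec["referer"]).hostname or "").lower()

        # Indicator 1: credential exfiltration to a Discord webhook.
        if (rec["method"] == "POST" and rec["host"] in DISCORD_HOSTS
                and WEBHOOK_RE.match(rec["path"])):
            alerts.append(Alert(rec["ts"], rec["src"], "Discord webhook POST", url))

        # Indicator 2: a webmail-looking page hosted on Cloudflare Workers,
        # either by path shape or because the user arrived from real webmail.
        if rec["host"].endswith(".workers.dev"):
            path_l = rec["path"].lower()
            if any(m in path_l for m in WEBMAIL_MARKERS) or ref_host in WEBMAIL_HOSTS:
                alerts.append(Alert(rec["ts"], rec["src"],
                                    "webmail-style page served from workers.dev", url))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.ts} {a.src} {a.reason}: {a.url}")
```

Both rules are deliberately narrow. A `workers.dev` hit on its own is noisy, since plenty of legitimate services run there; the combination of a Workers host, a login-shaped path and a referer from your own mail server is what makes it worth an analyst’s time.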
SloppyLemming’s malware delivery leans on the WinRAR vulnerability CVE-2023-38831 to drop remote access tools (RATs). In one recent example, the actor hosted a RAR archive on Dropbox that appeared to contain only a PDF. CVE-2023-38831 is abused by pairing a decoy file with a same-named directory (differing only by a trailing space) that holds a script: when the victim opens the archive in a vulnerable WinRAR build and double-clicks the PDF, WinRAR runs the script instead of the document. That script sideloaded a DLL and set up command-and-control (C2) communications through Cloudflare Workers, and the final payload gave SloppyLemming remote access to the infected machine.
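Because the CVE-2023-38831 trick depends on a recognisable archive layout rather than on any particular payload, it can be caught from the entry list alone, before anything is extracted. The checker below is an added example, not part of the report or the actor’s tooling; it takes a list of archive entry names (as returned, for instance, by `rarfile.RarFile.namelist()` or a `7z l` listing, which is an assumption about how you would feed it) and flags the decoy-file-plus-look-alike-directory pattern. The sample entries are constructed, and the launcher extension list is illustrative.

```python
from typing import Iterable

# Extensions a launcher script is typically hidden under. Assumption: this
# list is illustrative; extend it for the file types your WinRAR builds open.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".wsf", ".ps1", ".lnk")

# Constructed archive listing mimicking the CVE-2023-38831 layout: a decoy
# PDF, a directory with the same name plus a trailing space, and inside it a
# script whose name begins with the decoy's name.
SAMPLE_ENTRIES = [
    "Contract_Update.pdf",
    "Contract_Update.pdf /",
    "Contract_Update.pdf /Contract_Update.pdf .cmd",
    "Contract_Update.pdf /loader.dll",
    "notes/readme.txt",
]


def find_38831_pattern(entries: Iterable[str]) -> list:
    """Return {'decoy', 'launcher'} pairs that match the CVE-2023-38831 layout.

    A hit requires all three of:
      * a file entry NAME.ext at some level of the archive,
      * a sibling directory whose name is NAME.ext followed by a space,
      * a file inside that directory whose name starts with NAME.ext and
        ends with a launcher extension.
    Directory entries (trailing '/') are skipped; parents are inferred
    from file paths, so listings that omit directory rows still work.
    """
    names = [e.replace("\\", "/") for e in entries]
    files = {n for n in names if not n.endswith("/")}
    hits = []
    for n in files:
        parts = n.split("/")
        if len(parts) < 2:
            continue
        parent, base = parts[-2], parts[-1]
        if not parent.endswith(" "):
            continue  # the trailing-space directory is the tell
        decoy = parent.rstrip(" ")
        decoy_path = "/".join(parts[:-2] + [decoy])
        if decoy_path not in files:
            continue  # look-alike directory without a decoy next to it
        if base.startswith(decoy) and base.lower().endswith(SCRIPT_EXTS):
            hits.append({"decoy": decoy_path, "launcher": n})
    return sorted(hits, key=lambda h: h["launcher"])


if __name__ == "__main__":
    for hit in find_38831_pattern(SAMPLE_ENTRIES):
        print(f"CVE-2023-38831 layout: decoy {hit['decoy']!r} -> launcher {hit['launcher']!r}")
```

Run this over archives at the mail gateway or in a sandbox pre-filter; a match is a strong signal regardless of what the launcher does, and the `loader.dll` entry in the sample shows that ordinary files in the same directory are not flagged on their own.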
While most of SloppyLemming’s operations focus on Pakistan, Cloudforce One’s analysis shows the group’s target set widening. Significant activity has been observed in Bangladesh, Sri Lanka, and China, aimed at government, military, and energy-sector entities. Of particular note is recent attention to Australia: C2 traffic observed from Canberra suggests that Australian government institutions may also be in scope.
For more information on Cloudforce One’s full report, visit their website for a detailed breakdown of SloppyLemming’s tactics and infrastructure.