SloppyLemming
SloppyLemming is an India-nexus cyber-espionage threat actor, also tracked as Outrider Tiger and Fishing Elephant. Open-source reporting attributes campaigns from at least 2021 or 2022 through January 2026 to this cluster. Targeting focuses on government, law enforcement, defense, energy, telecommunications, technology, and other critical infrastructure entities in Pakistan and Bangladesh, with additional historical targeting noted in Sri Lanka, Nepal, Indonesia, China, and broader South and East Asia. Specific victim sectors and entities mentioned include Pakistani nuclear regulatory, defense logistics, navy, telecom, and government organizations, as well as Bangladeshi energy utilities and financial institutions. The actor is described as conducting cyber-espionage aligned with Indian state intelligence collection requirements or Indian government interests. Arctic Wolf assessed the group as moderately capable.

Observed tradecraft includes spear-phishing and social engineering using PDF lures and macro-enabled Excel documents; trust-based execution chains involving ClickOnce, LNK, and ISO files; DLL side-loading and search-order hijacking; use of legitimate Microsoft binaries; persistence via Run keys; screenshot capture; keylogging; remote shell execution; file manipulation; network tunneling via SOCKS proxy; port scanning; and network enumeration. Reporting also notes use of Cloudflare Workers infrastructure, including government-themed typosquatting domains for payload delivery and command-and-control, and prior use of Havoc, Cobalt Strike, Ares RAT, WarHawk, and a custom NekroWire RAT.

Malware and tooling named in reporting include BurrowShell, a full-featured backdoor with file manipulation, screenshot capture, remote shell execution, and network tunneling capabilities, and a Rust-based RAT/keylogger with reconnaissance features. The actor is also described as producing multiple malware variants in AI-assisted and non-mainstream programming languages, and as shifting toward Rust-based tooling in more recent campaigns.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- PK
Tradecraft
34 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
- Uses trust-based execution chains including ClickOnce, LNK, and ISO, and develops multiple malware variants in AI-assisted and non-mainstream programming languages.
- Activity cluster reported deploying BurrowShell and a Rust-based RAT, targeting Pakistan and Bangladesh.
- Deploying BurrowShell and a Rust-based RAT in operations targeting Pakistan and Bangladesh.
- Conducting cyber-espionage style intrusions against government and critical infrastructure in South Asia using spear-phishing and malicious Excel/PDF lures to deliver a loader that deploys the BurrowShell backdoor, and a second chain delivering a Rust-based keylogger with port scanning and network enumeration; leveraging Cloudflare Workers domains for C2.