India🇮🇳 IN4 malware families

Outrider Tiger

Also known asOUTRIDER TIGER

Outrider Tiger is an India-linked espionage threat actor referenced as connected to the cluster dubbed Sloppy Lemming and also associated by researchers with Fishing Elephant. Reported targeting includes nuclear-regulatory organizations, defense firms, and critical infrastructure in Pakistan and Bangladesh, with Arctic Wolf additionally assessing a focus on nuclear, defense, logistics, and telecommunications providers. Observed tradecraft includes phishing- and credential-theft-centric intrusion activity, including a PDF lure that redirects victims and a macro-enabled Excel delivery chain that drops a Rust-based keylogger. The actor has been described as evolving from use of Cobalt Strike and Havoc C2 toward custom tooling written in Rust, while expanding cloud-based command-and-control infrastructure through Cloudflare Workers. The reporting also notes operational security mistakes on some C2 infrastructure, including open directories that allowed researcher access. Alias explicitly mentioned in the provided content: Sloppy Lemming; the content also states it is connected to Fishing Elephant.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇵🇰 Pakistan
🇧🇩 Bangladesh

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics48 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

2 techniques

T1583

Acquire Infrastructure

T1583.001×2

Domains

T1587

Develop Capabilities

T1587.001

Malware

TA0001

Initial Access

1 technique

T1566

Phishing

T1566.001×4

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

3 techniques

T1059

Command and Scripting Interpreter

T1059.005×2

Visual Basic

T1204

User Execution

T1204.002

Malicious File

T1574

Hijack Execution Flow

T1574.001

DLL

TA0003

Persistence

1 technique

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

1 technique

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0005

Stealth

5 techniques

T1027

Obfuscated Files or Information

T1027.002

Software Packing

T1036

Masquerading

T1036.005

Match Legitimate Resource Name or Location

T1140×2

Deobfuscate/Decode Files or Information

T1218

System Binary Proxy Execution

T1218.007

Msiexec

T1574

Hijack Execution Flow

T1574.001

DLL

TA0006

Credential Access

2 techniques

T1056

Input Capture

T1056.001×3

Keylogging

T1555

Credentials from Password Stores

TA0007

Discovery

4 techniques

T1046

Network Service Discovery

T1057

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

TA0009

Collection

3 techniques

T1056

Input Capture

T1056.001×3

Keylogging

T1113×2

Screen Capture

T1560

Archive Collected Data

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1090

Proxy

T1090.001

Internal Proxy

T1090.003

Multi-hop Proxy

T1102

Web Service

T1102.002

Bidirectional Communication

T1571

Non-Standard Port

T1573

Encrypted Channel

T1573.001

Symmetric Cryptography

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BurrowShell"...delivery of a malicious PDF holding malware known as BurrowShell — a backdoor that allows hackers to take screenshots and manipulate a file system."2Mar 2, 2026

Cobalt Strike"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc..."1Mar 2, 2026

Havoc"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc..." and "...components associated with the Havoc post-exploitation C2 framework... Havoc shellcode payload..."1Mar 2, 2026

NekroWire RAT"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT."1Mar 2, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

dark readingNews

Mar 3, 2026

Indian APT 'Sloppy Lemming' Targets Defense, Critical Infrastructure

India-nexus activity cluster reported as connected/overlapping with Sloppy Lemming; associated with regional cyber-espionage targeting in South Asia.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping31

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.