MalwareUsed by 3 actors

NekroWire RAT

NekroWire RAT is a custom remote access trojan previously used by the threat activity cluster SloppyLemming, also tracked as Outrider Tiger and Fishing Elephant. Arctic Wolf reported that SloppyLemming had previously used Cobalt Strike, Havoc, Ares RAT, WarHawk, and the custom NekroWire RAT in campaigns targeting government and critical infrastructure entities in South Asia. The reporting ties SloppyLemming activity to espionage-focused targeting of organizations in Pakistan and Bangladesh, with broader historical targeting including government, law enforcement, energy, telecommunications, and technology sectors in Pakistan, Sri Lanka, Bangladesh, and China. The provided content does not describe NekroWire RAT’s internal functionality, infection chain, persistence, command-and-control protocol, or specific indicators of compromise beyond its identification as a custom RAT associated with SloppyLemming.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

SloppyLemming

"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT"

via the hacker newsthehackernews.com

Fishing Elephant

"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT."

via arctic wolf blogarcticwolf.com

Outrider Tiger

"...borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT."

via arctic wolf blogarcticwolf.com

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1583.001DomainsEvidence1

TacticResource Development

“Infrastructure analysis identified 112 Cloudflare Workers domains registered between January 2025 and January 2026…”

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Mar 3, 2026

SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains

Custom remote access trojan previously reported in SloppyLemming tooling (no additional capabilities described in this content).

arctic wolf blogNews

Mar 2, 2026

SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh - Arctic Wolf

Custom remote access trojan referenced as previously used by SloppyLemming; not analyzed in detail in this report’s described intrusion chains.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.