SloppyLemming deploys BurrowShell and Rust keylogger against Pakistan and Bangladesh

A technical analysis by Arctic Wolf reported that the SloppyLemming threat cluster conducted attacks on government entities and critical infrastructure in Pakistan and Bangladesh between January 2025 and January 2026, using two attack chains to deliver a backdoor called BurrowShell and a Rust-based keylogger.

KEY FACTS

  • Incident: Targeted government and critical infrastructure in Pakistan and Bangladesh
  • Timeline: January 2025 to January 2026
  • Malware: BurrowShell backdoor and a Rust-based keylogger
  • Delivery: Spear-phishing with PDF lures and macro-enabled Excel documents
  • Infrastructure: 112 Cloudflare Workers domains registered during the period

The campaign used spear-phishing emails carrying PDF decoys and macro-enabled Excel files to start infections. PDF links led to ClickOnce manifests that deployed a legitimate .NET executable and a malicious DLL loader, which used DLL side-loading to run an in-memory shellcode implant named BurrowShell.

BurrowShell provides file system manipulation, screenshot capture, a remote shell and SOCKS proxy capabilities. The implant disguised its command-and-control traffic as Windows Update service communications and protected payloads with RC4 using a 32-character key.

The second attack chain dropped a Rust-based keylogger and included routines for port scanning and network enumeration. The actor also registered a large number of Cloudflare Workers domains during the year and used government-themed typosquatting patterns in its infrastructure.

WHY IT MATTERS

The combination of an in-memory backdoor and an information-stealing keylogger expands the actor’s ability to maintain access and collect credentials. The increased use of Cloudflare Workers infrastructure and ClickOnce-based delivery complicates detection and response for affected organisations.