
Assessing the operations and infrastructure of the Sloppy Lemming threat actor

A detailed analysis of the evolving tactics and custom Rust-based tooling used by the Sloppy Lemming threat actor to target critical infrastructure in South Asia. We review their infrastructure expansion and provide insights to help organizations safeguard their environments against these specific execution sequences.

Triage Security Media Team

The state-aligned threat actor tracked as "Sloppy Lemming" has notably increased its operational pace over the past year. Targeting nuclear-regulatory bodies, defense organizations, and critical infrastructure in Pakistan and Bangladesh, the group has adopted more complex methods to bypass standard network defenses.

According to research from Arctic Wolf, the group is transitioning away from standard adversary simulation software, such as Cobalt Strike and Havoc, toward custom implants written in the Rust programming language. Concurrently, the actor has scaled its command-and-control (C2) infrastructure using Cloudflare’s serverless Workers platform, expanding from 13 known domains last year to at least 112 domains today.

Ismael Valenzuela, vice president of threat intelligence research at Arctic Wolf, observes that regional state-aligned groups are refining their operational methods. "Years ago, we would only see some nation-state groups, some cybercriminal groups, and maybe some hacktivist groups in the region," he states. "What we're seeing now is more groups and more noise and more people trying to get [critical] information and more regionalized cyber-espionage campaigns as well."

Geopolitical context and operational focus

This digital activity aligns with heightened geopolitical tensions in South Asia. Recent events include military actions along the Pakistan-Afghanistan border and public statements from Pakistani leadership regarding defensive readiness following India's Operation Sindoor in May 2025. In this environment, digital intelligence operations frequently parallel physical geopolitical developments.

As regional tensions influence these operations, Sloppy Lemming’s methods contrast with those of other major state-aligned actors. Rather than relying on zero-day vulnerabilities in edge network devices, this group primarily utilizes phishing and credential collection.

Arctic Wolf’s analysis identifies two primary execution sequences. The first relies on a PDF document that directs the recipient to a ClickOnce application manifest, ultimately using DLL sideloading to execute a custom shellcode backdoor dubbed BurrowShell. The second sequence uses macro-enabled Excel spreadsheets to deploy a Rust-based keylogger and reconnaissance tool.
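The two execution sequences above produce recognisable endpoint telemetry: a spreadsheet process handing off to a script host, a ClickOnce host launching a binary from a user-writable directory, and a signed-looking executable loading an unsigned DLL that sits beside it. The following is an added example, not code from the article, Arctic Wolf, or any vendor. It runs a small set of detection rules over constructed process-creation and image-load events in a simplified Sysmon-like shape; the event fields, file paths and names (other than the well-known Office binaries and the ClickOnce host dfsvc.exe) are assumptions chosen for illustration, not indicators from the campaign.

```python
# Added example: defender-side detection sketch for the execution
# sequences described in the article. Not the article's or Arctic Wolf's
# code; sample events and paths below are constructed.
from dataclasses import dataclass
from typing import List, Tuple

# Document-handling parents whose child processes deserve scrutiny.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Scripting hosts and living-off-the-land binaries a macro typically hands off to.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# dfsvc.exe is the Windows ClickOnce deployment host.
CLICKONCE_HOST = "dfsvc.exe"
# Path fragments an ordinary user can write to (assumed, tune per estate).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Event:
    kind: str                   # "process" (creation) or "imageload" (DLL load)
    image: str                  # full path of the process image
    parent_image: str = ""      # process events only
    loaded: str = ""            # imageload events: path of the loaded DLL
    loaded_signed: bool = True  # imageload events: Authenticode status of the DLL


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def user_writable(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def classify(ev: Event) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: List[str] = []
    child = basename(ev.image)
    if ev.kind == "process":
        parent = basename(ev.parent_image)
        # Macro-enabled document handing off to a script host.
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append("office-spawns-script-host")
        # Office or the ClickOnce host launching a binary from a user directory.
        if parent in OFFICE_PARENTS and user_writable(ev.image):
            hits.append("office-launches-user-writable-binary")
        if parent == CLICKONCE_HOST and user_writable(ev.image):
            hits.append("clickonce-launches-user-writable-binary")
    elif ev.kind == "imageload":
        # Sideloading shape: a process running from a user-writable directory
        # loads an unsigned DLL that lives in that same directory.
        if (not ev.loaded_signed and user_writable(ev.loaded)
                and dirname(ev.loaded) == dirname(ev.image)):
            hits.append("unsigned-dll-sideload-from-user-dir")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Pair each flagged event index with the rules it matched."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
STAGED = r"C:\Users\alice\AppData\Local\Apps\2.0\viewer.exe"  # constructed path

# Constructed sample telemetry: two benign events and three matching the rules.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\splwow64.exe", parent_image=EXCEL),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=EXCEL),
    Event("process", STAGED, parent_image=DFSVC),
    Event("imageload", STAGED,
          loaded=r"C:\Users\alice\AppData\Local\Apps\2.0\helper.dll",
          loaded_signed=False),
    Event("imageload", STAGED, loaded=r"C:\Windows\System32\kernel32.dll",
          loaded_signed=True),
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

The ClickOnce rule is deliberately broad: every ClickOnce application runs from the user's profile, so in an estate that uses ClickOnce legitimately it needs an allow-list of known deployment manifests or publishers before it is alerted on rather than just logged. The sideload rule only sees a DLL loaded from beside its host; pairing it with the process-creation event that started that host (as the sample does) is what turns two weak signals into one worth triaging.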

Shared resources across regional groups

Security organizations observe that Sloppy Lemming (also tracked as Outrider Tiger and Fishing Elephant) shares characteristics with other regional groups. Proofpoint monitors several overlapping clusters, including TA397 (Bitter), TA399 (Sidewinder), and TA395 (Frantic Tiger). These groups occasionally use similar thematic lures, share compromised accounts, and focus on the same individuals.

Proofpoint researchers indicate this pattern points to shared resources or coordinated tasking across distinct teams. This could represent different contractors working for the same government client, distinct teams within a larger intelligence framework, or simply the reuse of assets across different operations.

However, independent operational clusters remain. Noushin Shabab, lead security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), tracks groups like Dropping Elephant and Mysterious Elephant, noting they do not overlap with Sloppy Lemming.

"They appear to be separate entities with their own unique characteristics, and we have not found any evidence to suggest that they are operational sub-groups or the same actor," Shabab says. "This distinction is important, as it implies that each group has its own goals and areas of focus, and should be tracked and analyzed separately to fully understand their activities and potential impacts."

Kaspersky notes that Mysterious Elephant focuses primarily on diplomatic, military, and defense institutions. In contrast, Sloppy Lemming concentrates on nuclear, defense and telecommunications providers.

Infrastructure tactics and configuration errors

The shift toward Rust and other memory-safe languages makes reverse engineering more difficult for defenders. Additionally, the adoption of Cloudflare Workers, Pages, and protected domains provides the group with scalable, anonymous infrastructure. Shabab explains that this serverless approach allows threat actors to dynamically serve files, obscure their true C2 locations, and bypass traditional perimeter controls.

Despite these technical upgrades, Sloppy Lemming's operational security remains inconsistent. Their reliance on Excel macros indicates they frequently target environments with permissive security configurations or unpatched software. Furthermore, Arctic Wolf researchers discovered several C2 servers operating with open directories. This configuration error exposed their staging environment and allowed security teams to safely analyze the group's Havoc C2 artifacts and identify encryption keys.

Valenzuela notes that this mix of custom tooling and fundamental configuration errors is characteristic of the group. "Sometimes we always talk about how sophisticated these adversaries may be, but the operational security that these guys have is not on par with a lot of other groups that are usually doing cyber-espionage campaigns," he says. "They continue to be Sloppy Lemming."