A threat actor tracked as SloppyLemming spent an entire year quietly burrowing into Pakistan and Bangladesh's nuclear regulators, navy, power grids, and banks — and then left their own staging servers wide open for anyone to peek inside. That contradiction tells you everything you need to know about this group.
When Arctic Wolf published its March 2026 report on SloppyLemming, it wasn't just another APT writeup. It documented something genuinely notable: a threat actor that had quietly scaled its infrastructure eightfold, developed two previously undocumented malware families, and spent twelve straight months targeting the most sensitive institutions in South Asia — nuclear oversight, defense logistics, national telecommunications — all while leaving its staging servers accidentally exposed to the open internet.
That combination of operational ambition and operational carelessness is the defining signature of this group. But the more you look at the details — the target selection, the timing of the infrastructure surge, the shift from credential theft to persistent backdoor access, the borrowed tooling from a rival nation-state's toolkit — the more this campaign reads less like a technical event and more like a direct response to a rapidly deteriorating geopolitical environment. Understanding that context is what separates a competent threat intelligence report from a genuinely useful one.
This article covers the technical mechanics fully. But it also asks the questions the vendor reports don't: Why did 42 new domains appear in a single month? What does "moderate confidence" attribution actually mean, and what would change it? Why is a suspected India-aligned actor borrowing tools from a suspected Pakistan-origin group to spy on Pakistan? And what does the shift from stealing credentials to living inside networks tell us about how this actor's intelligence tasking changed?
Who Is SloppyLemming?
The name SloppyLemming belongs to Cloudflare's threat intelligence team, Cloudforce One, which first publicly documented this actor in September 2024. The same actor is tracked as Outrider Tiger by CrowdStrike and as Fishing Elephant in other threat intelligence circles. All three names point to the same cluster of activity — a suspected India-aligned espionage operation assessed to have been active since at least July 2021 per Cloudflare's original threat intelligence, with documented Cloudflare Workers abuse beginning in late 2022.
The India-nexus attribution is assessed with moderate confidence, not certainty. CrowdStrike has previously described Outrider Tiger as an adversary employing sophisticated credential harvesting techniques in support of Indian state intelligence collection. Cloudflare's original 2024 report stopped short of making a country-level attribution, noting only that targeting patterns aligned with South Asian regional interests. Arctic Wolf's 2026 research maintains the same measured framing, calling SloppyLemming a "suspected India-aligned threat actor" — language that is worth keeping in mind when reading other coverage that presents the attribution as settled fact.
What is not disputed is the targeting scope. SloppyLemming has consistently gone after government, law enforcement, energy, telecommunications, and technology entities across Pakistan, Bangladesh, Sri Lanka, Nepal, China, and Indonesia — and, based on C2 traffic Cloudflare observed near Canberra in September 2024, potentially Australia as well. Pakistan is the primary target. It always has been.
Earlier campaigns, documented before the 2025 reporting period, relied on a toolkit that included Ares RAT (a tool often linked to the SideCopy threat cluster), WarHawk (associated with SideWinder), and a custom credential harvesting tool called CloudPhish that scraped legitimate webmail portals, injected malicious code, and exfiltrated stolen credentials directly to Discord webhooks. Additionally, some 2024 attacks used booby-trapped RAR archives likely exploiting the WinRAR vulnerability CVE-2023-38831 — a file extension spoofing flaw in WinRAR versions before 6.23 that allowed attackers to execute arbitrary code when a victim opened what appeared to be a benign file inside an archive.
The SideCopy attribution for Ares RAT is worth noting for its geopolitical irony: SideCopy is widely assessed to be a Pakistan-origin actor. A suspected India-aligned group borrowing tools from a suspected Pakistan-origin group to spy on Pakistan is precisely the kind of tradecraft cross-pollination that complicates attribution and makes incident response harder. The Discord credential routing from CloudPhish illustrates that same pattern — technically capable infrastructure decisions (Cloudflare Workers, legitimate cloud services) combined with operationally sloppy tradecraft (routing stolen government credentials through a gaming and community chat platform).
There is a deeper point here about how tool borrowing affects attribution logic. When a threat actor uses commodity tools — Cobalt Strike, Havoc, Ares RAT — the tools themselves provide weak attribution signal because they are used by many different actors. The attribution value shifts to victimology and infrastructure patterns: who was targeted, with what specificity, across what time period, using what naming conventions. SloppyLemming's consistent, years-long focus on Pakistani nuclear oversight, naval operations, defense logistics, and Bangladeshi institutions during periods of India-Bangladesh diplomatic stress is a stronger attribution indicator than any individual tool choice, precisely because that target selection is not randomly replicable. A criminal actor has no financial motivation to target Pakistan's nuclear regulator specifically. A hacktivist has no obvious cause that would produce that specific target profile over three years. The victimological consistency is the primary attribution anchor — the tools are almost beside the point. This is also why the moderate-confidence assessment survives the tool-borrowing evidence: tool mimicry can explain a single campaign, but it does not plausibly explain three years of consistent target selection that tracks India's specific regional intelligence priorities.
Cloudflare Cloudforce One's September 2024 report noted that the actor's poor OPSEC was itself what gave researchers a window into its tooling and operations.
That OPSEC observation from Cloudflare's 2024 report aged extremely well. The 2025-2026 campaign made the same mistake, at greater scale.
The 2025-2026 Campaign: What Changed
Between January 2025 and January 2026, Arctic Wolf tracked what it describes as a direct continuation and significant evolution of the SloppyLemming operations Cloudflare had previously documented. The continuity indicators are strong: same Cloudflare Workers infrastructure abuse, same government-themed typosquatting domain patterns, same Havoc C2 framework, same South Asian victim profile. But the scale and tooling had changed substantially.
Infrastructure: 13 Cloudflare Workers domains (2024) vs. 112 (2025–2026) — an eightfold increase. Three of the 2025–2026 domains were left as open directories, a new OPSEC failure not documented in the 2024 campaign.
Tooling: 2024 campaign used Cobalt Strike, Havoc, NekroWire RAT, and CloudPhish credential harvester. 2026 campaign retains Havoc but adds two previously undocumented custom implants: BurrowShell (in-memory shellcode backdoor) and a Rust-based keylogger/RAT. This is the first documented use of Rust by this actor.
Delivery: 2024 campaign used WinRAR path traversal (via malicious RAR archives exploiting CVE-2023-38831) and credential phishing portals. 2026 campaign uses ClickOnce application manifests and macro-enabled Excel documents — both require victim interaction but exploit trusted Windows mechanisms rather than software vulnerabilities.
Persistence: 2024 documentation focused on credential harvesting. 2026 campaign adds registry-based persistence (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and long-term backdoor access via BurrowShell — indicating a shift from credential theft to sustained network presence.
Attribution confidence: Both reports use "suspected" or "assessed" language. Neither constitutes confirmed government-level attribution. That has not changed.
Key figures: 112 Cloudflare Workers domains registered Jan 2025–Jan 2026; 13 documented in Cloudflare's Sep 2024 report; 42 registered in July 2025 alone; 2 new malware families deployed.
The infrastructure expansion alone is a significant signal. Going from 13 to 112 Cloudflare Workers domains in under a year represents an eightfold increase in operational surface area. The peak registration month — July 2025, with 42 new domains — suggests a coordinated push, not organic growth. Someone made a deliberate decision to scale up. The timing of that surge is worth tracking as additional context emerges.
The tooling evolution is equally significant. Earlier SloppyLemming campaigns relied on borrowed adversary simulation frameworks, specifically Cobalt Strike and Havoc, alongside a custom but conventional RAT called NekroWire; prior reporting also documented Ares RAT (associated with the SideCopy cluster), WarHawk (associated with SideWinder), and the actor's custom credential-harvesting tool CloudPhish, which routed stolen logins through Discord. The 2025-2026 campaign introduced two new malware families that Arctic Wolf believes had not been publicly documented before: a custom x64 shellcode backdoor they named BurrowShell, and a Rust-based keylogger with extended reconnaissance capabilities. The shift to custom Rust tooling marks a maturation in in-house development capacity and makes detection harder, since defenders have fewer historical signatures to work from.
Why July 2025: The Geopolitical Context Behind the Surge
Infrastructure registration peaked at 42 new Cloudflare Workers domains in July 2025. That specific timing is not random, and treating it as a neutral data point means missing the most important piece of context in this entire campaign.
On April 22, 2025, 26 civilians were killed in a terrorist attack in Pahalgam, in Indian-administered Kashmir. India attributed the attack to Pakistan-based militant groups and, on May 7, launched Operation Sindoor — an 88-hour tri-service campaign that began with precision strikes on nine targets associated with Jaish-e-Mohammed and Lashkar-e-Taiba in Pakistan and Pakistan-administered Azad Kashmir, then escalated through Pakistani retaliatory strikes and India's subsequent targeting of Pakistani air bases. Pakistani state media reported that Prime Minister Shehbaz Sharif had convened a meeting of the National Command Authority on May 9 — though Pakistan's Defence Minister Khawaja Asif denied any such meeting took place. Regardless of whether the NCA formally convened, the nuclear signaling was unmistakable: Asif had stated on April 28 that Pakistan would use nuclear weapons only if there was "a direct threat to our existence." India's strikes near the Nur Khan air base — adjacent to Pakistan's Strategic Plans Division, which oversees nuclear forces — alarmed US officials enough that Secretary of State Marco Rubio initiated emergency phone calls beginning at 4:00 PKT on May 10, and US concern about nuclear escalation was explicitly the driver behind the ceasefire intervention. The ceasefire was reached on May 10. The two nuclear-armed neighbors had just fought the most significant military exchange in decades, including what multiple assessments described as the first major drone battle between nuclear-armed states.
July 2025 — the month SloppyLemming registered 42 new domains in a single push — was the immediate post-ceasefire period. India had just conducted strikes against Pakistani territory. Tensions remained acute. Diplomatic de-escalation was still underway. From an intelligence collection standpoint, this is precisely when a state actor would need to know the most about Pakistani nuclear regulatory posture, naval readiness, defense logistics, and telecommunications security. The target list SloppyLemming assembled is not coincidentally identical to the intelligence collection priorities of any government trying to assess Pakistan's military posture after a shooting conflict.
The Bangladesh targeting makes equal sense through this lens, and the full story here is richer than it first appears. On August 5, 2024 — seven months before this campaign began — Prime Minister Sheikh Hasina fled Bangladesh to India following mass student-led protests, ending sixteen years of Awami League rule. The Awami League had been India's closest regional partner: it had handed over ULFA insurgent leaders, cooperated on counterterrorism, and deepened economic connectivity. Its replacement by a Yunus-led interim government hostile to Indian interests was a strategic loss New Delhi was still processing when SloppyLemming's 2025 campaign opened.
The deterioration was rapid and public. In March 2025, Yunus chose China as the destination for his first major state visit, a deliberate signal, and told his hosts that India's northeastern states were "landlocked" and that Bangladesh was the "only guardian of the ocean" that could serve as an extension of the Chinese economy. India reacted with visible anger. By the summer of 2025, Bangladesh's diplomatic posture toward Pakistan had shifted for the first time since the 1971 independence war: direct trade had resumed, senior Pakistani officials had visited Dhaka, and what analysts described as growing warmth in Dhaka's relations with Pakistan and China was alarming Indian strategic planners. Bangladesh's parliamentary elections were scheduled for February 12, 2026, which meant the entire second half of the SloppyLemming campaign window coincided with a contested electoral transition whose outcome India could not predict or control. Elections were held for 299 seats, though two Chattogram constituencies were court-barred from having results published. Of the 297 seats for which results were announced, the BNP-led alliance won 212 (BNP itself winning 209 seats directly), with the Jamaat-led alliance finishing second with 77 seats (Jamaat itself winning 68 directly), producing a new government that would be even less aligned with New Delhi.
India's own Chief of Defence Staff Anil Chauhan delivered a pointed warning at the Observer Research Foundation on July 8, 2025, raising alarms over a budding China-Pakistan-Bangladesh strategic alignment. That speech landed in the same month SloppyLemming registered 42 new domains. Bangladesh was no longer a reliable Indian partner. It had become, from an intelligence-collection standpoint, an active blind spot — and the targeting of Bangladesh Bank, the national power grid, and media organizations reflects exactly the kind of collection that would help a state actor understand the economic vulnerabilities and information environment of a government that had just escaped its orbit.
None of this means the SloppyLemming campaign was directly ordered in response to Operation Sindoor. State-linked cyber espionage operations run on timelines that predate any single political event, and the campaign began in January 2025 — before the Pahalgam attack. But the July surge almost certainly reflects an intensified collection requirement that followed the conflict. When governments fight, they need better intelligence on their adversaries. The 42-domain spike is what that requirement looks like in infrastructure telemetry.
Understanding the geopolitical driver behind an infrastructure surge tells defenders something actionable: this actor's operational tempo is tied to regional political events. Pakistani and Bangladeshi government and infrastructure organizations should treat periods of elevated South Asian political tension — military exchanges, diplomatic crises, major elections — as elevated threat windows requiring heightened vigilance for spear-phishing activity and anomalous outbound HTTPS traffic.
From Credential Theft to Persistent Access: A Strategic Shift
The single most strategically significant finding in Arctic Wolf's report is easy to miss if you are focused on the new malware families. The shift from credential harvesting to persistent backdoor access represents a fundamental change in what this actor has been tasked to do.
Cloudflare's 2024 documentation focused heavily on SloppyLemming's credential harvesting operations. CloudPhish, the actor's custom tool, was built to scrape login portals, capture credentials, and exfiltrate them to Discord. The goal was access tokens and passwords — valuable intelligence in its own right, but a one-time collection event. You steal the credentials, you use them to log in and read what's there, and you move on. The victim may eventually detect the unauthorized access, rotate their credentials, and the window closes.
BurrowShell is a fundamentally different proposition. An in-memory shellcode backdoor that persists across reboots via registry Run keys, disguises its C2 traffic as Windows Update, and supports SOCKS proxy tunneling for lateral movement is not built for one-time access. It is built for extended, undetected residency. The goal is not to read the inbox once — it is to be present on the network for months, capturing everything in real time, pivoting to additional hosts, and maintaining that access even if credentials are rotated.
This shift in tooling is a direct signal about a shift in tasking. A credentialed login is snapshot intelligence. A persistent backdoor is continuous intelligence. The difference between knowing what Pakistan's nuclear regulators were discussing last Tuesday and having real-time visibility into their communications is not a technical distinction — it is a strategic one. Persistent access, combined with the Rust keylogger's port scanning and network enumeration capability, suggests this actor was not just trying to read documents. They were trying to understand the architecture of the networks they were in — mapping out the infrastructure, likely to enable either sustained collection or, if the political situation deteriorated further, to have pre-positioned options.
That word — pre-positioned — deserves attention. Cyber espionage and cyber effects operations share the same early-stage tradecraft. The persistent access BurrowShell establishes could serve purely intelligence collection purposes. It could also serve as a foundation for something else entirely, in a scenario where the political situation deteriorated beyond a ceasefire. That is not what the evidence says happened here. But it is the question that the shift from credential theft to persistent access puts on the table.
SloppyLemming ran two parallel attack paths throughout this campaign, both initiated via spear-phishing. The emails were tailored to their targets — government officials, logistics personnel, nuclear regulatory staff — and the lures were designed to look plausible in those contexts.
Chain One: PDF Lure to BurrowShell
The first chain began with a PDF attachment. The document appeared legitimate but contained a deliberate trick: the page was blurred, with a fake prompt telling the victim their PDF reader was disabled and inviting them to click a download button. That click redirected to a ClickOnce application manifest hosted on one of SloppyLemming's 112 Cloudflare Workers domains.
The ClickOnce manifest deployed two files onto the victim machine: a legitimate, digitally signed Microsoft .NET runtime executable called NGenTask.exe (delivered with the filename OneDrive.exe to blend in) and a malicious loader named mscorsvc.dll. When NGenTask.exe ran, it automatically loaded mscorsvc.dll from the same directory — this is DLL search order hijacking, one of the oldest and most reliable Windows abuse techniques in the book. The loader then decrypted and executed BurrowShell entirely in memory.
The PDF lure itself used two complementary social engineering elements: the document content appeared blurred or redacted, accompanied by a message claiming "PDF reader is disabled" alongside a fake "Download file" button. Both elements work together to manufacture urgency — you cannot read the document you presumably need, and there is an obvious-seeming button to fix it. The blurring prevents the victim from assessing whether the document is worth their time, while the "disabled reader" message provides a plausible technical explanation for why they need to click.
Chain Two: Excel Macro to Rust Keylogger
The second chain used macro-enabled Excel spreadsheets. When a victim opened the file and enabled macros, the document executed code that downloaded a renamed Microsoft binary — this time phoneactivate.exe — and placed it alongside a malicious DLL called sppc.dll. The same DLL sideloading technique applied: the legitimate signed binary loads the malicious DLL from its working directory, which then deploys the Rust-based keylogger payload. Notably, security researchers have observed that in some configurations the malicious macro code can programmatically lower the host's macro security settings, which reduces the degree of user interaction required for subsequent execution — making this chain more dangerous than a standard "enable macros" scenario on inadequately hardened systems.
Both chains achieve code execution through the same fundamental technique — DLL search order hijacking using trusted, signed Microsoft executables — which means both share a common detection opportunity. Any time NGenTask.exe or phoneactivate.exe loads a DLL from a non-standard path, that should be an immediate red flag.
BurrowShell: The Backdoor That Pretends to Be Windows Update
BurrowShell is the more capable of the two implants. It is a full-featured, in-memory x64 shellcode backdoor — meaning it runs entirely in RAM and never writes itself to disk as a standalone file after the initial loader executes, which complicates detection with traditional file-based security tools.
Before releasing BurrowShell at all, the loader performs an anti-sandbox check: it validates whether the parent process is running from an approved directory. If the check fails — as it would inside most automated malware analysis sandboxes — the loader shuts down immediately and exits cleanly, producing no observable malicious behavior. This is a deliberate anti-analysis measure that has meaningful consequences for detection pipelines that rely on automated sandboxing to classify new samples. A sample submitted to a sandbox from a non-standard path gets classified as benign. Only samples submitted from paths the loader considers approved will execute the payload and reveal BurrowShell's true behavior. If your malware analysis pipeline does not account for this, you will see clean sandbox results for what is actually a fully functional backdoor.
When the location check passes, the loader reads an RC4-encrypted file called system32.dll and decrypts it using a hardcoded 32-character key, releasing BurrowShell directly into memory. The file is never written to disk as a standalone executable. Arctic Wolf also notes that BurrowShell uses dynamic API resolution — resolving Windows API function addresses at runtime rather than listing them in the import table — which helps the implant evade static analysis tools that scan for known API call patterns associated with malicious behavior.
Arctic Wolf's March 2026 report describes BurrowShell as a fully capable backdoor giving operators access to file system operations, screenshots, remote shell execution, and SOCKS proxy tunneling — with C2 traffic designed to pass as Windows Update communications and payload protection via RC4 encryption using a 32-character key.
The Windows Update traffic masquerading is particularly clever. Outbound HTTPS traffic to what appears to be Microsoft update infrastructure blends into legitimate network noise on almost every corporate and government network. Defenders who are not doing deep SSL/TLS inspection — and many are not — will miss it entirely. Combined with RC4 encryption using a 32-character key, the C2 communications are protected against passive interception even when the masquerade fails.
Once the location check passes and BurrowShell is decrypted into memory, the loader writes a registry persistence entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to OneDrive.exe (the renamed NGenTask.exe), ensuring the implant reloads automatically on every system reboot. This persistence mechanism is one of the most reliable detection opportunities defenders have — any new Run key created by a .NET runtime binary is an immediate red flag.
Arctic Wolf documented fifteen distinct commands BurrowShell supports, covering the full espionage toolkit: file system browsing and manipulation, screenshot capture, remote shell execution, and SOCKS proxy tunneling. That SOCKS proxy capability is significant — it allows operators to pivot laterally through a compromised network using the infected machine as a relay, without needing to deploy additional implants on new hosts. One foothold becomes a gateway.
The code also contains an internal mechanism referred to as "OneCollector" — language that mimics the naming conventions of legitimate Microsoft telemetry endpoints. This is deliberate obfuscation, designed to make the implant look like expected system behavior to anyone who stumbles across it in memory or a process list.
BurrowShell communicates over port 443 and disguises its traffic as Windows Update. Standard firewall rules will not block it. Effective detection requires behavioral analysis: monitoring for NGenTask.exe spawning unexpected network connections, or flagging HTTPS traffic whose user-agent or certificate details don't match actual Microsoft infrastructure.
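The detection opportunities named across the two chains and the BurrowShell sections above (a signed Microsoft binary loading a DLL from a non-standard path, a Run key written by a .NET runtime binary, and HTTPS from that binary to non-Microsoft hosts) can be expressed as event-log heuristics. This is an added example, not Arctic Wolf's or Cloudflare's code; it assumes Sysmon-style field names, that each event is pre-joined with the acting process's OriginalFileName from its process-create event, and the trusted-directory list, update-host list and sample events are constructed.

```python
"""Detection heuristics for the SloppyLemming execution chains and BurrowShell
persistence/beaconing, run over constructed Sysmon-style events.
Added example; not Arctic Wolf's or Cloudflare's code.
"""
import ntpath
import re

# Signed Microsoft binaries the campaign renamed and sideloaded, mapped to the
# malicious DLL each was observed loading from its own directory.
SIDELOAD_PAIRS = {"ngentask.exe": "mscorsvc.dll", "phoneactivate.exe": "sppc.dll"}

# Directories these binaries legitimately load system DLLs from (assumption).
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\windows\microsoft.net\framework", r"c:\windows\winsxs",
)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Staging locations a user-level loader can write to. AppData is deliberately left
# out because the genuine OneDrive client installs there (false-positive trap).
STAGING_DIR_RE = re.compile(r"\\(temp|downloads)\\", re.I)
# Hosts genuine Windows Update traffic goes to (assumption; tune from proxy logs).
MS_UPDATE_HOST_RE = re.compile(r"(^|\.)(windowsupdate\.com|microsoft\.com|windows\.com)$", re.I)


def _base(path):
    return ntpath.basename(path or "").lower()


def _orig_name(ev):
    """OriginalFileName of the acting process (joined from its process-create event),
    falling back to the on-disk name; this is what defeats the OneDrive.exe rename."""
    return (ev.get("ProcessOriginalFileName") or _base(ev["Image"])).lower()


def check_image_load(ev):
    """Sysmon EID 7: a sideload-prone binary loading its hijacked DLL outside the OS directories."""
    proc, dll = _orig_name(ev), _base(ev["ImageLoaded"])
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if proc not in SIDELOAD_PAIRS or dll != SIDELOAD_PAIRS[proc] or dll_dir.startswith(TRUSTED_DLL_DIRS):
        return None
    on_disk = _base(ev["Image"])
    note = f" (on disk as {on_disk})" if on_disk != proc else ""
    return f"DLL sideloading: {proc}{note} loaded {dll} from {dll_dir}"


def check_registry_set(ev):
    """Sysmon EID 13: Run-key persistence written by a sideloaded binary or pointing at a staging dir."""
    if not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    proc, target = _orig_name(ev), ev.get("Details", "")
    if proc in SIDELOAD_PAIRS:
        return f"Run key written by {proc}: {ev['TargetObject']} -> {target}"
    if STAGING_DIR_RE.search(target):
        return f"Run key points into a staging directory: {ev['TargetObject']} -> {target}"
    return None


def check_network(ev):
    """Sysmon EID 3: a sideloaded binary speaking HTTPS to something other than Microsoft update hosts."""
    proc, host = _orig_name(ev), ev.get("DestinationHostname", "")
    if proc not in SIDELOAD_PAIRS or int(ev.get("DestinationPort", 0)) != 443:
        return None
    if MS_UPDATE_HOST_RE.search(host):
        return None
    return f"Update-masquerade C2 candidate: {proc} -> {host or ev.get('DestinationIp', '?')}:443"


CHECKS = {7: check_image_load, 13: check_registry_set, 3: check_network}


def scan(events):
    """Apply the check matching each event's ID; return the list of alert strings."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: two benign records and four modelled on the page's chains.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\Deployment\OneDrive.exe",
     "ProcessOriginalFileName": "NGenTask.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\Deployment\mscorsvc.dll"},
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\phoneactivate.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\sppc.dll"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\Deployment\OneDrive.exe",
     "ProcessOriginalFileName": "NGenTask.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Temp\Deployment\OneDrive.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "download.windowsupdate.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Local\Temp\Deployment\OneDrive.exe",
     "ProcessOriginalFileName": "NGenTask.exe",
     "DestinationHostname": "update-example.constructed-acct.workers.dev", "DestinationPort": 443},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

Running the block prints four alerts for the six constructed events; the legitimate .NET load and the svchost.exe update check stay silent.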
The Rust Keylogger: A Capability Upgrade Worth Watching
The second implant is a Rust-based keylogger and remote access tool, and its existence is arguably the most strategically important finding in Arctic Wolf's report. Not because of what it does today, but because of what it signals about where this group is heading.
Arctic Wolf flags the shift to Rust as a significant capability evolution — previous documentation of this actor showed only conventional compiled languages and borrowed frameworks like Cobalt Strike, Havoc, and the custom NekroWire RAT.
Note the distinction Arctic Wolf draws: NekroWire was a custom-built RAT, while Cobalt Strike and Havoc are commercial or open-source adversary simulation frameworks that any threat actor can adopt. SloppyLemming was previously capable of writing its own tools, but NekroWire operated within a familiar C-based paradigm. Rust is a different matter.
Rust has become increasingly popular among threat actors precisely because it is harder for security tools to analyze than C or C++. The language produces binaries with unusual memory management patterns that can confuse both static analysis and emulation-based detection. It is also cross-platform and produces small, efficient executables. When a threat actor previously relying on off-the-shelf frameworks suddenly starts writing Rust, it indicates growing in-house development capability — a team that is investing in its own tooling rather than borrowing from others.
The Rust keylogger in this campaign goes beyond simple keystroke capture. It includes remote command execution, file operations, port scanning, and network enumeration. That combination turns a keylogger into a full reconnaissance platform: operators can capture credentials as they are typed, scan the local network for additional targets, and exfiltrate files of interest — all from one implant.
The division of labor between the two implants is worth noting. BurrowShell handles persistence, C2 communication, and network tunneling — it is the long-term access tool. The Rust keylogger handles collection and local discovery — it is the intelligence-gathering tool. Deploying both means the actor has redundancy: if one implant is detected and removed, the other may survive. It also means the actor can tailor its approach per target, deploying only the tool appropriate to what they need from a given network.
112 Cloudflare Domains and an Open Directory Problem
SloppyLemming's use of Cloudflare Workers infrastructure is not new — it has been a defining characteristic of this actor since at least 2021. What is new is the scale and what it accidentally revealed.
Cloudflare Workers is a legitimate serverless computing platform. Scripts running on Workers can intercept web requests, redirect traffic, log data, and serve files. They live on *.workers.dev subdomains, which are free to create at volume and benefit from Cloudflare's global CDN, making the resulting domains fast, resilient, and difficult to block without also blocking legitimate Cloudflare traffic. For a threat actor, this is nearly ideal infrastructure: cheap, fast, and hidden behind a trusted provider's reputation.
SloppyLemming registered 112 such domains between January 2025 and January 2026 — up from the 13 Cloudflare had documented in its 2024 report. Each domain was named to impersonate a real organization: the Pakistan Nuclear Regulatory Authority, Pakistan Navy, Dhaka Electric Supply Company, Bangladesh Bank, and others. The typosquatting was deliberate and targeted — these weren't generic phishing domains, they were purpose-built lures aimed at specific institution employees who would recognize the names.
But here is where the sloppy in SloppyLemming earns its keep. Three of those 112 Workers instances were left configured as open directories — publicly accessible file listings that exposed staged malware to anyone who knew where to look. Researchers found BurrowShell components and Havoc framework loaders sitting there, each secured with distinct RC4 encryption keys. Those open directories handed Arctic Wolf both tooling samples and confirmation that Havoc was still in active use alongside the new custom implants.
This is a group sophisticated enough to write custom Rust malware, disguise C2 traffic as Windows Update, and build 112 convincingly named government-impersonation domains — yet careless enough to leave three of those domains as open file directories. This pattern is consistent with Cloudflare's 2024 observation that SloppyLemming "displays a lack of operational security." The mistakes are not random; they suggest a team that invests heavily in offensive capability but does not apply equal rigor to operational hygiene.
The infrastructure peak in July 2025 — 42 new domains in a single month — also inadvertently provided a timestamp. That burst of registration activity is the kind of operational signal that threat intelligence teams can use to reconstruct campaign timelines and cross-reference with victim incident reports.
The Cloudflare Workers Problem Nobody Is Solving
SloppyLemming has used Cloudflare Workers infrastructure in every documented campaign, spanning from at least late 2022 through January 2026. That is more than three years of continuous abuse of the same platform. The question worth asking is not just how defenders can monitor for it — but why it remains so useful and what, if anything, has been done about it.
Cloudflare Workers is a legitimate serverless computing platform with genuine and widespread enterprise use. Scripts run at Cloudflare's edge network, benefiting from global CDN coverage, automatic HTTPS, and the trusted reputation of Cloudflare's IP ranges. That last point is the crux: because legitimate traffic also flows through *.workers.dev, blanket blocking by IP or domain suffix would cause significant collateral damage. Security teams are understandably reluctant to block Cloudflare wholesale.
What makes the platform specifically attractive for an actor like SloppyLemming is the combination of features: free subdomain creation at scale (enabling 112 domains without meaningful cost), naming flexibility (enabling precise government-impersonation typosquatting), and traffic that blends into enterprise network baselines because many organizations have legitimate Workers traffic. The Cloudflare infrastructure also provides resilience — if one Workers domain is flagged or taken down, others continue to operate, and new ones can be spun up within minutes.
Cloudflare has noted SloppyLemming's abuse in its own public reporting. The company's Cloudforce One team published the September 2024 report that first named this actor. But between the 13 domains documented in that report and the 112 documented in Arctic Wolf's March 2026 report, the infrastructure scaled eightfold on the same platform. That does not mean Cloudflare failed to act: takedowns may have occurred that are not visible in public reporting, and the actor may simply have re-registered. But the public record shows no meaningful disruption to SloppyLemming's Workers-based infrastructure over three-plus years of documented use.
For defenders, this means the realistic goal is not to eliminate Workers-based C2 — it is to detect it early. The naming patterns SloppyLemming uses are consistent: government agency names, telecom provider names, financial institution names, always on *.workers.dev. Threat intelligence teams maintaining watch lists of recently registered Workers subdomains matching critical infrastructure naming patterns would have had significant early warning across this campaign. Most do not have that capability today, which is an argument for building it.
The target list is the clearest window into the strategic intent behind this campaign. This was not opportunistic scanning or ransomware deployment. Every organization SloppyLemming touched falls into a category of direct intelligence value to a state-level actor interested in South Asian regional competition.
In Pakistan, the targets included the Pakistan Nuclear Regulatory Authority (PNRA), the Pakistan Navy, the National Logistics Corp, the Special Communications Organization (SCO), and Pakistan Telecommunication Company Limited (PTCL). These are not random government offices — they represent nuclear oversight, naval operations, military logistics, secure government communications, and national telecom infrastructure. If you were tasked with understanding Pakistan's defense posture, military supply lines, and communications security, these are exactly the organizations you would target.
In Bangladesh, the focus shifted toward economic and energy infrastructure: the Power Grid Company of Bangladesh (PGCB), the Dhaka Electric Supply Company (DESCO), and Bangladesh Bank, alongside media organizations. Access to a national bank and power grid operator provides very different intelligence value than military targets — but it is still high-value collection for an actor assessing a country's economic stability and critical infrastructure vulnerabilities. The inclusion of media organizations is consistent with the actor's interest in monitoring public communications and information flows. At least one of the spear-phishing emails impersonated a Bangladeshi financial institution, according to reporting by The Record.
Arctic Wolf's report also identifies Sri Lanka as a secondary target in this 2025–2026 campaign, with activity directed specifically at defense-related entities there. This is consistent with SloppyLemming's historical targeting of Sri Lankan government and military organizations documented by Cloudflare in 2024, but represents a confirmed continuation of that interest into the current campaign.
Arctic Wolf Labs notes that the campaign's specific focus — Pakistan's nuclear regulators, defense logistics, and telecom infrastructure alongside Bangladesh's power utilities and financial institutions — maps directly onto intelligence collection priorities that reflect South Asia's broader regional competition.
One detail that stands out in the historical record: Cloudflare's 2024 report noted a non-trivial amount of C2 traffic geolocated to Canberra, Australia. That observation has not been followed up in the 2026 reporting, but it raises a question worth watching — whether SloppyLemming's targeting scope is expanding beyond its established South Asian theater. Australia's capital is home to government and intelligence infrastructure that would be consistent with the actor's established collection priorities.
It is also worth noting that some of SloppyLemming's ClickOnce execution techniques overlap with a SideWinder campaign documented by Trellix in October 2025 — specifically the use of PDF-based lures and ClickOnce-enabled execution flows. The resemblance is real but the details differ in ways that matter. SideWinder's PDF lures prompted victims to download the "latest version of Adobe Reader" to view the document, while SloppyLemming's PDFs used a blurred-page trick with a fake "Download file" button. SideWinder's campaign also targeted a European embassy in New Delhi and South Asian diplomatic targets, whereas SloppyLemming's victim set was squarely focused on Pakistani and Bangladeshi government and critical infrastructure. The two groups are not assessed to be the same actor. Arctic Wolf identifies three meaningful distinctions: SideWinder has not been documented using the Havoc C2 framework; SideWinder typically demonstrates more polished operational security; and the use of Rust-based custom tooling is more consistent with SloppyLemming's profile. The overlapping technique most likely reflects independent adoption of an effective delivery mechanism rather than shared infrastructure or collaboration.
What "Moderate Confidence" Attribution Actually Means
Every major report on SloppyLemming uses careful language: "suspected India-aligned," "India-nexus," "assessed with moderate confidence." That phrasing is not hedging or legal caution — it is technically precise language that carries real meaning, and many coverage pieces treat it as boilerplate rather than engaging with what it actually tells us.
In threat intelligence practice, attribution confidence levels reflect the quality and type of evidence available. Low confidence means behavioral overlap and circumstantial indicators. Moderate confidence means a stronger pattern of evidence — consistent targeting that serves a specific state's known collection priorities, infrastructure and tooling reliably associated with a specific cluster over time, and victim selection that does not make sense for any other assessed adversary type. High confidence typically requires technical evidence directly linking infrastructure to known state facilities, corroboration from signals or human intelligence outside the open-source record, or an admission by the actor or sponsor.
Arctic Wolf is explicit about exactly why this campaign sits at moderate and not high confidence. Its report cites three limiting factors: limited unique technical indicators (the techniques used are publicly documented and could be adopted by others), a realistic potential for TTP mimicry given how extensively SloppyLemming's prior operations have been described in public, and, critically, the absence of direct infrastructure overlap with previously attributed campaigns. That third factor is the most important: the 112 new Workers domains do not share identifiable infrastructure with earlier documented SloppyLemming activity in a way that would rule out a copycat. The behavioral and victimological case is strong. The technical uniqueness case is not airtight.
SloppyLemming sits at moderate confidence because the open-source case is strong but not conclusive. The targeting — Pakistani nuclear regulators, naval commands, defense logistics, Bangladesh's central bank and power grid in a period when Bangladesh was actively shifting away from India toward China and Pakistan — is consistent with Indian state collection priorities. CrowdStrike's Outrider Tiger attribution predates Cloudflare's public naming and reflects additional intelligence that has not been fully published. The multi-year consistency of the actor's infrastructure choices and victim profile points to an organized, funded operation rather than a criminal or hacktivist group. But the possibility that a sophisticated actor is deliberately mimicking SloppyLemming TTPs to achieve deniability — or to implicate India — cannot be fully ruled out on public evidence alone. Arctic Wolf acknowledges this directly.
What would move this to high confidence in the open-source record? Technical evidence directly linking the Workers domains or malware infrastructure to known Indian government IP space or procurement records. Leaked internal communications. A law enforcement action that names individuals. None of those things have appeared publicly. The practical implication: organizations responding to a SloppyLemming intrusion can make an operational assessment consistent with state-sponsored espionage serving Indian collection priorities. They cannot make a definitive attribution that would survive legal or diplomatic scrutiny. That distinction matters enormously when translating threat intelligence into policy decisions.
The Defender Reality in the Targeted Countries
Most threat intelligence reporting on South Asian APT campaigns is written for a Western enterprise security audience. The detection and remediation guidance — deploy WDAC, implement SAC, run SIEM hunting queries, monitor SNI fields in TLS traffic — assumes a baseline of security tooling and operational maturity that is common in large US or European government organizations but considerably less common in the specific institutions SloppyLemming targeted. Understanding what defenders are actually working with matters for evaluating how seriously to take the breach implications.
Pakistan's national cybersecurity posture is improving but uneven. Pakistan established a National Computer Emergency Response Team (NCCERT/PakCERT) and has enacted cybersecurity legislation, but government agencies — particularly in the defense and nuclear regulatory sectors — operate networks of mixed maturity, with a significant legacy infrastructure footprint and inconsistent patching discipline. The Pakistan Nuclear Regulatory Authority and similar entities operate with strong physical security requirements but are not the same as hardened cyber-defense organizations. The specific combination of techniques SloppyLemming used — signed Microsoft binaries, ClickOnce (a trusted Windows delivery mechanism), disguised traffic on port 443 — was calibrated to succeed in environments where endpoint detection is immature and network inspection is limited. This was not accidental target selection.
Bangladesh's civilian critical infrastructure — particularly its power utilities and the central bank — has a documented history of security gaps. The Bangladesh Bank heist of 2016, in which attackers extracted $81 million from the bank's Federal Reserve account via fraudulent SWIFT messages, established a public record of serious security weaknesses in that institution that persisted into the current campaign period. It would be incorrect to assume those weaknesses were fully remediated in the intervening years. The 2016 breach was ultimately attributed to the Lazarus Group, not SloppyLemming, but the same institutional vulnerabilities that allowed that compromise — weak network segmentation, insufficient monitoring, targeted phishing efficacy against government employees — are precisely the conditions SloppyLemming's two attack chains are designed to exploit.
This matters for the "was the access remediated" question. Both of SloppyLemming's attack chains rely on victim interaction rather than unpatched vulnerabilities. BurrowShell requires a user to click a fake download button inside a PDF. The Rust keylogger requires a user to open a macro-enabled Excel file and permit macro execution. These are social engineering chains, not zero-days. They will succeed in any environment where security awareness training has not specifically covered ClickOnce lures and macro-enabled documents from external sources — and they will succeed even in environments where those topics have been covered, because spear-phishing is calibrated to defeat training. The named impersonation of the Pakistan Nuclear Regulatory Authority and Bangladesh Bank in domain names is not decorative. It is the mechanism by which a recipient is made to believe the communication is legitimate. A PNRA employee who receives a document that appears to come from pnra-gov.workers.dev and presents itself as a regulatory filing or policy update faces exactly the social engineering scenario for which no amount of general awareness training provides reliable defense.
The Silence from the Targeted Institutions
One question the vendor reports do not address — and that distinguishes this coverage from every other writeup of this campaign — is the question of official response. Have the Pakistan Nuclear Regulatory Authority, the Pakistan Navy, Bangladesh Bank, or any of the named targeted organizations publicly acknowledged being targeted? The short answer is no. There have been no public statements from PNRA, the National Logistics Corp, Pakistan's Special Communications Organization, the Power Grid Company of Bangladesh, or Bangladesh Bank acknowledging compromise or ongoing investigation related to SloppyLemming activity. That silence is itself informative.
There are several plausible explanations, not mutually exclusive. The first is that the targeted organizations have not detected the intrusions, which, given BurrowShell's evasion design and the defender capability gaps discussed above, is a realistic possibility and not a criticism. The second is that detection occurred but was handled internally without public disclosure, the standard posture for national security-adjacent institutions in Pakistan and Bangladesh, neither of which has a mandatory breach notification regime comparable to US or EU frameworks. The third is that detection occurred, attribution analysis is ongoing, and diplomatic considerations are shaping whether and how to respond publicly, which is how governments typically handle state-sponsored intrusions when naming the suspected sponsor could reignite a confrontation between two nuclear-armed states that had only recently stepped back from open fighting.
Pakistan's National Computer Emergency Response Team (NCCERT/PakCERT) was established precisely to coordinate national cyber incident response, and Bangladesh's BGD e-GOV CIRT performs a similar function. Neither has published any public advisory, indicator, or acknowledgment related to this campaign in the period covered by public reporting. That does not mean they are unaware — internal classified coordination may be occurring. But the gap between detailed public threat intelligence from Western security vendors and any official response from the targeted governments is worth naming explicitly. It reflects a deeper asymmetry in the global threat intelligence ecosystem: the organizations with the resources to research and publish are in the West; the organizations being targeted are in South Asia; and the information does not always flow in the direction most useful for defenders on the ground.
There is also the two-way dimension of regional cyber conflict that the SloppyLemming reporting does not address. India is not only a source of cyber operations in South Asia — it is also a target. During and after the May 2025 conflict, Pakistani threat actors and hacktivist groups launched cyber operations against Indian government websites, energy infrastructure, and financial systems. Pakistan's own state-linked cyber actors, including groups tracked as Transparent Tribe (APT36) and SideCopy, have been running persistent campaigns against Indian military and government targets for years. The India-Pakistan cyber conflict is bidirectional, and characterizing SloppyLemming as an actor in a one-sided espionage narrative misses the broader context: both states are conducting offensive cyber operations against each other, and the distinction between espionage and pre-positioning for effects is not a question India has to answer alone. Pakistan's own cyber operators face the same question about their access to Indian networks.
Western threat intelligence vendors have the research capacity to produce detailed public reports like Arctic Wolf's March 2026 analysis. The organizations actually being targeted — Pakistani nuclear regulators, Bangladeshi power utilities — typically lack equivalent research arms and may first learn of their own compromise through reading a vendor blog post. A structural improvement to the global threat intelligence ecosystem would include direct, confidential pre-publication notification to affected governments through channels like CERT-to-CERT communication. There is no public indication that this occurred in this campaign, and the sources list at the end of this article does not include any statement from affected organizations — because none exists.
Espionage or Pre-Positioning? The Question Nobody Is Asking Out Loud
The article-level conversation about SloppyLemming has focused almost entirely on the intelligence collection dimension: stolen credentials, captured keystrokes, exfiltrated documents. That framing is accurate as far as it goes. But it stops short of the more uncomfortable question that the shift to persistent access and SOCKS proxy tunneling puts directly on the table.
Espionage and offensive cyber operations share early-stage tradecraft. BurrowShell's fifteen-command capability set — file manipulation, screenshot capture, shell execution, network tunneling, persistent registry-based survival — is indistinguishable from a pre-positioned access framework. The same foothold that lets an intelligence collector read communications in real time is the same foothold that lets an operator, if tasked, disrupt or destroy systems. The SOCKS proxy that enables lateral movement for intelligence-gathering purposes equally enables lateral movement for a sabotage operation. These are not two different technical capabilities; they are the same capability applied toward different ends.
This matters in the current context for a specific reason. Pakistan is a nuclear-armed state that, as of May 10, 2025, had just engaged India in its most significant military exchange in decades. Pakistani nuclear signaling was explicit throughout the conflict: Pakistani Defence Minister Khawaja Asif stated in an April 28 Reuters interview that Pakistan would only use nuclear weapons if there was "a direct threat to our existence." Pakistani state media then claimed the National Command Authority convened on May 9 — a claim the Pakistani government's own Defence Minister later denied — but the ambiguity itself was part of the signaling architecture. India's strike on the Nur Khan air base, located near Pakistan's military headquarters and the Strategic Plans Division that oversees Pakistan's nuclear forces, alarmed US officials enough that Secretary of State Marco Rubio initiated emergency phone calls beginning at 4:00 PKT on May 10, with the US administration specifically concerned about nuclear escalation, according to subsequent reporting by Reuters and The New York Times. The ceasefire was brokered in part because that concern became acute. In that environment, persistent access to Pakistan's nuclear regulator is not just an intelligence collection achievement. It is potentially a strategic asset of an entirely different order, depending on what instructions an operator receives if the political situation deteriorates past a ceasefire line.
The available evidence indicates this campaign's purpose was intelligence collection. Arctic Wolf characterizes it as cyber espionage. There is no evidence of destructive payloads or operational interference. But the question of whether the persistent access established during this campaign could be repurposed — and whether any of that access survived into the post-report period — is a legitimate policy question that the technical reporting does not and cannot answer. Defenders and policymakers at the targeted organizations should be asking it explicitly.
The Structural Fix Cloudflare Has Not Made
The Cloudflare Workers abuse problem is not unique to SloppyLemming. According to data published by cybersecurity firm Fortra in late 2024, phishing attacks abusing Workers had increased by 104% year-over-year, climbing from roughly 2,400 incidents in 2023 to nearly 5,000 incidents in 2024. Cloudflare's own 2026 Threat Report, published on March 3, 2026, acknowledged an accelerating pattern of nation-state actors shifting from "mere infrastructure abuse toward pervasive living-off-the-land" via cloud platforms — a tactic Cloudflare's Cloudforce One team labels "Living off the XaaS," or LotX. SloppyLemming is one of the documented practitioners of this approach, but the 2026 report identifies Chinese-affiliated groups using Google Calendar event descriptions to pass encrypted commands to infected hosts, and Iranian-linked groups hosting C2 pages on Azure Web Apps. The problem is structural and industry-wide.
What makes Cloudflare Workers specifically attractive is a combination of features that no individual fix addresses cleanly. Free subdomain creation at volume with no meaningful friction for domain registration. Naming flexibility that enables precise impersonation of government institutions. Traffic that blends into enterprise network baselines because many organizations have legitimate Workers dependencies. HTTPS by default. Global CDN resilience. For SloppyLemming specifically, the ability to register 112 domains naming the Pakistan Nuclear Regulatory Authority, Pakistan Navy, Bangladesh Bank, and Dhaka Electric Supply Company — for free, without verification, within minutes — is a consequence of deliberate product design choices, not an edge case Cloudflare failed to anticipate.
The question worth asking directly: what structural changes could Cloudflare make? Blanket blocking of *.workers.dev is not a realistic option. But several targeted interventions are technically feasible and have not been publicly implemented. First, rate-limiting or verification requirements for subdomain registrations that closely match known government and critical infrastructure entity names — the same kind of brand protection already practiced on traditional domain registrars. Second, proactive notification to named organizations when a Workers subdomain impersonating them is registered. Third, a structured threat intelligence sharing arrangement with the governments whose institutions are being impersonated at scale — the Pakistani government, the Bangladesh central bank — so they can at minimum know when their names are appearing on attacker infrastructure. None of these eliminate the abuse vector. All of them meaningfully reduce the attacker's operational advantage.
Cloudflare Cloudforce One published the original SloppyLemming report in September 2024. The company documented the abuse in detail, named the actor, and identified 13 Workers domains. By the time Arctic Wolf published in March 2026, it had documented 112 more. The public record contains no indication of meaningful structural changes to how Workers subdomains are provisioned or monitored between those two events. That is not a judgment about Cloudflare's good faith; it is an observation about the gap between publishing threat intelligence and implementing platform-level changes that would constrain the actor the intelligence describes.
The good news, if there is any, is that both of SloppyLemming's attack chains depend on victim action. The PDF chain requires clicking a fake download button. The Excel chain requires opening a macro-enabled document from an external source (and the macro itself may attempt to lower the host's security settings to reduce friction). Neither exploits an unpatched vulnerability — both exploit human behavior and weak security controls. That means defenders have actionable options.
Both chains map cleanly to documented MITRE ATT&CK techniques:
| Technique ID | Name | How SloppyLemming Uses It |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Both chains initiated via targeted phishing emails with PDF or Excel attachments tailored to government / infrastructure targets |
| T1574.002 | DLL Side-Loading | NGenTask.exe loads mscorsvc.dll (Chain 1); phoneactivate.exe loads sppc.dll (Chain 2) — both legitimate signed binaries loading malicious DLLs from working directory |
| T1056.001 | Keylogging | Rust-based keylogger captures keystrokes, deployed via Chain 2 |
| T1090 | Proxy | BurrowShell SOCKS proxy capability enables lateral movement through compromised networks using infected host as relay |
| T1547.001 | Registry Run Keys / Startup Folder | BurrowShell writes persistence entry under HKCU\...\Run pointing to renamed NGenTask.exe (OneDrive.exe) |
| T1036 | Masquerading | NGenTask.exe renamed OneDrive.exe; BurrowShell C2 traffic mimics Windows Update; code references "OneCollector" to mimic Microsoft telemetry naming |
| T1583.006 | Acquire Infrastructure: Web Services | 112 Cloudflare Workers domains registered for payload delivery and C2 routing, named to impersonate real government organizations |
On the email and document side, organizations should block or heavily scrutinize PDFs containing embedded URLs pointing to *.workers.dev domains. Macro execution in Office documents received from external sources should be disabled by policy unless there is an explicit, reviewed business need. The second infection chain dies entirely if macros are off.
On the endpoint side, detection rules should key on the two DLL names the chains actually abuse rather than on "any deviation" from the host binaries' load behavior: NGenTask.exe and phoneactivate.exe legitimately load dozens of system DLLs, so a rule that fires on every load from outside their install directories will drown in noise. The precise tells are mscorsvc.dll loaded from anywhere other than the .NET Framework directory, sppc.dll loaded from anywhere other than System32, and either host binary executing from a user-writable path or under another file name (Sysmon Event ID 7 records the loading process and the full path of the loaded image; Event ID 1's OriginalFileName field survives a rename to OneDrive.exe). Unexpected entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run (the registry persistence location SloppyLemming used), especially values written by those processes or pointing at a OneDrive.exe outside the OneDrive install directory, should trigger alerts.
On the network side, monitoring outbound connections to *.workers.dev domains is increasingly worthwhile. This is not about blocking Cloudflare — it is about inspecting traffic to Workers subdomains that match government or critical infrastructure naming patterns, or that were registered recently.
SSL/TLS inspection deserves a more specific explanation than "inspect HTTPS traffic." BurrowShell disguises its C2 as Windows Update traffic over port 443. The tell is a mismatch between what the traffic claims to be and where it actually terminates. Genuine Windows Update sessions go to Microsoft-operated hostnames such as windowsupdate.microsoft.com or update.microsoft.com, with certificates issued by Microsoft-operated CAs; BurrowShell's C2, running through Cloudflare Workers, terminates on Cloudflare's edge under a *.workers.dev name with a Cloudflare-provisioned certificate. Two caveats decide what you can see without decryption. First, the Server Name Indication (SNI) in the TLS ClientHello is sent in the clear unless Encrypted Client Hello is negotiated (Cloudflare offers ECH), so SNI logging at the proxy, in Zeek, or in firewall telemetry exposes the *.workers.dev destination for most sessions before the encrypted channel is established. Second, in TLS 1.3 the server's Certificate message is encrypted, so certificate-based checks need a decrypting proxy or a TLS 1.2 session; do not build the detection on certificate fields alone. The strongest signal is often host-side rather than network-side: real Windows Update traffic originates from Windows' own service processes, not from a renamed NGenTask.exe, so pairing network connections with the originating process (Sysmon Event ID 3 records both) separates the two cleanly. Any session whose cadence resembles Windows Update but whose SNI, certificate or originating process points somewhere other than Microsoft's update infrastructure is worth immediate investigation.
```text
# Endpoint: the sideloaded DLL names loading from anywhere but their home directory
#   mscorsvc.dll loaded from outside %SystemRoot%\Microsoft.NET\Framework*\ (NGenTask.exe host)
#   sppc.dll loaded from outside %SystemRoot%\System32\ (phoneactivate.exe host)
#   NGenTask.exe or phoneactivate.exe executing from a user-writable path, or under another name
# Network: outbound HTTPS (SNI) to *.workers.dev subdomains matching
#   government, telecom or financial naming patterns
# Registry: new Run values written by the .NET or phone-activation host processes
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
```
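The endpoint rules above, carried into working detection logic as an added example for this article; it is not Arctic Wolf's or Cloudflare's detection content. It runs over constructed Sysmon-style records for Event IDs 1 (ProcessCreate), 7 (ImageLoad) and 13 (RegistryValueSet). The install directories it treats as legitimate for NGenTask.exe, phoneactivate.exe, mscorsvc.dll and sppc.dll are assumptions stated in the code, and the sample paths, file names and SID are invented:

```python
"""Endpoint hunt for the two sideloading chains, over constructed Sysmon-style
events. Added example for this article, not vendor detection content. Field
names follow Sysmon's Event ID 1, 7 and 13 schema; the directories below are
assumptions about where each binary and DLL legitimately lives."""
import ntpath
from typing import Callable, Dict, Iterable, List, Optional

# Assumption: the only legitimate homes for the two sideloaded DLL names.
# mscorsvc.dll belongs beside NGenTask.exe under the .NET Framework directory;
# sppc.dll belongs in System32 (SysWOW64 for 32-bit processes).
EXPECTED_DLL_DIRS = {
    "mscorsvc.dll": ("c:\\windows\\microsoft.net\\framework",),   # Framework and Framework64
    "sppc.dll": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
}
# Assumption: where each signed host binary normally runs from.
EXPECTED_HOST_DIRS = {
    "ngentask.exe": "c:\\windows\\microsoft.net\\framework",
    "phoneactivate.exe": "c:\\windows\\system32",
}
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def sideloaded_dll(event: Dict) -> Optional[str]:
    """Event ID 7: a watched DLL name loaded from outside its expected
    directory, whatever the loading process happens to be called."""
    loaded = _norm(event["ImageLoaded"])
    dll = ntpath.basename(loaded)
    allowed = EXPECTED_DLL_DIRS.get(dll)
    if allowed is None:
        return None
    loaded_from = ntpath.dirname(loaded)
    if not any(loaded_from.startswith(prefix) for prefix in allowed):
        return f"{dll} sideloaded by {ntpath.basename(_norm(event['Image']))} from {loaded_from}"
    return None


def relocated_host_binary(event: Dict) -> Optional[str]:
    """Event ID 1: a host binary copied out of its install directory or renamed
    (NGenTask.exe running as OneDrive.exe). OriginalFileName comes from the PE
    version resource, so renaming the file on disk does not change it."""
    original = event.get("OriginalFileName", "").lower()
    expected_dir = EXPECTED_HOST_DIRS.get(original)
    if expected_dir is None:
        return None
    image = _norm(event["Image"])
    if not image.startswith(expected_dir) or ntpath.basename(image) != original:
        return f"{original} running as {image}"
    return None


def run_key_by_host_binary(event: Dict) -> Optional[str]:
    """Event ID 13: a Run-key value written by one of the host binaries. The
    event carries no OriginalFileName, so join it from the writer's Event ID 1
    first (done inline in the sample below)."""
    target = _norm(event["TargetObject"])
    if RUN_KEY_FRAGMENT not in target:
        return None
    writer = (event.get("OriginalFileName") or ntpath.basename(event["Image"])).lower()
    if writer in EXPECTED_HOST_DIRS:
        return f"{writer} wrote Run value {target} -> {event.get('Details', '')}"
    return None


CHECKS: Dict[int, Callable[[Dict], Optional[str]]] = {
    1: relocated_host_binary, 7: sideloaded_dll, 13: run_key_by_host_binary,
}


def hunt(events: Iterable[Dict]) -> List[str]:
    """Apply the check matching each event's ID; one line per finding."""
    findings = []
    for event in events:
        check = CHECKS.get(event.get("EventID"))
        reason = check(event) if check else None
        if reason:
            findings.append(reason)
    return findings


# Constructed sample telemetry: both chains plus benign noise for each rule.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},   # benign
    {"EventID": 7, "Image": r"C:\Users\analyst\AppData\Roaming\Updates\OneDrive.exe",
     "ImageLoaded": r"C:\Users\analyst\AppData\Roaming\Updates\mscorsvc.dll"},          # chain 1
    {"EventID": 1, "Image": r"C:\Users\analyst\AppData\Roaming\Updates\OneDrive.exe",
     "OriginalFileName": "NGenTask.exe"},                                               # chain 1
    {"EventID": 7, "Image": r"C:\Users\analyst\Downloads\phoneactivate.exe",
     "ImageLoaded": r"C:\Users\analyst\Downloads\sppc.dll"},                             # chain 2
    {"EventID": 7, "Image": r"C:\Windows\System32\phoneactivate.exe",
     "ImageLoaded": r"C:\Windows\System32\sppc.dll"},                                    # benign
    {"EventID": 13, "Image": r"C:\Users\analyst\AppData\Roaming\Updates\OneDrive.exe",
     "OriginalFileName": "NGenTask.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\analyst\AppData\Roaming\Updates\OneDrive.exe"},               # chain 1 persistence
    {"EventID": 13, "Image": r"C:\Program Files\Installer\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Installer",
     "Details": r"C:\Program Files\Installer\agent.exe"},                               # benign
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Run against the sample, the hunt fires four times (the chain 1 DLL load, the relocated NGenTask.exe, the chain 2 DLL load and the Run-key write) and stays quiet on the three benign records. The point of keying on the DLL names rather than the host binaries is the false-positive rate: these Microsoft binaries load many DLLs legitimately, but mscorsvc.dll and sppc.dll have exactly one place each they should come from.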
Arctic Wolf has published YARA rules specifically tuned for BurrowShell and the Rust keylogger implants. Organizations with threat hunting capability should deploy those against memory captures and endpoint telemetry. The full technical report and indicators of compromise are available directly from Arctic Wolf's blog.
For organizations seeking a structural defense rather than reactive detection, Windows Defender Application Control (WDAC) and Smart App Control (SAC) deserve serious consideration. Both SloppyLemming chains depend on a legitimate signed binary loading an attacker-supplied DLL. WDAC applies code integrity to DLLs as well as executables, so an enforced policy that only trusts DLLs signed by approved publishers (or residing under paths only administrators can write to) blocks the malicious DLL at load time regardless of how trusted the loader is, before any malware reaches memory. Two caveats: SAC can only be turned on from a clean Windows 11 installation, so it is not a retrofit option for an existing fleet, and WDAC should be rolled out in audit mode first, because complex government network environments with legacy software dependencies will surface many blocks that need explicit allow rules. This is not a trivial deployment, but it represents the closest thing to a structural countermeasure against this specific class of DLL sideloading abuse.
On the Workers domain monitoring front, organizations in Pakistani and Bangladeshi government and critical infrastructure sectors should consider asking their threat intelligence providers to build ongoing watch lists of newly registered *.workers.dev subdomains that match their organization names or the names of peer institutions. The naming patterns SloppyLemming uses are consistent and predictable: government agency names, telecom provider names, financial institution names, always in a *.workers.dev format.
Certificate Transparency (CT) monitoring is worth explaining specifically because it is underused. When any HTTPS certificate is issued — including those Cloudflare automatically provisions for Workers subdomains — a record is logged in publicly accessible CT logs operated by entities like Google (crt.sh aggregates these). Organizations can query these logs programmatically for certificate entries containing their name or known peer institutions. A Workers subdomain impersonating the Pakistan Nuclear Regulatory Authority would generate a CT log entry containing "pnra" or "nuclear" well before any phishing email is sent. Tools like Cert Spotter, Certstream, or direct queries to crt.sh can automate this monitoring. Setting up alerts for newly logged certificates matching a watchlist of organization name strings — especially those on *.workers.dev — would provide genuine advance warning of infrastructure buildout targeting your sector. This is not a theoretical capability; it is a free, publicly available data feed that threat intelligence teams are simply not consuming systematically for this use case.
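The watch-list idea described above for Workers subdomain names, SNI values and Certificate Transparency entries, as an added example that is not part of the article or of any vendor's or crt.sh's tooling. It assumes crt.sh's JSON output shape (a name_value field with newline-separated names and an ISO-formatted not_before) and that an impersonating account label such as pnra-gov shows up in the logged name, possibly behind a wildcard prefix; the JSON, the SNI list and the watch-list fragments are constructed for the demonstration, and the crt.sh query URL is only built, not sent:

```python
"""Watch-list matching for Workers subdomains seen in Certificate Transparency
entries or in TLS SNI telemetry. Added example for this article, not vendor or
crt.sh tooling. The JSON below is constructed to look like crt.sh output and
the watch list is an illustrative subset."""
import json
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

from urllib.parse import quote

CRTSH = "https://crt.sh/?q={pattern}&output=json"

# Illustrative name fragments for institutions named in the campaign (assumed
# list). Fragments under 5 characters must match a whole DNS label; longer
# ones may match as substrings, so "bangladeshbank" catches "bangladeshbank2".
WATCHLIST = ("pnra", "nuclear", "navy", "ptcl", "pgcb", "desco", "bangladeshbank")
_LABEL_SPLIT = re.compile(r"[.\-_]")


def crtsh_query_url(pattern: str) -> str:
    """Build the crt.sh JSON query URL. '%' is crt.sh's wildcard and has to be
    percent-encoded. Built only; this example never performs the request."""
    return CRTSH.format(pattern=quote(pattern, safe=""))


def watchlist_hits(hostname: str, watchlist: Iterable[str] = WATCHLIST) -> List[str]:
    """Return the watch-list fragments a hostname matches (wildcard stripped)."""
    host = hostname.lower()
    if host.startswith("*."):
        host = host[2:]
    labels = set(_LABEL_SPLIT.split(host))
    return [kw for kw in watchlist if kw in labels or (len(kw) >= 5 and kw in host)]


def parse_crtsh(json_text: str) -> List[Dict]:
    """Flatten crt.sh entries into one record per hostname (wildcard prefix
    removed), keeping the earliest not_before seen for each name."""
    seen: Dict[str, Dict] = {}
    for entry in json.loads(json_text):
        not_before = datetime.fromisoformat(entry["not_before"])
        for raw in entry["name_value"].splitlines():
            host = raw.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if not host:
                continue
            rec = seen.get(host)
            if rec is None or not_before < rec["not_before"]:
                seen[host] = {"host": host, "not_before": not_before,
                              "issuer": entry.get("issuer_name", ""),
                              "crtsh_id": entry.get("id")}
    return list(seen.values())


def match_watchlist(records: Iterable[Dict], watchlist: Iterable[str] = WATCHLIST,
                    suffix: Optional[str] = None, since: Optional[datetime] = None) -> List[Dict]:
    """Records whose hostname hits the watch list, optionally limited to one
    DNS suffix (e.g. '.workers.dev') and to certificates issued after 'since'."""
    findings = []
    for rec in records:
        if suffix and not rec["host"].endswith(suffix):
            continue
        if since and rec["not_before"] < since:
            continue
        hits = watchlist_hits(rec["host"], watchlist)
        if hits:
            findings.append({**rec, "keywords": hits})
    return sorted(findings, key=lambda r: r["not_before"])


def match_sni(sni_values: Iterable[str], watchlist: Iterable[str] = WATCHLIST,
              suffix: str = ".workers.dev") -> Dict[str, List[str]]:
    """The same matcher applied to SNI values taken from TLS ClientHello telemetry."""
    out: Dict[str, List[str]] = {}
    for sni in sni_values:
        host = sni.lower()
        if suffix and not host.endswith(suffix):
            continue
        hits = watchlist_hits(host, watchlist)
        if hits:
            out[host] = hits
    return out


# Constructed sample in crt.sh's JSON shape (issuer and ids are invented).
SAMPLE_CRTSH_JSON = r"""[
 {"id": 1001, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
  "common_name": "*.pnra-gov.workers.dev",
  "name_value": "*.pnra-gov.workers.dev\npnra-gov.workers.dev",
  "not_before": "2025-07-14T09:12:33", "not_after": "2025-10-12T09:12:32"},
 {"id": 1002, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
  "common_name": "*.desco-billing.workers.dev",
  "name_value": "*.desco-billing.workers.dev",
  "not_before": "2025-07-21T18:40:02", "not_after": "2025-10-19T18:40:01"},
 {"id": 1003, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
  "common_name": "*.weather-widget.workers.dev",
  "name_value": "*.weather-widget.workers.dev",
  "not_before": "2025-07-02T11:05:00", "not_after": "2025-09-30T11:04:59"},
 {"id": 1004, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
  "common_name": "nuclear-safety-training.example",
  "name_value": "nuclear-safety-training.example",
  "not_before": "2024-11-03T07:00:00", "not_after": "2025-02-01T06:59:59"}
]"""
# Constructed SNI values as a proxy or Zeek ssl.log might record them.
SAMPLE_SNI = ["api.pnra-gov.workers.dev", "cdn.weather-widget.workers.dev",
              "ptcl-billing.paknet.workers.dev"]

if __name__ == "__main__":
    records = parse_crtsh(SAMPLE_CRTSH_JSON)
    for hit in match_watchlist(records, suffix=".workers.dev", since=datetime(2025, 7, 1)):
        print(hit["not_before"].date(), hit["host"], hit["keywords"])
    print(match_sni(SAMPLE_SNI))
    print(crtsh_query_url("%.workers.dev"))
```

Against the constructed data the Workers-only, July-2025-onward query returns pnra-gov.workers.dev and desco-billing.workers.dev and ignores the unrelated widget subdomain; dropping the suffix filter also surfaces the non-Workers nuclear-safety-training.example entry, which is the point of keeping the suffix optional. In practice, a live query for %.workers.dev returns far too much, so issue one narrower pattern per watch-list fragment (for instance %pnra%.workers.dev) on a schedule, and treat a hit as a lead to be checked against the organization's real Workers usage rather than as a confirmed indicator.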
Key Takeaways
- The July 2025 surge had a geopolitical trigger: 42 new infrastructure domains registered two months after the May 10, 2025 ceasefire that halted the India-Pakistan fighting following Operation Sindoor is unlikely to be a coincidence. State cyber espionage operations intensify after kinetic events because governments need better intelligence on adversaries they have just fought. The campaign's timing makes strategic sense when read against the regional political calendar.
- The shift from credentials to persistence is the most significant finding: SloppyLemming moved from stealing passwords to installing long-term backdoors. That is a change in tasking, not just tooling. Persistent access to nuclear regulatory networks and naval commands provides continuous intelligence rather than a one-time snapshot — and potentially pre-positioned access that could serve a different purpose if the political situation deteriorated further.
- SloppyLemming is a maturing actor: The shift from borrowed frameworks (Cobalt Strike, Havoc, Ares RAT, WarHawk) to custom Rust tooling indicates growing in-house development capacity. Future campaigns will be harder to detect and attribute than what has been documented so far.
- The OPSEC failures are a gift that keeps giving: Open directories, exposed staging servers, and predictable infrastructure naming patterns have allowed researchers to track this actor across multiple campaigns. Those failures should not be confused with low capability — they coexist with technically sophisticated malware and careful target selection. The group is operationally careless and tactically capable at the same time.
- Three-plus years of Cloudflare Workers abuse with no structural fix: The same platform, the same naming patterns, the same technique — scaled eightfold. Between the 13 domains Cloudflare documented in September 2024 and the 112 Arctic Wolf documented a year later, the infrastructure expanded with no visible platform-level friction. Blanket blocking is not a realistic option. But targeted interventions — brand-match subdomain scrutiny, proactive notification to impersonated institutions, Certificate Transparency monitoring — are feasible and have not been implemented. The gap between publishing threat intelligence and acting on it structurally is visible in the public record.
- The pre-positioning question should be asked explicitly: Persistent backdoor access to Pakistani nuclear regulatory networks and naval commands, established during a period of active military conflict between nuclear-armed states, is not simply an intelligence collection achievement. It is potentially a strategic asset of a different order. India's strikes near Pakistan's Strategic Plans Division headquarters alarmed the United States enough to trigger emergency diplomatic intervention. The evidence indicates espionage, not sabotage, but the same access that serves the former could serve the latter in a scenario where a ceasefire collapses. Defenders and policymakers at the targeted organizations should be asking whether that access has been fully remediated — not just whether it was detected.
- The Bangladesh targeting had two geopolitical drivers, not one: The July 2025 infrastructure surge followed Operation Sindoor. But the Bangladesh-specific targeting had been building since August 2024, when Sheikh Hasina fled to India and the Awami League era ended. The full eighteen-month arc of the Bangladesh targeting tracks Bangladesh's diplomatic trajectory — from India ally to active alignment with China and Pakistan — far more precisely than any single event. Intelligence operations lag political events, but they track them.
- BurrowShell's anti-sandbox check is a detection pipeline problem, not just a malware feature: Before executing any payload, the loader validates that the parent process is running from an approved directory. If it is not — as is common in automated sandbox analysis environments — the loader exits cleanly and produces no observable malicious behavior. Organizations and vendors whose detection pipelines rely heavily on automated sandboxing to classify new samples will receive false-negative results for this specific loader. Defenders whose sandbox environments do not account for path-based execution checks are carrying a blind spot in their detection tooling for exactly this class of implant.
- The "moderate confidence" attribution survives tool borrowing: SloppyLemming uses tools associated with other actors, including a suspected Pakistan-origin group. This complicates tool-based attribution. But it does not undermine victimology-based attribution. Three years of consistent, specific targeting of Pakistani nuclear oversight, naval operations, and Bangladeshi institutions during India-Bangladesh diplomatic crises is not replicable by a copycat without matching India's actual intelligence collection priorities. The tools are borrowable. The target selection logic is not.
- The defender capability gap in targeted countries is part of the story: SloppyLemming's two attack chains — ClickOnce lures, macro-enabled documents, signed Microsoft binaries, port 443 C2 traffic — are calibrated for environments where endpoint detection is limited and security awareness training is generic rather than targeted. The Bangladesh Bank's publicly documented 2016 breach by the Lazarus Group established that major gaps existed in that institution. The specific institutions on SloppyLemming's target list were not chosen randomly. The gap between the standard Western enterprise remediation guidance and the actual security baseline of the organizations being targeted deserves more attention than it typically receives in vendor threat intelligence reports.
- The open-source attribution case is strong but not conclusive: Organizations can use it to inform operational decisions and risk assessments. They cannot use it alone to publicly name a state sponsor or justify retaliatory measures. That distinction matters when intelligence becomes policy.
- The targeted institutions' silence is itself a data point: No public acknowledgment from PNRA, Pakistan Navy, Bangladesh Bank, or PGCB has appeared in any public record. Whether that silence reflects non-detection, internal handling, or diplomatic calculation is unknown — but the absence of any official response from the governments whose most sensitive institutions were compromised is a structural feature of how South Asian cyber incidents are handled, not an accident. It also reflects a deeper asymmetry: Western vendors publish detailed breach analysis; South Asian defenders often learn of their own compromises by reading those publications.
- The two-way dimension matters: SloppyLemming operates in a bilateral cyber conflict, not a one-sided espionage environment. Pakistan-linked actors including Transparent Tribe and SideCopy have been running persistent campaigns against Indian targets throughout the same period. The pre-positioning question is not unique to India's operations — it is a question both states should be asking about each other's access to nuclear-adjacent networks. Framing only one side of a bilateral cyber conflict as the aggressor misrepresents the strategic landscape.
- The target list defines the intelligence mission: Nuclear regulators, naval commands, telecom infrastructure, power grids, central banks, Sri Lankan defense entities, Bangladeshi media. Everything on this list represents intelligence collection against a Pakistan that just fought a shooting war and a Bangladesh that was drifting away from India's orbit. The access they built was not accidental, and it was not random.
SloppyLemming has been running variations of this playbook for over three years. The name was meant to be mocking — a nod to the operational sloppiness that kept giving researchers a window into the group's methods. But the campaign documented here ran for twelve uninterrupted months across some of the most sensitive institutions in South Asia, through a period of military conflict between nuclear-armed states, a Bangladesh political collapse that reshuffled regional alignments, and a diplomatic realignment that gave every intelligence collection priority a sharper edge.
The open directories and predictable naming patterns are real failures. They are also, in a sense, beside the point. The actor built persistent access to Pakistan's nuclear regulator and Bangladesh's power grid for a year. They developed custom tooling in Rust. They scaled their infrastructure eightfold. They tracked the geopolitical calendar and responded to it. The sloppiness coexists with the capability. The question that remains unanswered — whether the access established during this campaign was fully remediated, or whether some of it persists — is not a question any public threat intelligence report can answer. It is the question the affected organizations need to be asking internally, right now.
Sources: Arctic Wolf Labs (March 2026), Cloudflare Cloudforce One (September 2024), Cloudflare 2026 Threat Report, The Hacker News (March 2026), The Hacker News — Cloudflare SloppyLemming Coverage (September 2024), Industrial Cyber (March 2026), The Record / Recorded Future News (March 2026), Trellix / The Hacker News SideWinder Report (October 2025), Bleeping Computer — Fortra Cloudflare Abuse Report (December 2024), 2025 India–Pakistan Conflict (Wikipedia), Arms Control Association — Ceasefire Analysis (June 2025), The Diplomat — Bangladesh-India Relations (December 2025), International Crisis Group — Bangladesh-India Reset (December 2025), Congressional Research Service — 2025 India-Pakistan Conflict