An alleged India-linked cyber-espionage campaign targeted government agencies and critical infrastructure operators in Pakistan, Bangladesh and Sri Lanka over the past year, according to researchers at cybersecurity firm Arctic Wolf.
Arctic Wolf attributed the activity to an India-nexus threat actor it tracks as SloppyLemming (aka Outrider Tiger and Fishing Elephant). The operation ran from January 2025 for roughly a year and used two attack methods. One involved a malicious PDF carrying malware known as BurrowShell, a backdoor capable of capturing screenshots, manipulating the system, executing remote shell commands, and acting as a SOCKS proxy. The other used an Excel document carrying malware capable of keylogging and reconnaissance.
“The use of the Rust programming language represents a notable evolution in SloppyLemming’s tooling, as prior reporting documented the actor using only traditional compiled languages and borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT,” the researchers note in the report.
The attackers allegedly used 112 domains registered through Cloudflare in 2025 to host and stage malware. Many of the domains were crafted with Pakistani and Bangladeshi government-themed names to trick targets into believing the files were legitimate.
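As an added defensive illustration, not code from Arctic Wolf's report or from the campaign itself, the following Python sketch shows how a defender might triage a feed of newly registered domains for the pattern described above: labels that borrow government or country-themed words, or that reuse a genuine organisation's name under a different suffix. The keyword lists, the allowlist of genuine domains and the sample domains are all constructed for this example and are not indicators from the report; the suffix handling is deliberately naive and is an assumption of this sketch.

```python
"""Triage heuristic for government-themed lookalike domains (added example).

Everything below is constructed for illustration: the keyword sets, the
allowlist and SAMPLE_DOMAINS are not indicators from Arctic Wolf's report.
"""
import re

# Constructed: generic words an attacker might borrow from official names.
GOV_THEME_TOKENS = {
    "gov", "govt", "ministry", "authority", "navy", "defence", "defense",
    "grid", "telecom",
}

# Constructed: country-themed tokens pointing at the regions the article names.
COUNTRY_TOKENS = {"pk", "pakistan", "bd", "bangladesh", "lk", "srilanka"}

# Constructed allowlist: domains treated as genuine; exact matches never flag.
KNOWN_GOOD = {"pnra.org", "ptcl.com.pk", "pgcb.gov.bd"}

# Constructed feed of "newly registered" domains to triage.
SAMPLE_DOMAINS = [
    "ptcl-gov-pk.example",
    "ministry-defence-bd.example",
    "pgcb.gov.bd",
    "weather-update.example",
    "pnra-docs.example",
]


def registrable_label(domain: str) -> str:
    """Return the label to the left of the suffix.

    Assumption: a naive suffix model that treats 'gov', 'com', 'org', 'net'
    and 'edu' as second-level labels (so 'ptcl.com.pk' -> 'ptcl'). A real
    pipeline would use the public suffix list instead.
    """
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"gov", "com", "org", "net", "edu"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def tokens(label: str) -> list[str]:
    """Split a label on hyphens and digit runs: 'pnra-portal2' -> ['pnra', 'portal']."""
    return [t for t in re.split(r"[-0-9]+", label) if t]


def score_domain(domain: str) -> int:
    """Score a domain from 0 to 3.

    +1 if a government-themed token appears in the label,
    +1 if a country-themed token appears,
    +1 if a known genuine organisation's label is reused under another suffix.
    Allowlisted domains always score 0.
    """
    domain = domain.lower().strip(".")
    if domain in KNOWN_GOOD:
        return 0
    toks = set(tokens(registrable_label(domain)))
    score = 0
    if toks & GOV_THEME_TOKENS:
        score += 1
    if toks & COUNTRY_TOKENS:
        score += 1
    # Genuine organisation name reused, e.g. 'ptcl-gov-pk.example' vs 'ptcl.com.pk'.
    if any(registrable_label(good) in toks for good in KNOWN_GOOD):
        score += 1
    return score


def triage(domains: list[str], threshold: int = 2) -> list[tuple[str, int]]:
    """Return (domain, score) pairs at or above the threshold, highest score first."""
    scored = [(d, score_domain(d)) for d in domains]
    flagged = [(d, s) for d, s in scored if s >= threshold]
    return sorted(flagged, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for domain, score in triage(SAMPLE_DOMAINS):
        print(f"{score}  {domain}")
```

The scoring is intentionally simple so that an analyst can read why a domain was flagged; in practice the token lists would be tuned to the organisations a defender actually protects, and the suffix parsing would come from a public-suffix-aware library such as `tldextract` rather than the naive rule above.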
The campaign focused on Pakistani nuclear regulatory and defense logistics bodies, including the Pakistan Nuclear Regulatory Authority, as well as telecommunications providers such as the Pakistan Telecommunication Company and the Special Communications Organization. Other targets included the Pakistan Navy and the National Logistics Corporation.
In Bangladesh, energy and financial entities were targeted, including the Power Grid Company of Bangladesh. At least one phishing email impersonated a Bangladeshi financial institution to lure victims into opening malicious attachments.
According to Arctic Wolf, SloppyLemming has been active since at least 2021. Campaigns typically begin with spearphishing emails containing infected documents. When opened, the files display blurred content and a message claiming a “PDF reader is disabled,” prompting users to take additional steps that ultimately grant attackers access.
Cloudflare has previously reported that SloppyLemming activity began in late 2022, initially focusing on Pakistan before expanding to Sri Lanka, Nepal, Bangladesh, Indonesia and China. While Cloudflare did not directly attribute the campaign to India, it noted similarities to a threat actor tracked by incident response firm CrowdStrike as “Outrider Tiger,” described as an India-nexus intrusion adversary believed to support Indian state intelligence collection efforts.