The line between useful files and viruses has become almost indistinguishable.

Over the past year, the number of espionage attacks on government agencies and critical infrastructure operators in South Asia has increased significantly. The Arctic Wolf team described a campaign that it attributes with moderate confidence to the SloppyLemming group, also tracked as Outrider Tiger and Fishing Elephant. The targets were organizations in Pakistan and Bangladesh, and the report's authors estimate that the operation ran from at least January 2025 to January 2026, with its infrastructure and toolset expanding over that period.
The campaign used two distinct infection chains. The first began with phishing emails carrying a PDF decoy. The document prompted the victim to click a link that led to a ClickOnce manifest. A DLL sideloading pair was then downloaded to the device: the legitimate Microsoft .NET Framework executable NGenTask.exe, renamed to OneDrive.exe, and a malicious mscorsvc.dll placed beside it. The malicious DLL, loaded by the renamed executable, decrypted an embedded RC4-encrypted data block and launched the x64 BurrowShell implant in memory.
BurrowShell operated as a fully-fledged backdoor platform. The implant supported file manipulation, screenshots, remote command execution, and traffic tunneling through a SOCKS proxy. Communication with the control infrastructure was disguised as Windows Update service requests, and the payload was protected with symmetric encryption.
The second chain used Excel files with macros. The macro downloaded components to the ProgramData directory and launched the legitimate phoneactivate.exe, renamed to audiodg.exe, which sideloaded a malicious DLL dropped alongside it. The main payload was a remote access Trojan with a keylogger, written in Rust. In addition to capturing keystrokes, the module performed network reconnaissance, including port scanning and host discovery, and supported file manipulation commands and process launches.
Arctic Wolf paid special attention to the infrastructure. During the period under review, 112 domains were found on Cloudflare Workers impersonating government and industry organizations in Pakistan and Bangladesh. Registrations peaked in July 2025, when 42 domains appeared. Three of the hosts had open directory listings, exposing staged malware components, including Havoc framework loaders protected with various RC4 keys.
According to the report, the targeting follows the logic of cyberespionage. In Pakistan, interest was shown in defense, telecom, and nuclear regulatory bodies, while in Bangladesh it was in the energy and financial sectors. The authors also examined overlaps with SideWinder tactics, but noted differences in the tooling and infrastructure characteristics.
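Both chains share one detectable shape: a signed Microsoft binary running under a name that is not its own (NGenTask.exe as OneDrive.exe, phoneactivate.exe as audiodg.exe) and loading an unsigned DLL from the same directory, outside the Windows or .NET install paths. The script below, added here as an illustration and not taken from the Arctic Wolf report or the attacker's tooling, correlates those two signals over constructed Sysmon-style events. It assumes a simplified schema in which Event ID 1 carries Image, OriginalFileName and Company (as Sysmon's process-create event does) and Event ID 7 carries ImageLoaded plus Signed/Signature; the sample paths, the benign OneDrive entries and the second chain's DLL name sibling.dll are made up, since the article does not name that DLL.

```python
"""Correlate renamed Microsoft binaries with unsigned sibling DLL loads.

Constructed sample events in a simplified Sysmon-like schema. A process is
reported only when BOTH signals are present, so a legitimate user-profile
install (the real OneDrive.exe loading its own signed DLLs) stays quiet.
"""
import ntpath
from collections import defaultdict

# Directories where Microsoft DLLs legitimately live; loads from here are ignored.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\microsoft.net",
    r"c:\windows\winsxs",
)

# Constructed sample log, not real telemetry.
SAMPLE_EVENTS = [
    # Chain 1: NGenTask.exe dropped as OneDrive.exe, sideloading mscorsvc.dll.
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "OriginalFileName": "NGenTask.exe", "Company": "Microsoft Corporation"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\mscorsvc.dll",
     "Signed": "false", "Signature": ""},
    # Chain 2: phoneactivate.exe dropped as audiodg.exe under ProgramData.
    # "sibling.dll" is a placeholder; the article does not name the DLL.
    {"EventID": 1, "Image": r"C:\ProgramData\Audio\audiodg.exe",
     "OriginalFileName": "phoneactivate.exe", "Company": "Microsoft Corporation"},
    {"EventID": 7, "Image": r"C:\ProgramData\Audio\audiodg.exe",
     "ImageLoaded": r"C:\ProgramData\Audio\sibling.dll",
     "Signed": "false", "Signature": ""},
    # Benign: the real OneDrive client loading one of its own signed DLLs.
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "OriginalFileName": "OneDrive.exe", "Company": "Microsoft Corporation"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\LoggingPlatform.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    # Benign: NGenTask.exe running from its real .NET directory.
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "OriginalFileName": "NGenTask.exe", "Company": "Microsoft Corporation"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
]


def _dir(path):
    return ntpath.dirname(path).lower()


def in_trusted_dir(path):
    """True if the file sits under one of the Windows / .NET install directories."""
    return _dir(path).startswith(TRUSTED_DIRS)


def renamed_microsoft_binaries(events):
    """Signal 1: {image_path: original_name} where a Microsoft binary's on-disk
    name differs from the OriginalFileName in its version resource."""
    out = {}
    for e in events:
        if e.get("EventID") != 1 or e.get("Company") != "Microsoft Corporation":
            continue
        on_disk = ntpath.basename(e["Image"]).lower()
        original = e.get("OriginalFileName", "")
        if original and original.lower() != on_disk:
            out[e["Image"]] = original
    return out


def unsigned_sibling_loads(events):
    """Signal 2: {image_path: [dll, ...]} for unsigned DLLs loaded from the
    process's own directory when that directory is not a trusted one."""
    out = defaultdict(list)
    for e in events:
        if e.get("EventID") != 7 or e.get("Signed", "").lower() == "true":
            continue
        dll = e["ImageLoaded"]
        if _dir(dll) == _dir(e["Image"]) and not in_trusted_dir(dll):
            out[e["Image"]].append(dll)
    return out


def find_sideloads(events):
    """Report (image, original_name, [dlls]) only where both signals coincide."""
    renamed = renamed_microsoft_binaries(events)
    loads = unsigned_sibling_loads(events)
    return sorted((img, renamed[img], loads[img]) for img in renamed if img in loads)


if __name__ == "__main__":
    for image, original, dlls in find_sideloads(SAMPLE_EVENTS):
        print(f"[!] {image} is really {original}; unsigned sideload: {', '.join(dlls)}")
```

Requiring both signals is the design choice worth keeping: a renamed Microsoft binary on its own is common in portable tooling, and an unsigned DLL in a user-writable directory on its own is noisy, but a signed Microsoft executable under a false name pulling an unsigned DLL from beside itself is the sideloading pattern and little else.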