ISLAMABAD: A sophisticated cyber espionage campaign attributed to an India-linked threat actor targeted critical government and infrastructure entities in Pakistan, Bangladesh and Sri Lanka throughout 2025, according to detailed findings released by cybersecurity firm Arctic Wolf.
The campaign, spanning from January 2025 to January 2026, marked a significant expansion of earlier operations first documented by Cloudflare in September 2024. Researchers at Arctic Wolf designated the actor as SloppyLemming, also known by aliases such as Outrider Tiger and Fishing Elephant in reports from CrowdStrike and other firms.
This threat actor has demonstrated alignment with Indian government interests since at least 2021, focusing on espionage against regional neighbours. The latest wave primarily hit Pakistani and Bangladeshi targets, with evidence of broader activity extending to Sri Lanka.
Victims in Pakistan included high-profile organisations such as the Pakistan Nuclear Regulatory Authority, defence logistics bodies like the National Logistics Corporation, the Pakistan Navy, and major telecommunications providers including the Special Communications Organization and Pakistan Telecommunication Company Limited. Energy sector players such as DESCON were also compromised.
In Bangladesh, the attacks focused on energy utilities like the Power Grid Company of Bangladesh and financial institutions. One malicious email impersonated a Bangladeshi financial entity to lure victims.
The campaign employed two primary infection vectors. The first involved spearphishing emails delivering malicious PDF files embedding BurrowShell, a backdoor malware capable of capturing screenshots, manipulating file systems, establishing persistence, and performing network reconnaissance.
The second method used weaponised Excel documents to deploy a Rust-based remote access trojan equipped with keylogging functionality and additional data exfiltration tools. These payloads allowed attackers to monitor keystrokes, scan networks, and maintain long-term access.
Social engineering formed the entry point in most cases. Victims opening the attachments encountered blurred document content overlaid with a deceptive message stating “PDF reader is disabled.” This prompted users to enable content or carry out further steps, granting the attackers an initial foothold.
Attack infrastructure relied heavily on 112 Cloudflare-registered domains created during 2025. These domains featured themes mimicking Pakistani and Bangladeshi government entities to enhance credibility and trick targets into engagement.
Researchers described SloppyLemming as possessing moderate technical capabilities. Multi-stage execution chains indicated knowledge of Windows internals and defence evasion tactics. However, operational security lapses, including exposed open directories hosting malware, revealed inconsistencies in tradecraft.
Such shortcomings justified the “Sloppy” prefix in the group’s name, highlighting historically uneven security practices compared to more disciplined state-sponsored actors.
Overlaps existed with prior disclosures. Arctic Wolf findings aligned with Trellix reports from October 2025, while building directly on Cloudflare’s 2024 analysis of SloppyLemming operations. Cloudflare had noted the group’s use of Cloudflare Workers for command-and-control, credential harvesting, and malware staging since late 2022.
Broader targeting patterns from earlier phases included entities in Nepal, Indonesia, and China, with emphasis on government, law enforcement, energy, telecommunications, and technology sectors. Pakistan remained the primary focus throughout.
The persistence of these attacks underscores ongoing cyber tensions in South Asia. Critical infrastructure and nuclear-related bodies emerged as strategic priorities, reflecting geopolitical motivations behind the espionage.
Experts emphasise that such campaigns exploit trusted communication channels and legitimate cloud services to bypass traditional defences. Organisations in the region face heightened risks from similar India-nexus actors employing commodity tools alongside custom malware.
Defensive measures recommended include rigorous email filtering, user awareness training on phishing lures, endpoint detection for anomalous behaviours, and monitoring of unusual domain interactions. Regular patching and network segmentation further reduce exposure to backdoors like BurrowShell.
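As an added illustration of the “monitoring of unusual domain interactions” recommendation (example code written for this article, not from the Arctic Wolf report or any vendor tool), the Python routine below triages mail-gateway entries: it flags sender domains that imitate an allowlisted government or telecom domain and raises severity when the message also carries one of the PDF or Excel lure formats described above. The allowlist, the log line format and the sample lines are constructed placeholders, not indicators from the report.

```python
from typing import Optional, Tuple

# Constructed allowlist of legitimate government/telecom domains (placeholders, not from the report).
LEGIT_DOMAINS = ["agency-one.gov.pk", "national-grid.gov.bd", "telecom-co.com.pk"]
RISKY_EXT = {"pdf", "xls", "xlsx", "xlsm"}  # the two lure formats the article describes

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined to avoid a third-party dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def org_label(domain: str) -> str:
    """Organisation part of a domain, hyphens removed: 'agency-one.gov.pk' -> 'agencyone'."""
    parts = domain.lower().split(".")
    idx = -3 if len(parts) >= 3 and parts[-2] in {"gov", "com", "org", "edu", "mil"} else -2
    return parts[idx].replace("-", "") if len(parts) >= 2 else parts[0]

def lookalike_of(domain: str) -> Optional[str]:
    """Allowlisted domain that `domain` imitates, or None if it is allowlisted or unrelated."""
    if domain.lower() in LEGIT_DOMAINS:
        return None
    label = org_label(domain)
    for legit in LEGIT_DOMAINS:
        # Same organisation name under another suffix or with extra tokens, or a near-typo of it.
        if org_label(legit) in label or levenshtein(label, org_label(legit)) <= 2:
            return legit
    return None

def triage(line: str) -> Tuple[str, Optional[str]]:
    """Score one 'sender_domain attachment_name' mail-gateway line (constructed format)."""
    sender, attachment = line.split()
    ext = attachment.rsplit(".", 1)[-1].lower()
    imitated = lookalike_of(sender)
    if imitated:  # government lookalike; carrying a PDF/Excel lure makes it high severity
        return ("high" if ext in RISKY_EXT else "medium"), imitated
    return ("low" if ext in RISKY_EXT else "info"), None

# Constructed sample lines; the domains are placeholders, not indicators from the report.
SAMPLE_LOG = [
    "agency-one.gov.pk circular.pdf",
    "agency-one-gov.pk circular.pdf",
    "nationa1-grid.gov.bd tender.xlsm",
    "example.org notes.txt",
]
```

Running `triage` over `SAMPLE_LOG` marks only the two lookalike senders with document attachments as high severity; the genuine allowlisted sender with a PDF is scored low rather than blocked, which is where the email filtering and user awareness measures above take over.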
The revelation adds to mounting evidence of sustained cyber espionage in the subcontinent. As regional rivalries persist, state-aligned actors continue leveraging digital means to gather intelligence on sensitive sectors.
Arctic Wolf’s assessment positions SloppyLemming as a persistent threat requiring vigilant monitoring. Future expansions could incorporate evolving tools or infrastructure to address past operational flaws.
