SloppyLemming threat actor targets key sectors across South Asia

September 27, 2024

A new advanced threat actor, identified as SloppyLemming, has been targeting entities across South and East Asia using a combination of cloud service providers to execute a range of cyberattacks. This group, also known by the names Outrider Tiger and Fishing Elephant, has been involved in credential harvesting, malware delivery, and command-and-control (C2) operations.

SloppyLemming has been active since at least July 2021, and its activity has been linked to past campaigns that deployed malware, such as Ares RAT and WarHawk. These malware strains have previously been connected to well-known hacking groups, including SideWinder and SideCopy. The latter, reportedly of Pakistani origin, has also been involved in espionage campaigns in the region.

SloppyLemming focuses on targeting government, law enforcement, energy, telecommunications, and technology sectors.

Their operations have spanned several countries, including Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia. These attacks often begin with spear-phishing emails that are designed to trick recipients into clicking malicious links by creating a false sense of urgency. Once the link is clicked, the victim is directed to a credential harvesting page that enables the attackers to gain unauthorised access to sensitive email accounts within targeted organisations.

One of the tools in SloppyLemming’s arsenal is a custom-built application called CloudPhish, which allows the group to create malicious Cloudflare Workers. These workers facilitate the logging and exfiltration of credentials, further enhancing the group’s ability to compromise its targets.

In some cases, SloppyLemming has employed more sophisticated techniques, such as capturing Google OAuth tokens and using malicious RAR archives to exploit vulnerabilities like CVE-2023-38831. These archives, often disguised with names like “CamScanner,” can remotely execute code, delivering trojans hosted on cloud storage platforms like Dropbox.
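As an added defender-side example (not code from the original article or from the reporting it summarises), the following Python triages an archive listing for the layout that CVE-2023-38831 relies on: a decoy document next to a same-named directory that holds an executable whose name begins with the decoy's name. The entry names are constructed samples and the executable-extension list is an assumption.

```python
"""Heuristic triage of archive listings for the CVE-2023-38831 decoy pattern."""

# Assumed list of extensions worth flagging as executable payloads.
EXECUTABLE_EXTENSIONS = (".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk")


def find_decoy_pairs(entries):
    """Return (decoy, payload) pairs matching the CVE-2023-38831 layout.

    `entries` is the archive listing, one path per entry, directories with a
    trailing '/'. Trailing spaces in names are ignored when matching, since
    public samples use them to make the decoy and directory names collide.
    """
    paths = [e.replace("\\", "/") for e in entries]
    files = [p for p in paths if not p.endswith("/")]
    # Every parent prefix of every entry counts as a directory, whether or not
    # the archive stores an explicit directory record for it.
    dirs = set()
    for p in paths:
        parts = p.rstrip("/").split("/")
        limit = len(parts) if p.endswith("/") else len(parts) - 1
        for i in range(1, limit + 1):
            dirs.add("/".join(parts[:i]).rstrip())
    hits = []
    for decoy in files:
        key = decoy.rstrip()
        if key not in dirs:
            continue  # no same-named directory, so not this pattern
        base = key.rsplit("/", 1)[-1]
        for candidate in files:
            parent, _, name = candidate.rpartition("/")
            if candidate == decoy or parent.rstrip() != key:
                continue
            if name.startswith(base) and name.lower().endswith(EXECUTABLE_EXTENSIONS):
                hits.append((decoy, candidate))
    return hits


if __name__ == "__main__":
    # Constructed listing modelled on the "CamScanner" lure named in the article.
    sample = ["CamScanner.pdf", "CamScanner.pdf/", "CamScanner.pdf/CamScanner.pdf .cmd"]
    for decoy, payload in find_decoy_pairs(sample):
        print(f"suspicious: opening {decoy!r} may run {payload!r}")
```

The check is a triage heuristic over names only; a flagged archive still needs the payload inspected before any verdict.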

A separate infection chain involves spear-phishing emails that lead targets to fake websites impersonating the Punjab Information Technology Board in Pakistan. Once redirected, victims may unknowingly download malicious files, which sideload rogue DLLs designed to communicate with the attacker’s C2 infrastructure.

Recent evidence indicates that SloppyLemming has specifically targeted Pakistani law enforcement, military entities in Sri Lanka and Bangladesh, and, to a lesser extent, Chinese academic and energy sectors. Moreover, the group has attempted to infiltrate organisations involved in the maintenance of Pakistan’s nuclear power facility.

Through the use of cloud service providers like Cloudflare Workers, SloppyLemming has been able to carry out these attacks with a high level of sophistication, posing a serious threat to national security in the affected regions.
