SloppyLemming BurrowShell and Rust-based keylogger activity
Malware Activity
Summary
Hide ▲
Show ▼
SloppyLemming deployed BurrowShell and a Rust-based keylogger through two attack chains, expanding its malware toolkit for backdoor access, credential theft, and reconnaissance against targeted systems in Pakistan and Bangladesh. The activity ran from January 2025 to January 2026 and used spear-phishing with PDF lures and macro-enabled Excel documents to start the infection chains. The malware and delivery flow show a shift toward Rust-based tooling and layered staging.
Related Happenings
ScarCruft NarwhalRAT spear-phishing malware activity
Malware Activity
H score23
First: 16.06.2026 11:14
Last: 16.06.2026 11:14
Sources 1
About this happening:
**ScarCruft (APT37)** is using **spear-phishing emails** that impersonate **Microsoft Account security alerts** to deliver **NarwhalRAT**, creating a **multi-stage malware** threa...
ScarCruft NarwhalRAT spear-phishing malware activity
Malware ActivityAbout this happening: **ScarCruft (APT37)** is using **spear-phishing emails** that impersonate **Microsoft Account security alerts** to deliver **NarwhalRAT**, creating a **multi-stage malware** threa...
Operation Dragon Weave cyber-espionage campaign
Campaign
H score37
First: 01.06.2026 14:54
Last: 01.06.2026 14:54
Sources 1
About this happening:
The **Operation Dragon Weave** campaign is actively targeting **officials and citizens in the Czech Republic and Taiwan** with **spear-phishing ZIP attachments**. The infection ch...
Operation Dragon Weave cyber-espionage campaign
CampaignAbout this happening: The **Operation Dragon Weave** campaign is actively targeting **officials and citizens in the Czech Republic and Taiwan** with **spear-phishing ZIP attachments**. The infection ch...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
H score28
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware ActivityAbout this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware Activity
H score23
First: 07.05.2026 16:15
Last: 07.05.2026 16:15
Sources 1
About this happening:
The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...
Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware ActivityAbout this happening: The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Timeline
-
03.03.2026 08:53 2 articles · 4mo ago
SloppyLemming dual-chain malware activity in Pakistan and Bangladesh
Initial DisclosureArctic Wolf attributed SloppyLemming to attacks on government entities and critical infrastructure operators in Pakistan and Bangladesh, describing two attack chains that used spear-phishing PDF lures and macro-enabled Excel documents to deliver BurrowShell and a Rust-based keylogger. The delivery flow used ClickOnce application manifests, NGenTask.exe, and mscorsvc.dll for DLL side-loading, while BurrowShell provided file system manipulation, screenshot capture, remote shell execution, and SOCKS proxy tunneling with RC4-encrypted command-and-control traffic that mimicked Windows Update service communications. Investigators also identified 112 Cloudflare Workers domains registered during the one-year period, reflecting a larger infrastructure footprint tied to the campaign.
Show sources
- SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains — thehackernews.com — 03.03.2026 08:53
- Indian APT 'Sloppy Lemming' Targets Defense, Critical Infrastructure — www.darkreading.com — 04.03.2026 00:24