SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh
Campaign
Summary
The SloppyLemming campaign used spear-phishing emails carrying PDF lures and macro-enabled Excel documents to target government entities and critical infrastructure operators in Pakistan and Bangladesh, raising the risk of espionage and credential theft. The operation ran from January 2025 to January 2026 and split into two infection chains that delivered BurrowShell and a Rust-based keylogger. Its infrastructure and tooling show continued evolution, including DLL side-loading, ClickOnce staging, and 112 Cloudflare Workers domains tied to the operation.
Related Happenings
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company
Campaign
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...
Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware Activity
First: 07.05.2026 16:15
Last: 07.05.2026 16:15
Sources 1
About this happening:
The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
Timeline
- 03.03.2026 08:53 · 2 articles
SloppyLemming campaign disclosure
Initial Disclosure: Arctic Wolf attributed a one-year campaign against government entities and critical infrastructure operators in Pakistan and Bangladesh to SloppyLemming, describing spear-phishing emails that delivered PDF lures and macro-enabled Excel documents, ClickOnce staging that deployed NGenTask.exe and mscorsvc.dll, DLL side-loading of BurrowShell, a Rust-based keylogger, and 112 Cloudflare Workers domains tied to the infrastructure.
Sources:
- SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains — thehackernews.com — 03.03.2026 08:53
- Indian APT 'Sloppy Lemming' Targets Defense, Critical Infrastructure — www.darkreading.com — 04.03.2026 00:24
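The staging step in the disclosure above (a copy of the legitimate NGenTask.exe dropped outside the .NET Framework directory so that a side-loaded mscorsvc.dll is resolved beside it, followed by traffic to Cloudflare Workers domains) is something a detection engineer can hunt for directly. The script below is an added example written for this page, not code from Arctic Wolf or either article. It assumes Sysmon-style events already flattened into dicts with `type`, `image`, `parent_image`, `image_loaded` and `query` fields; the sample events, the `Deploy` directory and the `example-worker.workers.dev` host are constructed for the example, and the framework-directory list is an assumption to be adjusted to the .NET builds present in your estate. The observation that ClickOnce applications are hosted by `dfsvc.exe` is general Windows behaviour, not a detail taken from the disclosure.

```python
"""Hunt over Sysmon-style endpoint telemetry for the NGenTask.exe / mscorsvc.dll
side-loading chain and follow-on *.workers.dev lookups."""
import ntpath  # Windows path semantics regardless of the analysis host
from collections import defaultdict

# Assumed canonical locations of the genuine NGenTask.exe and mscorsvc.dll.
# Only the v4.0.30319 builds are listed here; extend for other versions.
DOTNET_DIRS = (
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
)
WORKERS_SUFFIX = ".workers.dev"


def _norm(path: str) -> str:
    """Lower-case a Windows path and normalise slashes so comparisons are stable."""
    return path.replace("/", "\\").lower()


def in_dotnet_dir(path: str) -> bool:
    """True if the file lives in one of the legitimate framework directories."""
    return ntpath.dirname(_norm(path)) in DOTNET_DIRS


def classify(event: dict) -> list:
    """Return the detection names one event triggers (empty list if none)."""
    hits = []
    kind = event["type"]
    image = _norm(event.get("image", ""))
    base = ntpath.basename(image)

    if kind == "process_create":
        # The real NGenTask.exe only ever runs from the framework directory.
        if base == "ngentask.exe" and not in_dotnet_dir(image):
            hits.append("ngentask_outside_framework_dir")
        # ClickOnce applications are launched by dfsvc.exe, so a framework
        # binary with that parent is the staging step worth reviewing.
        parent = ntpath.basename(_norm(event.get("parent_image", "")))
        if base == "ngentask.exe" and parent == "dfsvc.exe":
            hits.append("ngentask_launched_by_clickonce")

    elif kind == "image_load":
        loaded = _norm(event.get("image_loaded", ""))
        # mscorsvc.dll resolved from anywhere other than the framework
        # directory is the side-load itself, whatever process loaded it.
        if ntpath.basename(loaded) == "mscorsvc.dll" and not in_dotnet_dir(loaded):
            hits.append("mscorsvc_sideloaded")

    elif kind == "dns_query":
        if _norm(event.get("query", "")).endswith(WORKERS_SUFFIX):
            hits.append("workers_dev_lookup")

    return hits


def hunt(events: list) -> dict:
    """Group detections by process image so the chain reads as one story."""
    findings = defaultdict(list)
    for ev in events:
        for hit in classify(ev):
            findings[_norm(ev.get("image", ""))].append(hit)
    return dict(findings)


# Constructed sample telemetry (not real logs): one staged chain plus the
# genuine binary loading the genuine DLL, which must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\u\AppData\Local\Temp\Deploy\NGenTask.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"type": "image_load",
     "image": r"C:\Users\u\AppData\Local\Temp\Deploy\NGenTask.exe",
     "image_loaded": r"C:\Users\u\AppData\Local\Temp\Deploy\mscorsvc.dll"},
    {"type": "dns_query",
     "image": r"C:\Users\u\AppData\Local\Temp\Deploy\NGenTask.exe",
     "query": "example-worker.workers.dev"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "image_load",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(hits))
```

Run against the constructed events, only the copy of NGenTask.exe under `Temp\Deploy` is reported, with all four detections chained to it, while the genuine binary in the framework directory produces nothing. Each check is weak on its own (a `.workers.dev` lookup is common in legitimate traffic), so the grouping by process image is what turns them into a usable hunt query.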