India-aligned clusters show shared resourcing and coordinated tasking

Threat Actor Meta
First reported
Last updated
Happening score
H score 15
1 unique source, 1 article

Summary

Researchers identified shared resourcing and coordinated tasking across some India-aligned clusters, suggesting a more connected regional threat-actor ecosystem. The overlap involves Sloppy Lemming, TA397, TA399, and TA395, with shared lure themes, compromised accounts, and repeated targeting patterns. That matters because coordination can let separate teams reuse access and infrastructure while making attribution harder. Even if the groups remain distinct, the evidence points to a more organized operating model across the region.

Related Happenings

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

Silver Dragon assessed within the APT41 umbrella

Threat Actor Meta
First: 04.03.2026 10:14 Last: 04.03.2026 10:14 Sources 1

About this happening: **Silver Dragon** is now assessed to operate within the **APT41 umbrella**, sharpening attribution for a cluster active against **Europe**, **Southeast Asia**, and **government en...

SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh

Campaign
First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

How related: The India-linked advanced persistent threat (APT) "Sloppy Lemming" has significantly increased its operational tempo over the past year, adopting more sophisticated tactics to target nuclear-regulatory organizations, defense firms, and critical infrastructure in Pakistan and Bangladesh, among other South and Southeast Asian targets.

About this happening: The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...

SloppyLemming BurrowShell and Rust-based keylogger activity

Malware Activity
First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

How related: Sloppy Lemming, which is also connected to groups identified by other threat researchers as Outrider Tiger and Fishing Elephant, uses two attack chains: one uses a PDF lure to redirect victims to an attack; and the other uses macro-enabled Excel documents to deliver a Rust-based keylogger, Arctic Wolf stated.

About this happening: **SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...

Shadow-Void-044 and Shadow-Earth-045 PeckBirdy cyber-espionage campaigns

Campaign
First: 28.01.2026 18:19 Last: 28.01.2026 18:19 Sources 1

About this happening: Two **China-aligned** **PeckBirdy** espionage campaigns were identified, widening risk to **Chinese gambling websites**, **Asian government entities**, and a **Philippine educatio...

Timeline

  1. 04.03.2026 00:24 2 articles · 2mo ago

    India-aligned clusters show shared resourcing and coordinated tasking

    Campaign Scope Update

    Researchers assessing India-aligned threat activity said Sloppy Lemming overlaps with TA397, TA399, and TA395 through shared lure themes, compromised accounts, and repeated targeting of the same individuals, indicating shared resourcing and/or coordinated tasking across distinct clusters. The assessment also links Sloppy Lemming with Outrider Tiger and Fishing Elephant, while noting that some India-nexus groups such as Dropping Elephant and Mysterious Elephant do not overlap with Sloppy Lemming.
