SloppyLemming: Dissecting the Dual Malware Assault on South Asian Governments
Date: March 2026
Author: Security Arsenal Research Team
In the rapidly evolving landscape of cyber espionage, attribution is often the first casualty of complexity. However, recent findings by Arctic Wolf have illuminated a distinct threat activity cluster, dubbed SloppyLemming, which has been systematically targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. Active from January 2025 through January 2026, this campaign demonstrates a sophisticated dual-malware strategy designed to maintain persistence and evade detection.
At Security Arsenal, we believe that understanding the mechanics of such campaigns is vital for organizations outside the immediate blast radius. The tactics employed by SloppyLemming—specifically the use of a Rust-based payload alongside the BurrowShell malware—represent a growing trend in the commoditization of advanced malware.
Analysis: Dual Attack Chains and Evolving TTPs
The SloppyLemming operation is not a "smash and grab" attempt but a calculated intrusion. The threat actors utilize two separate attack chains, likely attempting redundancy: if one vector is patched or detected, the other remains viable.
1. BurrowShell: The Persistent Insider
Public technical details on BurrowShell are still emerging. The name suggests a webshell or a tunneling utility, and the capabilities listed below are inferred from how tools of that class are typically used, not from published analysis of this specific malware. In campaigns of this kind the initial compromise usually comes through an exposed web application or phishing; once a foothold exists, a tool in this class would likely provide:
- Remote Access: Providing the attackers with a command-line interface on the victim's server.
- Lateral Movement: Acting as a bridge to move laterally through the network towards high-value targets.
- Defense Evasion: Utilizing encryption or obfuscation to blend in with legitimate administrative traffic.
2. The Rust-Based Payload: Modernizing the Toolkit
Perhaps the most alarming aspect of this campaign is the deployment of a Rust-based malware variant. The cybersecurity community has observed a significant shift toward Rust and Go for malware development, moving away from traditional C/C++. Why? Because Rust offers:
- Cross-Platform Capabilities: Easier compilation for Windows, Linux, and macOS from a single codebase.
- Memory Safety: The compiler rules out most memory-corruption bugs, so the implant is less likely to crash and leave a faulting-process event for responders to find; the malware is more stable and reliable for the operator.
- Analysis Resistance: Rust binaries are large, statically linked, and full of monomorphized generic code and non-null-terminated string slices, so signatures, library-identification (FLIRT-style) and string tooling built around C conventions work poorly. The code is not inherently unanalyzable, but triage and reverse engineering take considerably longer.
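As an added example (written for this article, not code from Arctic Wolf or from the SloppyLemming tooling), the following triage helper turns the "how do I know this is Rust" question into something a responder can run on a suspicious executable. It scans the raw bytes for artifacts the Rust toolchain embeds in most release builds: rustc commit hashes inside panic-location paths, Cargo registry paths that leak crate names and versions, and std marker strings. The sample bytes are constructed to resemble a typical .rdata section (the commit hash and crate list are made up); the marker list and the "likely Rust" threshold are my own choices.

```python
import json
import re
import sys

# Rust toolchain artifacts that survive in most release builds: std embeds panic
# locations as "/rustc/<commit>/library/..." and Cargo leaves registry source paths.
# Separators are matched as either slash or backslash (Windows builds mix both).
RUSTC_COMMIT = re.compile(rb"/rustc/([0-9a-f]{40})[\\/]")
CARGO_CRATE = re.compile(
    rb"\.cargo[\\/]registry[\\/]src[\\/][^\\/\x00]+[\\/]"  # .cargo/registry/src/<index-dir>/
    rb"([A-Za-z0-9_-]+?)-(\d+\.\d+\.\d+[^\\/\x00]*)[\\/]"  # <crate>-<semver>/
)
GENERIC_MARKERS = [
    b"panicked at",
    b"RUST_BACKTRACE",
    b"core::fmt",
    b"library/core/src", b"library\\core\\src",
    b"library/std/src", b"library\\std\\src",
    b"called `Option::unwrap()` on a `None` value",
    b"called `Result::unwrap()` on an `Err` value",
]

# Constructed sample resembling .rdata of a Rust PE (hash and crates are invented).
SAMPLE_RUST_RDATA = (
    b"\x00\x00panicked at /rustc/4eb161250e340c8f48f66e2b929ef4a5bed7c181/library/core/src/fmt/mod.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\tokio-1.40.0\\src\\runtime\\task\\raw.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/reqwest-0.12.8/src/async_impl/client.rs\x00"
    b"RUST_BACKTRACE\x00core::fmt::write\x00library\\std\\src\\sys\\pal\\windows\\mod.rs\x00"
)
# Constructed sample resembling a plain MSVC C program, for contrast.
SAMPLE_MSVC_RDATA = b"MSVCR120.dll\x00printf\x00__security_cookie\x00Hello, world\x00"


def triage_rust_markers(data: bytes) -> dict:
    """Report Rust toolchain artifacts found in a binary's bytes."""
    commits = sorted({m.group(1).decode() for m in RUSTC_COMMIT.finditer(data)})
    crates: dict = {}
    for m in CARGO_CRATE.finditer(data):
        crates.setdefault(m.group(1).decode(), set()).add(m.group(2).decode())
    generic = [g.decode() for g in GENERIC_MARKERS if g in data]
    # A rustc commit or a crate path is near-conclusive; otherwise require two std markers,
    # since a single string like "panicked at" could appear in any language's binary.
    likely = bool(commits or crates) or len(generic) >= 2
    return {
        "likely_rust": likely,
        "rustc_commits": commits,
        "crates": {name: sorted(v) for name, v in sorted(crates.items())},
        "generic_markers": generic,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_rust_markers(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for p in targets:
            print(p, json.dumps(triage_file(p), indent=2))
    else:
        print("constructed Rust sample:", json.dumps(triage_rust_markers(SAMPLE_RUST_RDATA), indent=2))
        print("constructed MSVC sample:", json.dumps(triage_rust_markers(SAMPLE_MSVC_RDATA), indent=2))
```

Run it against a file to get the rustc commit (which pins the compiler release the operator used) and the dependency list, both of which cluster samples across a campaign far better than a file hash. The caveat: these strings are only absent when the author deliberately strips panic locations with nightly build flags or a custom std, so an executable with none of them is evidence against Rust but not proof.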
The Strategic Targeting
By focusing on Pakistan and Bangladesh, SloppyLemming aligns with broader geopolitical trends where state-sponsored or aligned actors target critical infrastructure to gather intelligence or establish pre-positioning for future kinetic or digital conflicts. The timeline (spanning a full year) indicates patience and a focus on "quiet" persistence rather than immediate disruption.
Detection and Threat Hunting
Detecting SloppyLemming requires a shift from signature-based detection to behavioral analysis. Organizations should hunt for the anomalies associated with webshell activity and the execution of unsigned, unfamiliar binaries.
Hunt for Suspicious Webshells (PowerShell)
This script scans common web directories for recently modified script files that contain patterns common to generic webshells. No BurrowShell-specific indicators are confirmed here, so treat hits as triage leads rather than verdicts.
# Hunt for recently modified web script files carrying generic webshell markers.
# Patterns are generic, not BurrowShell-specific; review every hit manually.
$WebRoots   = @("C:\inetpub\wwwroot", "C:\xampp\htdocs")
$DateCutoff = (Get-Date).AddDays(-7)
$Patterns   = "eval\(|base64_decode|System\.Security\.Cryptography|Request\.(Form|QueryString)|cmd\.exe|/bin/sh"
$Extensions = @(".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx")
foreach ($Root in $WebRoots) {
    if (-not (Test-Path $Root)) { continue }
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -gt $DateCutoff -and
            $_.Length -lt 500kb -and
            $Extensions -contains $_.Extension.ToLower() -and
            (Select-String -Path $_.FullName -Pattern $Patterns -Quiet)
        } |
        # CreationTime is included because droppers that timestomp one timestamp often leave the other intact.
        Select-Object FullName, LastWriteTime, CreationTime, Length,
            @{Name="Matches"; Expression={ (Select-String -Path $_.FullName -Pattern $Patterns -AllMatches).Matches.Count }}
}
Identifying Rust-Based Processes (KQL)
The following KQL query for Microsoft Sentinel (Defender XDR advanced hunting schema) surfaces executables launched by common web server and servlet container processes, then enriches them with certificate data from DeviceFileCertificateInfo. The query does not detect Rust as such; it flags binaries with no trusted signature or an empty version resource, which is typical of hand-built Rust and Go payloads but also of plenty of in-house tooling, so the results need analyst review.
DeviceProcessEvents
| where Timestamp > ago(7d)
// Processes spawned directly by common web servers and servlet containers (typical webshell parents)
| where InitiatingProcessFileName in~ ("w3wp.exe", "httpd.exe", "nginx.exe", "java.exe", "php-cgi.exe")
| where FileName endswith ".exe"
// Version-resource fields come with the process event; Rust and Go build pipelines often leave them empty
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, SHA1, SHA256,
          InitiatingProcessFileName, ProcessVersionInfoCompanyName, ProcessVersionInfoFileDescription
// Enrich with signing data; leftouter keeps hashes Defender has never scanned on any device
| join kind=leftouter (
    DeviceFileCertificateInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, Signer
) on SHA1
| where isnull(IsSigned) or IsSigned == false or IsTrusted == false or isempty(ProcessVersionInfoFileDescription)
| summarize Executions = count(), Devices = dcount(DeviceName), Signers = make_set(Signer)
    by FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Executions desc
Mitigation Strategies
Defending against a persistent threat like SloppyLemming requires a layered security posture. Patching alone is insufficient if the attackers have already established a foothold.
- Strict Egress Filtering: Implement firewall rules to block unnecessary outbound traffic. C2 communication often relies on protocols like HTTP/HTTPS or DNS. Monitor for outbound connections to newly registered domains or non-corporate IPs.
- Web Application Hardening: Ensure web-facing servers are patched against known CVEs. Disable unused modules and enforce strict file permission controls to prevent the creation of files in web directories.
- Application Control: Deploy allow-listing policies (AppLocker or similar) to prevent the execution of unauthorized binaries. This is particularly effective against Rust-based payloads which may appear as unsigned executables.
- User Awareness: Given the likelihood of phishing as an entry vector, continuous security awareness training is non-negotiable for government and infrastructure employees.
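The behavioral hunting called for in the Detection section and the egress monitoring in the first mitigation item both come down to the same question: which internal host is talking to which destination, and how regularly. As an added example (written for this article, not code from Arctic Wolf, Security Arsenal's platform, or the SloppyLemming tooling), the script below runs two checks over proxy log lines: a beaconing test that flags (source, destination) pairs whose request intervals are too regular to be human, and a first-seen test that flags destinations absent from a known-good baseline or contacted by raw IP. The log lines, the baseline set, and the thresholds (five hits, coefficient of variation at or below 0.10) are constructed for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real telemetry): "timestamp src dst_host bytes".
# 10.20.5.14 checks in with api.relay-node.net roughly every 300 s; the rest is noise.
SAMPLE_LOG = """\
2026-01-10T08:00:00Z 10.20.5.14 cdn.example-vendor.com 18342
2026-01-10T08:00:03Z 10.20.5.14 updates.example-vendor.com 91233
2026-01-10T08:05:00Z 10.20.5.14 api.relay-node.net 412
2026-01-10T08:10:02Z 10.20.5.14 api.relay-node.net 415
2026-01-10T08:14:59Z 10.20.5.14 api.relay-node.net 410
2026-01-10T08:20:01Z 10.20.5.14 api.relay-node.net 413
2026-01-10T08:24:58Z 10.20.5.14 api.relay-node.net 411
2026-01-10T08:30:00Z 10.20.5.14 api.relay-node.net 416
2026-01-10T08:02:11Z 10.20.5.22 mail.example-vendor.com 2031
2026-01-10T08:31:40Z 10.20.5.22 mail.example-vendor.com 1877
2026-01-10T09:12:05Z 10.20.5.22 mail.example-vendor.com 2210
2026-01-10T08:07:30Z 10.20.5.31 203.0.113.77 7731
"""
# Constructed baseline: destinations seen during a clean observation window.
BASELINE_DOMAINS = {"cdn.example-vendor.com", "updates.example-vendor.com", "mail.example-vendor.com"}


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return events


def find_beacons(events: list, min_hits: int = 5, max_cv: float = 0.10) -> list:
    """Flag (src, dst) pairs whose inter-request intervals are suspiciously regular.

    Regularity is measured as coefficient of variation (stdev / mean) of the gaps;
    a low CV with enough hits is the classic beacon signature. Implants that add
    jitter push the CV up, so loosen max_cv (and raise min_hits) when hunting for them.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "hits": len(times), "mean_interval_s": mean, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_new_destinations(events: list, baseline: set) -> dict:
    """Destinations outside the baseline, or reached by raw IP, mapped to the hosts that contacted them."""
    flagged = defaultdict(set)
    for _, src, dst, _ in events:
        if dst not in baseline or is_bare_ip(dst):
            flagged[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in flagged.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for b in find_beacons(evts):
        print(f"beacon candidate: {b['src']} -> {b['dst']} ({b['hits']} hits, ~{b['mean_interval_s']:.0f}s, cv={b['cv']:.3f})")
    for dst, srcs in find_new_destinations(evts, BASELINE_DOMAINS).items():
        print(f"new destination: {dst} contacted by {', '.join(srcs)}")
```

On the sample this reports one beacon candidate (10.20.5.14 to api.relay-node.net, about 300 s apart) and two unknown destinations; the mail traffic, irregular and below the hit threshold, is correctly ignored. In production, feed it a day of proxy or firewall logs per host and build the baseline from a window you trust; the design choice that matters is that neither check depends on a signature, so a fresh C2 domain or a renamed Rust payload is caught by how it behaves.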
Conclusion
The SloppyLemming campaign serves as a stark reminder that cyber threats are constantly upgrading their toolkits, leveraging languages like Rust to evade traditional defenses. For organizations in the public sector and critical infrastructure, the time to move from reactive monitoring to proactive threat hunting is now.