India-Linked SloppyLemming Hackers Exploit Cloud Services for Cyber Espionage

An advanced cyber threat actor with links to India, known as SloppyLemming, has been observed leveraging multiple cloud service providers to carry out credential harvesting, malware distribution, and command-and-control (C2) operations. Cloudflare, a leading web infrastructure and security company, is actively tracking this group under various aliases, including Outrider Tiger and Fishing Elephant.

Since late 2022, SloppyLemming has been using Cloudflare Workers as part of an espionage campaign that primarily targets countries in South and East Asia. According to Cloudflare, SloppyLemming has been active since at least July 2021, employing malware such as Ares RAT and WarHawk—both linked to the hacking group SideWinder. Additionally, Ares RAT has ties to SideCopy, a threat actor believed to be of Pakistani origin.

SloppyLemming’s targets include government, law enforcement, energy, education, telecommunications, and technology sectors in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.

Their attack methods typically involve spear-phishing emails designed to create urgency, tricking victims into clicking malicious links. These links lead to credential harvesting pages, enabling unauthorized access to email accounts in key organizations.

A custom-built tool called CloudPhish plays a central role in the attack chain. It creates malicious Cloudflare Workers to log and exfiltrate victim credentials. Some attacks have also captured Google OAuth tokens and used booby-trapped RAR archives (such as "CamScanner 06-10-2024 15.29.rar") that exploit a WinRAR vulnerability (CVE-2023-38831) to achieve remote code execution.

The RAR files contain an executable designed to display a decoy document while stealthily loading CRYPTSP.dll, a downloader that installs a remote access trojan hosted on Dropbox.

Cybersecurity company SEQRITE previously reported a similar campaign by SideCopy, targeting Indian government and defense sectors with Ares RAT distributed via ZIP files exploiting the same vulnerability.

In a third attack sequence, SloppyLemming uses spear-phishing lures to lead targets to a fraudulent website impersonating the Punjab Information Technology Board (PITB) in Pakistan. Victims are then redirected to another site containing a malicious internet shortcut (URL) file. This URL file downloads a legitimate executable that is used to sideload a rogue DLL, establishing communication with a Cloudflare Worker acting as an intermediary to relay requests to the actual C2 domain.
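The CRYPTSP.dll downloader described earlier and the rogue DLL sideloaded by a legitimate executable in this third chain both depend on a trusted process loading a DLL from the wrong location. The following Python detector is an added example, not code from Cloudflare's report; it flags Sysmon-style ImageLoad records in which a DLL carrying a Windows system DLL name is loaded from outside the system directories, and notes when the DLL sits in the loading process's own directory. The event records, the decoy.exe path and the DLL names other than cryptsp.dll are constructed assumptions.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Directories from which a genuine Windows system DLL is expected to load.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# System DLL names that sideloading impersonates. cryptsp.dll is the name reported
# for this campaign; the others are constructed entries showing how the set would
# be extended from an inventory of a clean System32.
SYSTEM_DLL_NAMES = {"cryptsp.dll", "version.dll", "dwmapi.dll", "userenv.dll"}

# Constructed Sysmon-style Event ID 7 (ImageLoad) records, not real telemetry:
# a legitimate load of cryptsp.dll, a rogue CRYPTSP.dll placed beside a decoy
# executable in a user-writable directory, and an unrelated vendor DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptsp.dll"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\decoy.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\CRYPTSP.dll"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll"},
]


def _under_trusted_dir(directory: str) -> bool:
    """True if a lower-cased Windows directory path lies in a trusted system dir."""
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def sideload_reason(event: dict) -> Optional[str]:
    """Return why an ImageLoad event looks like DLL sideloading, or None if benign."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    name = loaded.name.lower()
    dll_dir = str(loaded.parent).lower()
    if name not in SYSTEM_DLL_NAMES or _under_trusted_dir(dll_dir):
        return None
    exe_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    if dll_dir == exe_dir:
        return f"{name} loaded from the process's own directory {dll_dir}"
    return f"{name} loaded from untrusted directory {dll_dir}"


def find_sideloads(events: list) -> list:
    """Return the flagged events, each with its Reason attached."""
    return [{**e, "Reason": r} for e in events if (r := sideload_reason(e))]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["Reason"])
```

On real telemetry the system DLL set should be built from a clean host's System32 inventory, and the hit list fed to the same pipeline that already correlates process creation with the spear-phishing delivery described above.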

Cloudflare has identified a concerted effort by SloppyLemming to target Pakistani police departments and law enforcement organizations. Furthermore, there are indications that entities involved in Pakistan's nuclear power operations have also been targeted.

In addition to Pakistani institutions, SloppyLemming has been observed targeting Sri Lankan and Bangladeshi government and military organizations, as well as Chinese energy and academic entities.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067