
The campaign demonstrates how regional state‑aligned actors can infiltrate high‑value sectors, raising geopolitical cyber‑risk for South Asian critical infrastructure.
The emergence of SloppyLemming underscores a growing trend of state‑aligned cyber‑espionage in South Asia. While earlier reports from Cloudflare highlighted a 2022‑2024 focus on Pakistan, the latest Arctic Wolf findings reveal an expanded operation that now includes Bangladesh and Sri Lanka. By leveraging cloud‑based domains that appear legitimate, the actors bypass traditional perimeter defenses, illustrating how geopolitical tensions translate into sophisticated digital campaigns aimed at gathering intelligence for national interests.
Technically, the group employed a two‑pronged approach: malicious PDFs delivering the BurrowShell backdoor and Excel spreadsheets embedding keyloggers with reconnaissance capabilities. Both payloads exploit social engineering tactics, displaying a fake "PDF reader is disabled" message to coax victims into enabling malicious macros. Although the attackers demonstrate moderate capability—evident in multi‑stage execution chains and Windows internals knowledge—their operational security lapses, such as exposed directories, betray a less disciplined tradecraft compared with elite APT groups. This blend of skill and sloppiness gives defenders a foothold for attribution and mitigation.
The targeting of nuclear regulators, energy utilities, and telecom providers raises alarm bells for regional stability. Disruption or data exfiltration from these sectors could impair essential services and compromise national security. Incident responders are urged to tighten email filtering, enforce macro restrictions, and monitor for anomalous domain activity linked to the 112 identified Cloudflare hosts. As India‑nexus actors continue to refine their tactics, governments and private operators must adopt a proactive, intelligence‑driven posture to safeguard critical infrastructure against similar incursions.
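Two of the responder actions above (macro restrictions and watching for anomalous domain activity) can be checked in telemetry. The following is an added example, not code from the Arctic Wolf or Cloudflare reports: it flags Office processes that spawn scripting hosts and DNS queries for watchlisted domains. The log lines, hostnames and watchlist entries are constructed placeholders; the 112 Cloudflare hosts are not reproduced here.

```python
"""Detection logic for two mitigations: Office processes launching scripting
hosts (a sign a lure talked the user into enabling macros) and DNS lookups for
domains on an analyst-supplied watchlist. Log lines and watchlist are constructed."""
import re

# Constructed placeholder watchlist; the report's 112 Cloudflare hosts are not reproduced here.
WATCHLIST = {"lure-portal.example", "docs-update.example"}

# Scripting hosts and LOLBins that Excel or Word should not be spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"excel.exe", "winword.exe"}

PROC_RE = re.compile(r'event=process_create parent="(?P<parent>[^"]+)" image="(?P<image>[^"]+)"')
DNS_RE = re.compile(r"event=dns_query host=(?P<host>\S+) query=(?P<query>\S+)")

def on_watchlist(name, watchlist=WATCHLIST):
    """Exact or subdomain match: cdn.lure-portal.example hits lure-portal.example,
    but notlure-portal.example does not (the leading dot matters)."""
    name = name.lower().rstrip(".")
    return any(name == w or name.endswith("." + w) for w in watchlist)

def analyse(lines, watchlist=WATCHLIST):
    """Return (line_no, reason) alerts for a list of Sysmon-style log lines."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = PROC_RE.search(line)
        if m:
            parent = m["parent"].rsplit("\\", 1)[-1].lower()
            child = m["image"].rsplit("\\", 1)[-1].lower()
            if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
                alerts.append((n, f"office macro spawn: {parent} -> {child}"))
            continue
        m = DNS_RE.search(line)
        if m and on_watchlist(m["query"], watchlist):
            alerts.append((n, f"watchlisted domain: {m['query']} from {m['host']}"))
    return alerts

# Constructed sample events: macro spawn, benign spawn, watchlist hit, benign lookup, near-miss.
SAMPLE_LOG = [
    'event=process_create parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" image="C:\\Windows\\System32\\cmd.exe"',
    'event=process_create parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\cmd.exe"',
    "event=dns_query host=ws-finance-07 query=cdn.lure-portal.example",
    "event=dns_query host=ws-finance-07 query=intranet.corp.example",
    "event=dns_query host=ws-hr-02 query=notlure-portal.example",
]

if __name__ == "__main__":
    for line_no, reason in analyse(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The suffix check deliberately requires a leading dot so that look-alike registrations such as notlure-portal.example do not produce false positives against a listed parent domain.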