A sophisticated threat actor linked to India has been observed leveraging multiple cloud services to carry out credential theft, malware distribution, and command-and-control (C2) operations. Cloudflare, a leading web security and infrastructure company, is tracking this activity under the alias SloppyLemming, also known as Outrider Tiger and Fishing Elephant.
According to Cloudflare’s analysis, SloppyLemming has been active since at least July 2021, with recent activity between late 2022 and now. The group is believed to be conducting a widespread espionage campaign targeting South and East Asian countries, utilizing Cloudflare Workers as part of their operations.
Previous campaigns attributed to SloppyLemming have used malware such as Ares RAT and WarHawk. The latter is connected to the SideWinder group, while Ares RAT has ties to SideCopy, a threat actor believed to operate from Pakistan.
SloppyLemming’s targets span various sectors, including government, law enforcement, energy, telecommunications, and technology, across countries like Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia. The group’s attack methods often involve spear-phishing emails designed to deceive recipients into clicking malicious links by creating a sense of urgency, such as demanding the completion of a critical task within 24 hours.
Victims who click the link are directed to credential-stealing pages, allowing the attackers to access email accounts of interest. SloppyLemming uses a custom tool called CloudPhish to create malicious Cloudflare Workers that manage the credential collection and exfiltration process.
Additionally, some attacks use techniques to capture Google OAuth tokens and exploit a vulnerability in WinRAR (CVE-2023-38831) to achieve remote code execution via booby-trapped RAR files. These files contain executables that discreetly download malware from Dropbox.
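For defenders triaging attachments, the archive layout that CVE-2023-38831 relies on can be spotted before anything is extracted. The script below is an added example, not code from the article or from Cloudflare's research; it assumes (from the public vulnerability description, not this page) that the booby-trapped archive pairs a decoy file such as `Urgent_Task.pdf ` with a same-named directory holding an executable such as `Urgent_Task.pdf .cmd`, which affected WinRAR versions run when the decoy is opened. The sample listings are constructed; a real one could come from `rarfile.RarFile(path).namelist()`.

```python
"""Heuristic scan of an archive member listing for the CVE-2023-38831 layout.

Assumption (not stated in the article): the malicious RAR pairs a top-level
decoy file "X.pdf " (often with a trailing space) with a directory "X.pdf /"
containing an executable whose name starts with the decoy name, e.g.
"X.pdf .cmd". Only member names are inspected; nothing is extracted.
"""
import posixpath
from typing import Dict, Iterable, List

# Extensions Windows would hand to the shell as executables.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".scr", ".vbs", ".js",
                   ".ps1", ".com", ".pif", ".lnk", ".hta"}

# Constructed sample listings in the shape rarfile.RarFile.namelist() returns.
SUSPICIOUS_LISTING = [
    "Urgent_Task.pdf ",                           # decoy with trailing space
    "Urgent_Task.pdf /Urgent_Task.pdf .cmd",      # payload in same-named dir
    "Urgent_Task.pdf /Urgent_Task.pdf",           # real document shown to user
    "images/logo.png",
]
BENIGN_LISTING = ["report.pdf", "attachments/report.pdf", "attachments/notes.txt"]


def _directories(entries: Iterable[str]) -> set:
    """Infer every directory path implied by the member names."""
    dirs = set()
    for entry in entries:
        parts = entry.strip("/").split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
        if entry.endswith("/"):
            dirs.add(entry.rstrip("/"))
    return dirs


def find_cve_2023_38831_candidates(entries: Iterable[str]) -> List[Dict[str, object]]:
    """Return (decoy, payload) pairs matching the file/directory name collision.

    Comparisons are case-insensitive because the target filesystem is Windows.
    """
    entries = list(entries)
    dirs_lower = {d.lower() for d in _directories(entries)}
    files = [e for e in entries if not e.endswith("/")]
    findings = []
    for decoy in files:
        # The decoy must be a top-level file that also names a directory.
        if "/" in decoy or decoy.lower() not in dirs_lower:
            continue
        prefix = decoy.lower() + "/"
        for child in files:
            if not child.lower().startswith(prefix):
                continue
            base = child[len(prefix):]
            if "/" in base:               # only direct children of that directory
                continue
            ext = posixpath.splitext(base)[1].lower()
            if ext in EXECUTABLE_EXTS and base.lower().startswith(decoy.lower()):
                findings.append({
                    "decoy": decoy,
                    "payload": child,
                    "trailing_space": decoy != decoy.rstrip(),
                })
    return findings


if __name__ == "__main__":
    for label, listing in (("suspicious", SUSPICIOUS_LISTING), ("benign", BENIGN_LISTING)):
        print(label, find_cve_2023_38831_candidates(listing))
```

The check is deliberately narrow: it flags only a top-level file whose name collides with a directory that contains an executable carrying the decoy's name as a prefix, so ordinary archives with a document and an `attachments/` folder do not trip it. Patching WinRAR to 6.23 or later removes the underlying bug; this scan is a mail-gateway or sandbox pre-filter, not a substitute.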
Cloudflare has also noted similarities between SloppyLemming’s tactics and previous campaigns linked to SideCopy, which targeted Indian government and defense sectors using malicious ZIP files that exploited the same WinRAR vulnerability.
Another infection method employed by SloppyLemming involves phishing schemes that lead targets to fake websites, such as a page mimicking the Punjab Information Technology Board (PITB) in Pakistan. Victims are redirected to a site that triggers the download of an executable file, which in turn sideloads a malicious DLL to communicate with the threat actor’s C2 domain via a Cloudflare Worker.
Cloudflare’s research highlights concerted efforts by SloppyLemming to target Pakistani police and law enforcement agencies, as well as organizations associated with Pakistan’s nuclear power infrastructure. The group has also aimed its credential harvesting attacks at government and military entities in Sri Lanka and Bangladesh, as well as Chinese energy and academic institutions.