The advanced persistent threat (APT) group known as "Sloppy Lemming," which is linked to India, has ramped up its operations over the past year. This group has adopted more advanced tactics, targeting nuclear regulatory organizations, defense contractors, and critical infrastructure in Pakistan and Bangladesh, among other South and Southeast Asian entities.
According to cybersecurity firm Arctic Wolf, Sloppy Lemming has transitioned from using readily available red teaming tools, such as Cobalt Strike and Havoc C2, to developing its own customized tools written in the Rust programming language. Additionally, the group has expanded its command-and-control (C2) infrastructure significantly, growing from 13 domains to at least 112 within a year.
Ismael Valenzuela, vice president of threat intelligence research at Arctic Wolf, notes that the evolution of this group's tactics, techniques, and procedures (TTPs) reflects a growing sophistication among cyber-espionage groups operating on behalf of specific nations in the region.
"In the past, we primarily observed a few nation-state groups, some cybercriminal organizations, and occasionally some hacktivist groups in the area," Valenzuela explains. "What we are witnessing now is a surge in the number of groups, increased activity, and a heightened effort to obtain critical information through regionalized cyber-espionage campaigns."
This threat report emerges amid escalating tensions in South Asia. On March 3, Pakistan's president, Asif Ali Zardari, asserted that India was preparing for military actions and urged the country to "move away from the war theatre." In late February, following terrorist bombings at a mosque and a security post within Pakistan, the military targeted alleged militant bases inside Afghanistan. Similarly, India conducted airstrikes against targets in Pakistan during Operation Sindoor in May 2025.
India-Backed Cyber Operations on the Rise
As tensions rise in the Asia Pacific region, cyber operations have become increasingly normalized. Unlike Chinese or Russian threat groups that often exploit zero-day vulnerabilities, India-linked cyber-espionage actors typically rely on phishing and credential theft, according to Arctic Wolf's recent threat report.
Sloppy Lemming, which is also associated with groups identified by other researchers as Outrider Tiger and Fishing Elephant, employs two primary attack methods. One involves using a PDF lure to redirect victims to an attack, while the other utilizes macro-enabled Excel documents to deliver a Rust-based keylogger.
Several groups associated with Sloppy Lemming appear to be acting on behalf of India, as indicated by various cybersecurity firms. Proofpoint, a messaging security provider, tracks five known groups linked to India, including TA397, also known as Bitter, which has some overlap with Sloppy Lemming. Additionally, TA399 and TA395, recognized as Sidewinder and Frantic Tiger, respectively, share similar lure strategies, compromised accounts, and occasionally target the same individuals.
"This pattern suggests shared resources and/or coordinated efforts across some India-aligned groups, even if these teams are distinct," Proofpoint researchers stated.
There are, however, clear distinctions among these entities. Kaspersky monitors several India-linked groups, including Fishing Elephant, which Arctic Wolf also associates with Sloppy Lemming. Yet, two other groups, Dropping Elephant and Mysterious Elephant, do not overlap with Sloppy Lemming, according to Noushin Shabab, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).
"These groups appear to be separate entities with unique characteristics, and we have found no evidence suggesting they are operational sub-groups or the same actor," Shabab explains. "This distinction is crucial, as it indicates that each group has its own objectives, motivations, and areas of focus, and should be analyzed independently to fully understand their activities and potential impacts."
Mysterious Elephant primarily targets diplomatic, military, and defense organizations in Pakistan and Bangladesh, while Sloppy Lemming and Fishing Elephant focus on sectors such as nuclear, defense, logistics, and telecommunications, according to Arctic Wolf.
Sloppy Lemming Lives Up to Its Name
In addition to Sloppy Lemming, other notable actors in the region have begun utilizing Rust and other programming languages that complicate reverse engineering, says Kaspersky's Shabab. The increasing use of Cloudflare Workers, Pages, and protected domains is also noted among Indian APT groups as a method for hosting attacker-controlled pages and C2 servers.
"This shift toward serverless and edge-hosted C2 infrastructure indicates that attackers are aiming to leverage the anonymity and scalability offered by cloud services to avoid detection and enhance their operational efficiency," Shabab remarks. "Utilizing these cloud-based services allows attackers to dynamically deliver payloads, obscure their infrastructure, and evade traditional security measures."
Sloppy Lemming's tactics, which include using lures with Excel macros, suggest a focus on organizations with weak security practices or those utilizing pirated software, according to Arctic Wolf's Valenzuela. While there are signs of increased sophistication, such as their use of Rust, custom tools, and a C2 channel through Cloudflare Workers, the group has also made notable operational errors, like running some of their C2 infrastructure with open directories, enabling threat researchers to access it.
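The two delivery patterns described above (macro-enabled Excel lures) and the serverless edge-hosted C2 noted by Kaspersky and Arctic Wolf translate into a simple correlation rule a SOC can run over its own mail-gateway and web-proxy telemetry. The script below is an added example written for this page, not code from Arctic Wolf, Kaspersky or Proofpoint, and it is not a Sloppy Lemming indicator list. The event schema, the users and hostnames in the sample log, the 60-minute correlation window and the Cloudflare default hostname suffixes (workers.dev, pages.dev) are all assumptions; the sample events are constructed, not observed telemetry.

```python
"""Mail-lure + edge-hosted callback triage (added example, constructed data).

Flags two things from a JSON-lines event stream:
  1. macro-enabled Office attachments (and, at low severity, PDF attachments)
     arriving by mail;
  2. outbound web requests to serverless edge hosting (assumed Cloudflare
     Workers/Pages default hostnames), escalated to high severity when the same
     user received a macro-enabled attachment shortly before.
"""
import json
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Extensions that can carry VBA macros. Assumed list; extend as needed.
MACRO_EXTENSIONS = {".xlsm", ".xlam", ".docm", ".dotm", ".pptm"}
# Assumed Cloudflare default hostname suffixes for Workers and Pages.
EDGE_SUFFIXES = ("workers.dev", "pages.dev")
# How long after a macro lure an edge-hosted callback is treated as related.
CORRELATION_WINDOW = timedelta(minutes=60)

# Constructed sample events; users and hosts are invented for the example.
SAMPLE_EVENTS = """\
{"type": "mail", "ts": "2025-03-01T09:00:00", "user": "analyst1", "attachment": "tender_notice.xlsm"}
{"type": "mail", "ts": "2025-03-01T09:05:00", "user": "analyst2", "attachment": "invoice.pdf"}
{"type": "proxy", "ts": "2025-03-01T09:12:00", "user": "analyst1", "host": "update-check.workers.dev", "method": "POST"}
{"type": "proxy", "ts": "2025-03-01T10:30:00", "user": "analyst3", "host": "docs.example.com", "method": "GET"}
{"type": "proxy", "ts": "2025-03-01T11:00:00", "user": "analyst2", "host": "cdn.workers.dev.example.com", "method": "GET"}
{"type": "proxy", "ts": "2025-03-01T14:00:00", "user": "analyst4", "host": "static-site.pages.dev", "method": "GET"}
"""


def classify_attachment(filename):
    """Return 'macro_office', 'pdf' or None based on the file extension."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext in MACRO_EXTENSIONS:
        return "macro_office"
    if ext == ".pdf":
        return "pdf"
    return None


def is_edge_hosted(host):
    """True if host is exactly an edge suffix or a subdomain of one.

    The boundary check matters: 'cdn.workers.dev.example.com' must not match,
    so a plain endswith('workers.dev') would be wrong.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in EDGE_SUFFIXES)


def parse_events(jsonl):
    """Parse JSON lines into dicts with datetime timestamps, sorted by time."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def triage(jsonl):
    """Run the rules over the stream and return a list of findings."""
    findings = []
    recent_lures = {}  # user -> timestamp of last macro-enabled attachment
    for ev in parse_events(jsonl):
        if ev["type"] == "mail":
            kind = classify_attachment(ev["attachment"])
            if kind == "macro_office":
                recent_lures[ev["user"]] = ev["ts"]
                findings.append({"rule": "macro_attachment", "severity": "medium",
                                 "user": ev["user"], "detail": ev["attachment"]})
            elif kind == "pdf":
                findings.append({"rule": "pdf_attachment", "severity": "low",
                                 "user": ev["user"], "detail": ev["attachment"]})
        elif ev["type"] == "proxy" and is_edge_hosted(ev["host"]):
            lure_ts = recent_lures.get(ev["user"])
            if lure_ts is not None and ev["ts"] - lure_ts <= CORRELATION_WINDOW:
                # Macro lure followed by an edge-hosted callback from the same user.
                findings.append({"rule": "macro_then_edge_beacon", "severity": "high",
                                 "user": ev["user"], "detail": ev["host"]})
            else:
                findings.append({"rule": "edge_hosted_callback", "severity": "medium",
                                 "user": ev["user"], "detail": ev["host"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the constructed sample this yields four findings: the macro attachment to analyst1, the PDF to analyst2, a high-severity correlated hit for analyst1's POST to a workers.dev host twelve minutes after the lure, and a medium-severity standalone hit for analyst4's pages.dev request. The request to cdn.workers.dev.example.com is correctly ignored because the suffix check respects label boundaries. In production the edge suffixes would be tuned against legitimate business use, since plenty of benign sites run on the same hosting.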