The India-linked advanced persistent threat (APT) “Sloppy Lemming” has significantly increased its operational tempo over the past year, adopting more sophisticated tactics to target nuclear-regulatory organizations, defense firms, and critical infrastructure in Pakistan and Bangladesh, among other South and Southeast Asian targets.
The group has evolved from using off-the-shelf red teaming tools like Cobalt Strike and Havoc C2 to developing its own custom tooling written in the Rust programming language, while expanding its command-and-control (C2) infrastructure — based on Cloudflare’s serverless Workers service — to at least 112 domains, up from 13 domains a year ago, according to cybersecurity firm Arctic Wolf.
The group’s tactics, techniques, and procedures (TTPs) show how cyber-espionage groups working for specific nations in the region have become more adept at their craft, says Ismael Valenzuela, vice president of threat intelligence research at Arctic Wolf.
“Years ago, we would only see some nation-state groups, some cybercriminal groups, and maybe some hacktivist groups in the region,” he says. “What we’re seeing now is more groups and more noise and more people trying to get [critical] information and more regionalized cyber-espionage campaigns as well.”
The threat report comes as tensions in South Asia have increased significantly in the past few weeks. On March 3, Pakistan’s president Asif Ali Zardari claimed that India is preparing for military actions and called for the country to “move away from the war theatre,” according to reports. In late February, following terrorist bombings at a mosque and a security post inside Pakistan, the country’s military struck at alleged militant bases inside Afghanistan. Similarly, India used air attacks to strike at targets inside Pakistan during Operation Sindoor in May 2025.
India-Backed Cyber Operations Ramp Up
As tensions in the Asia Pacific region climb, cyber operations have become much more normalized. Unlike Chinese or Russian threat groups, which often use zero-day exploits to attack edge devices, the India-linked cyber-espionage groups rely heavily on phishing and credential theft, according to Arctic Wolf’s threat report this week.
Sloppy Lemming, which is also connected to groups identified by other threat researchers as Outrider Tiger and Fishing Elephant, uses two attack chains: one uses a PDF lure to redirect victims to an attack, and the other uses macro-enabled Excel documents to deliver a Rust-based keylogger, Arctic Wolf stated.
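The two delivery chains described above (a PDF lure that redirects the reader, and a macro-enabled Excel document that drops the keylogger) both leave signs a mail gateway or triage script can check before a user ever opens the file. The following Python is an added example written for this article, not code from Arctic Wolf or from the group’s tooling: it opens an attachment as an OOXML container and flags a VBA project part, and scans a PDF for link annotations that point to external hosts. The sample documents, the allowlisted host and the `ALLOWED_HOSTS` name are constructed for the demonstration.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# OOXML parts that hold VBA code in Excel, Word and PowerPoint files.
MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that should never carry macros; a VBA part behind one of these is suspicious.
MACRO_FREE_EXTENSIONS = (".xlsx", ".docx", ".pptx")
# PDF link action in literal-string form: /A << /S /URI /URI (http://...) >>
# (the hex-string form /URI <...> is not covered here; constructed scope limit).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Constructed allowlist of hosts a document may legitimately link to.
ALLOWED_HOSTS = {"www.example.org"}


def build_xlsm(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML workbook, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # OLE2 magic followed by padding; stands in for a real VBA project blob.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def build_pdf(uri: str = "") -> bytes:
    """Build a minimal constructed PDF; if uri is given, embed a /URI link annotation."""
    annot = b""
    if uri:
        annot = (b"4 0 obj << /Type /Annot /Subtype /Link "
                 b"/A << /S /URI /URI (" + uri.encode() + b") >> >> endobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            + annot + b"trailer << /Root 1 0 R >>\n%%EOF\n")


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of finding tags for one attachment (empty list = nothing flagged)."""
    findings = []
    lower = filename.lower()
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
        if any(part in names for part in MACRO_PARTS):
            findings.append("office_macro")
            if lower.endswith(MACRO_FREE_EXTENSIONS):
                findings.append("macro_extension_mismatch")
    elif data.startswith(b"%PDF"):
        for match in URI_RE.finditer(data):
            uri = match.group(1).decode("latin-1", errors="replace")
            host = (urlsplit(uri).hostname or "").lower()
            if host and host not in ALLOWED_HOSTS:
                findings.append(f"pdf_external_link:{host}")
    return findings


if __name__ == "__main__":
    samples = [
        ("tender.xlsm", build_xlsm(with_macro=True)),
        ("report.xlsx", build_xlsm(with_macro=True)),
        ("budget.xlsx", build_xlsm(with_macro=False)),
        ("notice.pdf", build_pdf("http://lure.example.invalid/login")),
        ("memo.pdf", build_pdf()),
    ]
    for name, blob in samples:
        print(f"{name}: {triage_attachment(name, blob) or 'clean'}")
```

The macro check looks at the container rather than the file name, so a renamed document is caught; the PDF check only reports hosts outside the allowlist, which keeps routine corporate links out of the alert queue.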
However, at least a handful of Sloppy Lemming-related groups appear to be taking actions on behalf of India, according to cybersecurity firms. Messaging security provider Proofpoint tracks five known groups linked to India, including TA397, which the company’s researchers also call Bitter, a threat group that has some overlap with Sloppy Lemming. Meanwhile, two others, TA399 and TA395 — aka Sidewinder and Frantic Tiger, respectively — share lure themes and compromised accounts, and sometimes target the same individuals, Proofpoint researchers tell Dark Reading.
“This pattern suggests shared resourcing and/or coordinated tasking across some India-aligned clusters, even if the teams may be distinct,” the researchers stated.
These could be different teams within an intelligence organization, different contractors working with the same government client, or just a reuse of resources across operations, they said.
There are some distinct entities, however. Kaspersky tracks a number of India-nexus groups, including Fishing Elephant, which Arctic Wolf also linked to Sloppy Lemming; but two other groups, Dropping Elephant and Mysterious Elephant, do not overlap with Sloppy Lemming, says Noushin Shabab, lead security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
“They appear to be separate entities with their own unique characteristics, and we have not found any evidence to suggest that they are operational sub-groups or the same actor,” he says. “This distinction is important, as it implies that each group has its own goals, motivations, and areas of focus, and should be tracked and analyzed separately to fully understand their activities and potential impacts.”
Mysterious Elephant primarily targets diplomatic, military, and defense institutions in Pakistan and Bangladesh, according to Kaspersky. Sloppy Lemming and Fishing Elephant instead focus on nuclear, defense, logistics, and telecommunications providers, according to Arctic Wolf.
Sloppy Lemming Lives Up to Its Name
Aside from Sloppy Lemming, other prominent actors in the region have started using Rust, as well as other languages that make reverse engineering more challenging, says Kaspersky’s Shabab. The use of Cloudflare Workers, Pages, and protected domains is also on the rise among Indian APT groups as a way of hosting attacker-controlled pages and C2 servers, he adds.
“This expansion into serverless and edge-hosted C2 infrastructure suggests that attackers are seeking to leverage the anonymity and scalability offered by cloud services to evade detection and improve their operational efficiency,” Shabab says. “The use of these cloud-based services allows attackers to dynamically deliver payloads, obscure their infrastructure, and evade traditional security controls.”
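Because Workers and Pages deployments sit on shared, reputable infrastructure, blocking the provider outright is rarely an option; what a defender can do is inventory which serverless hostnames the organization actually uses and alert on anything else. The Python below is an added example written for this article, not code from Arctic Wolf or Kaspersky: it parses constructed web-proxy log lines, picks out hostnames under the `.workers.dev` and `.pages.dev` suffixes, and counts requests to hosts that are not on a business allowlist. The log format, the source addresses, the hostnames and the `APPROVED_SERVERLESS_HOSTS` set are all constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostname suffixes used by Cloudflare's serverless hosting products.
SERVERLESS_SUFFIXES = (".workers.dev", ".pages.dev")
# Constructed allowlist: serverless hosts the business knowingly depends on.
APPROVED_SERVERLESS_HOSTS = {"intranet-tools.pages.dev"}

# Constructed proxy log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log lines; the workers.dev hostname is invented for the example.
SAMPLE_LOG = [
    "2026-03-04T10:00:01Z 10.0.0.5 GET https://update-check.example-acct.workers.dev/ping 200",
    "2026-03-04T10:01:01Z 10.0.0.5 GET https://update-check.example-acct.workers.dev/ping 200",
    "2026-03-04T10:02:01Z 10.0.0.5 POST https://update-check.example-acct.workers.dev/upload 200",
    "2026-03-04T10:02:30Z 10.0.0.7 GET https://intranet-tools.pages.dev/index.html 200",
    "2026-03-04T10:03:00Z 10.0.0.7 GET https://www.example.com/ 200",
    "malformed line that the parser must skip",
]


def parse_line(line: str):
    """Parse one proxy log line into a dict with a lower-cased host, or None if malformed."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["host"] = (urlsplit(record["url"]).hostname or "").lower()
    return record


def is_serverless_host(host: str) -> bool:
    """True if the host lives under one of the serverless hosting suffixes."""
    return host.endswith(SERVERLESS_SUFFIXES)


def find_unapproved_serverless(lines, approved=APPROVED_SERVERLESS_HOSTS) -> Counter:
    """Count requests per (source, host) for serverless hosts not on the allowlist."""
    hits = Counter()
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue  # unparsable line: skip rather than crash the whole run
        host = record["host"]
        if is_serverless_host(host) and host not in approved:
            hits[(record["src"], host)] += 1
    return hits


if __name__ == "__main__":
    for (src, host), count in find_unapproved_serverless(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {host}: {count} request(s) to unapproved serverless host")
```

A per-source count rather than a single boolean is deliberate: repeated small requests from one workstation to one unknown Workers hostname is the shape of a beacon, and the count gives an analyst something to sort on when the allowlist is still being built.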
Sloppy Lemming’s tactics, which include using lures with Excel macros, suggest they are targeting organizations with poor security hygiene or those using pirated software, Arctic Wolf’s Valenzuela says. Overall, while they showed some signs of increasing sophistication — their use of Rust, custom tools, and a C2 channel using Cloudflare Workers — the group has also made significant head-smacking mistakes, such as operating some of the C2 infrastructure with open directories, which allowed threat researchers to gain access, he says.
“Sometimes we always talk about how sophisticated these adversaries may be, but the operational security that these guys have is not on par with a lot of other groups that are usually doing cyber-espionage campaigns,” he says. “They continue to be Sloppy Lemming.”
