Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

India-Linked Hackers Targeting Pakistani Government, Law Enforcement

The India-linked threat actor SloppyLemming has been targeting government, law enforcement, and other entities in Pakistan.

A threat actor likely operating out of India is relying on various cloud services to conduct cyberattacks against energy, defense, government, telecommunication, and technology entities in Pakistan, Cloudflare reports.

Tracked as SloppyLemming, the group’s operations align with Outrider Tiger, a threat actor that CrowdStrike previously linked to India, and which is known for the use of adversary emulation frameworks such as Sliver and Cobalt Strike in its attacks.

Since 2022, the hacking group has been observed relying on Cloudflare Workers in espionage campaigns targeting Pakistan and other South and East Asian countries, including Bangladesh, China, Nepal, and Sri Lanka. Cloudflare has identified and mitigated 13 Workers associated with the threat actor.

“Outside of Pakistan, SloppyLemming’s credential harvesting has focused primarily on Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities,” Cloudflare reports.

The threat actor, Cloudflare says, appears particularly interested in compromising Pakistani police departments and other law enforcement organizations, and likely targeting entities associated with Pakistan’s sole nuclear power facility.

“SloppyLemming extensively uses credential harvesting as a means to gain access to targeted email accounts within organizations that provide intelligence value to the actor,” Cloudflare notes.

Advertisement. Scroll to continue reading.

Using phishing emails, the threat actor delivers malicious links to its intended victims, relies on a custom tool named CloudPhish to create a malicious Cloudflare Worker for credential harvesting and exfiltration, and uses scripts to collect emails of interest from the victims’ accounts.

In some attacks, SloppyLemming would also attempt to collect Google OAuth tokens, which are delivered to the actor over Discord. Malicious PDF files and Cloudflare Workers were seen being used as part of the attack chain.

In July 2024, the threat actor was seen redirecting users to a file hosted on Dropbox, which attempts to exploit a WinRAR vulnerability tracked as CVE-2023-38831 to load a downloader that fetches from Dropbox a remote access trojan (RAT) designed to communicate with several Cloudflare Workers.

SloppyLemming was also observed delivering spear-phishing emails as part of an attack chain that relies on code hosted in an attacker-controlled GitHub repository to check when the victim has accessed the phishing link. Malware delivered as part of these attacks communicates with a Cloudflare Worker that relays requests to the attackers’ command-and-control (C&C) server.

Cloudflare has identified tens of C&C domains used by the threat actor and analysis of their recent traffic has revealed SloppyLemming’s possible intentions to expand operations to Australia or other countries.

Related: Indian APT Targeting Mediterranean Ports and Maritime Facilities

Related: Pakistani Threat Actors Caught Targeting Indian Gov Entities

Related: Cyberattack on Top Indian Hospital Highlights Security Risk

Related: India Bans 47 More Chinese Mobile Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.