A threat actor likely operating out of India is relying on various cloud services to conduct cyberattacks against energy, defense, government, telecommunication, and technology entities in Pakistan, Cloudflare reports.
Tracked as SloppyLemming, the group’s operations align with Outrider Tiger, a threat actor that CrowdStrike previously linked to India, and which is known for the use of adversary emulation frameworks such as Sliver and Cobalt Strike in its attacks.
Since 2022, the hacking group has been observed relying on Cloudflare Workers in espionage campaigns targeting Pakistan and other South and East Asian countries, including Bangladesh, China, Nepal, and Sri Lanka. Cloudflare has identified and mitigated 13 Workers associated with the threat actor.
“Outside of Pakistan, SloppyLemming’s credential harvesting has focused primarily on Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities,” Cloudflare reports.
The threat actor, Cloudflare says, appears particularly interested in compromising Pakistani police departments and other law enforcement organizations, and is likely targeting entities associated with Pakistan’s sole nuclear power facility.
“SloppyLemming extensively uses credential harvesting as a means to gain access to targeted email accounts within organizations that provide intelligence value to the actor,” Cloudflare notes.
Using phishing emails, the threat actor delivers malicious links to its intended victims, relies on a custom tool named CloudPhish to create a malicious Cloudflare Worker for credential harvesting and exfiltration, and uses scripts to collect emails of interest from the victims’ accounts.
In some attacks, SloppyLemming would also attempt to collect Google OAuth tokens, which are delivered to the actor over Discord. Malicious PDF files and Cloudflare Workers were seen being used as part of the attack chain.
In July 2024, the threat actor was seen redirecting users to a file hosted on Dropbox, which attempts to exploit a WinRAR vulnerability tracked as CVE-2023-38831 to load a downloader that fetches from Dropbox a remote access trojan (RAT) designed to communicate with several Cloudflare Workers.
SloppyLemming was also observed delivering spear-phishing emails as part of an attack chain that relies on code hosted in an attacker-controlled GitHub repository to check when the victim has accessed the phishing link. Malware delivered as part of these attacks communicates with a Cloudflare Worker that relays requests to the attackers’ command-and-control (C&C) server.
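The chains described above share a small set of infrastructure stages: a credential-harvesting Cloudflare Worker that receives a form POST, an archive fetched from Dropbox, a Discord webhook used to receive stolen tokens, and a Worker that fronts the C&C server. None of these is suspicious on its own (workers.dev and Dropbox carry plenty of legitimate traffic), so a defender's triage needs to correlate stages per client. The following is an added example, not code from Cloudflare's report; the log format, the proxy log lines and the hostnames in them are constructed for the illustration and are not indicators from the report.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic and not IoCs from the report).
# Format: <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOGS = """\
2024-07-02T09:14:03Z 10.1.1.20 GET https://login-portal.example-tenant.workers.dev/auth 200
2024-07-02T09:14:09Z 10.1.1.20 POST https://login-portal.example-tenant.workers.dev/submit 302
2024-07-02T09:15:40Z 10.1.1.20 GET https://www.dropbox.com/scl/fi/abc123/invoice.rar?dl=1 200
2024-07-02T09:16:02Z 10.1.1.20 POST https://discord.com/api/webhooks/111/placeholder 204
2024-07-02T09:20:11Z 10.1.1.21 GET https://docs.example.com/index.html 200
2024-07-02T09:21:00Z 10.1.1.21 GET https://www.dropbox.com/scl/fi/def456/report.pdf?dl=1 200
"""

# Archive types worth flagging when fetched from a file-sharing host (assumption:
# the report names WinRAR, so .rar is the main one; .zip/.7z are added for coverage).
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")
DROPBOX_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}


def parse_line(line):
    """Split one constructed proxy log line into (timestamp, client, method, url, status)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return ts, client, method.upper(), url, int(status)


def classify(method, url):
    """Map a single request to a stage of the reported chain, or None if it matches none."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    if host.endswith(".workers.dev"):
        # A GET is just contact with a Worker; a POST to one looks like a harvesting form submit.
        return "worker_credential_post" if method == "POST" else "worker_contact"
    if host in DROPBOX_HOSTS and path.endswith(ARCHIVE_EXTENSIONS):
        return "dropbox_archive_download"
    if host == "discord.com" and path.startswith("/api/webhooks/") and method == "POST":
        return "discord_webhook_post"
    return None


def correlate(log_text):
    """Return, per client, the ordered list of distinct chain stages observed."""
    stages = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, client, method, url, _ = parsed
        stage = classify(method, url)
        if stage and stage not in stages[client]:
            stages[client].append(stage)
    return dict(stages)


def flag_clients(log_text, min_stages=3):
    """Clients showing at least min_stages distinct stages; a lone workers.dev hit is not enough."""
    return sorted(c for c, s in correlate(log_text).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for client, seen in correlate(SAMPLE_LOGS).items():
        print(client, "->", ", ".join(seen))
    print("flagged:", flag_clients(SAMPLE_LOGS))
```

The threshold in `flag_clients` is deliberately conservative: a workers.dev hit or a Dropbox download alone is routine, and the signal in the report is the sequence (harvesting form, archive fetch, token drop to a webhook) from one host. Replace `SAMPLE_LOGS` with a real proxy export in the same five-field shape, or adapt `parse_line` to the export format you have.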
Cloudflare has identified tens of C&C domains used by the threat actor, and analysis of their recent traffic suggests that SloppyLemming may intend to expand its operations to Australia or other countries.