
SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh

Between January 2025 and January 2026, the India-nexus threat actor SloppyLemming conducted a cyber espionage campaign against government and critical infrastructure organizations in Pakistan and Bangladesh. The campaign used PDF and Excel lures to deploy two custom implants, an in-memory shellcode backdoor named BurrowShell and a Rust-based keylogger, by sideloading malicious DLLs into renamed legitimate Microsoft binaries (DLL search order hijacking), with extensive abuse of Cloudflare Workers infrastructure for payload delivery and C2.

Sens: Immediate | Conf: high | Analyzed: 2026-03-19 | reports

Authors: Arctic Wolf Labs

Actors: SloppyLemming (aka Outrider Tiger, Fishing Elephant) | Tooling: Havoc C2

Source: Arctic Wolf


Key Takeaways

  • SloppyLemming targeted Pakistan and Bangladesh critical infrastructure using dual attack chains between January 2025 and January 2026.
  • The primary vector uses PDF lures and ClickOnce manifests to deploy the BurrowShell in-memory implant via DLL sideloading.
  • The secondary vector uses macro-enabled Excel files to deliver a custom Rust-based keylogger with extended reconnaissance capabilities.
  • The threat actor extensively abused Cloudflare Workers (creating 112 workers.dev subdomains) for C2 and payload delivery, impersonating government entities.
  • Operational security failures by the threat actor exposed open directories, revealing staged malware including Havoc C2 framework components.

Affected Systems

  • Windows 10
  • Windows 11
  • Microsoft .NET Framework
  • Microsoft Office

Attack Chain

The attack begins with spear-phishing emails carrying either a PDF or an Excel lure. The PDF lure links to a ClickOnce application manifest (ftp.pnra.org.application) hosted on a Cloudflare Workers subdomain; the manifest pulls a legitimate Microsoft .NET binary (NGenTask.exe, dropped as OneDrive.exe) into the ClickOnce cache under AppData\Local\Apps\2.0\ alongside a malicious loader (mscorsvc.dll) and an encrypted payload. The Excel lure uses a VBA macro to download a legitimate binary (phoneactivate.exe, written to C:\ProgramData\audiodg.exe) and a malicious DLL (sppc.dll, fetched under the name favicon.ico), then launches the binary. In both chains the renamed legitimate binary loads the attacker's DLL from its own directory (DLL sideloading, a form of search order hijacking); the DLL RC4-decrypts and loads either the BurrowShell in-memory implant or the Rust-based keylogger, which handle C2 communication and data exfiltration. The mscorsvc.dll loader additionally creates an HKCU Run value named OneDrive for persistence.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Arctic Wolf

The article provides YARA rules for detecting the SloppyLemming Rust Keylogger RAT and the BurrowShell loader.

Detection Engineering Assessment

  • EDR Visibility: High. DLL sideloading, Run key creation, and anomalous process execution (renamed NGenTask.exe or phoneactivate.exe running from non-standard directories) are highly visible to modern EDRs.
  • Network Visibility: Medium. C2 traffic is encrypted and terminates on legitimate Cloudflare Workers infrastructure, so it is hard to separate from benign traffic without TLS inspection; the hard-coded User-Agent strings provide some visibility where a proxy logs them.
  • Detection Difficulty: Moderate. The initial access and sideloading techniques are well known, but the Cloudflare Workers hosting and the custom in-memory implants complicate network and static detections.

Required Log Sources

  • Process Creation (Security Event ID 4688 with command-line auditing enabled / Sysmon Event ID 1, which also records the PE OriginalFileName)
  • File Creation (Sysmon 11)
  • Registry Event (Sysmon 12/13)
  • Network Connection (Sysmon 3)

Hunting Hypotheses

  • Hypothesis: Look for the legitimate Microsoft binaries NGenTask.exe and phoneactivate.exe executing from non-standard directories such as C:\ProgramData\ or AppData\Local\Apps\2.0\. Both are dropped under other names (OneDrive.exe, audiodg.exe), so match on the PE OriginalFileName (Sysmon Event ID 1) or file hash, not on the image name. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Search for network connections to *.workers.dev domains originating from unusual processes (Office applications, binaries under C:\ProgramData\) or carrying the implant User-Agent strings, e.g. 'Windows-Update-Agent/10.0.10011.Client-Protocol/2.50'. | Telemetry: Network Connection / Proxy | ATT&CK Stage: Command and Control | FP Risk: Medium
  • Hypothesis: Identify HKCU\Software\Microsoft\Windows\CurrentVersion\Run values named 'OneDrive' whose target is not the standard OneDrive installation path (%LOCALAPPDATA%\Microsoft\OneDrive\ for per-user installs, Program Files\Microsoft OneDrive\ for per-machine installs). | Telemetry: Registry Event | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Monitor for the creation of files named mscorsvc.dll, sppc.dll, or system32.dll in user-writable directories. | Telemetry: File Creation | ATT&CK Stage: Defense Evasion | FP Risk: Low
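The four hypotheses above, implemented as an added example (not Arctic Wolf's detection content) over a batch of normalized events. Endpoint fields follow Sysmon naming (EventID, Image, OriginalFileName, TargetObject, Details, TargetFilename); the proxy record shape (host, user_agent, process), the assumed trusted install roots, the per-user OneDrive path, and every event in SAMPLE_EVENTS are constructed for illustration. The sideload check deliberately keys on OriginalFileName because the binaries are dropped as OneDrive.exe and audiodg.exe, and the workers.dev pattern is written so that both desco-gov-bd.workers.dev and gov-pk.workers.dev match.

```python
"""Hunting logic for the SloppyLemming chains over normalized endpoint and proxy events.

Added example, not Arctic Wolf's detection content. All sample events are constructed.
"""
import re

# Legitimate Microsoft binaries used as sideload hosts. They are dropped under other names
# (OneDrive.exe, audiodg.exe), so match the PE OriginalFileName rather than the image name.
SIDELOAD_HOSTS = {"ngentask.exe", "phoneactivate.exe"}
# Install roots where those binaries legitimately run from (assumed default Windows layout).
TRUSTED_ROOTS = ("c:\\windows\\microsoft.net\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names hijacked by the two chains and the Havoc staging found in the open directories.
HIJACKED_DLLS = {"mscorsvc.dll", "sppc.dll", "system32.dll"}
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\", "c:\\users\\public\\")
# Path the genuine per-user OneDrive Run value points at (assumption: per-user install).
ONEDRIVE_STANDARD = "\\appdata\\local\\microsoft\\onedrive\\onedrive.exe"
RUN_ONEDRIVE = "\\software\\microsoft\\windows\\currentversion\\run\\onedrive"
# User-Agent strings reported for the implants and the macro.
KNOWN_USER_AGENTS = {
    "Windows-Update-Agent/10.0.10011.Client-Protocol/2.50": "BurrowShell",
    "Mozilla/5.0 (compatible; SecureNet/1.2)": "Rust keylogger",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/96.0.4664.110 Safari/537.36": "Havoc shellcode",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)": "Excel VBA macro",
}
# Label containing gov-pk / gov-bd at a label or hyphen boundary (covers "-gov-pk" and ".gov-pk").
GOV_LABEL = re.compile(r"(^|[.-])gov-(pk|bd)(?=[.-])", re.IGNORECASE)


def hunt(event):
    """Return a list of (hypothesis, fp_risk, detail) findings for one event."""
    findings = []
    src, eid = event.get("source"), event.get("EventID")
    if src == "sysmon" and eid == 1:
        image = event.get("Image", "")
        original = event.get("OriginalFileName", "").lower()
        if original in SIDELOAD_HOSTS and not image.lower().startswith(TRUSTED_ROOTS):
            findings.append(("sideload-host-outside-trusted-root", "Low", f"{original} as {image}"))
    elif src == "sysmon" and eid in (12, 13):
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "")
        if target.endswith(RUN_ONEDRIVE) and ONEDRIVE_STANDARD not in details.lower():
            findings.append(("run-key-onedrive-nonstandard-path", "Low", details))
    elif src == "sysmon" and eid == 11:
        target = event.get("TargetFilename", "")
        lowered = target.lower()
        if lowered.rsplit("\\", 1)[-1] in HIJACKED_DLLS and any(d in lowered for d in USER_WRITABLE):
            findings.append(("hijacked-dll-in-user-writable-dir", "Low", target))
    elif src == "proxy":
        host = event.get("host", "").lower()
        ua = event.get("user_agent", "")
        if host.endswith(".workers.dev"):
            if GOV_LABEL.search(host):
                findings.append(("workers-dev-gov-impersonation", "Low", host))
            else:  # generic workers.dev use: worth a look, but developers use it legitimately
                findings.append(("workers-dev-connection", "Medium", f"{host} from {event.get('process')}"))
        if ua in KNOWN_USER_AGENTS:
            findings.append(("implant-user-agent", "Low", f"{KNOWN_USER_AGENTS[ua]}: {ua}"))
    return findings


def hunt_all(events):
    """Flatten findings across a batch of events."""
    return [f for e in events for f in hunt(e)]


# Constructed events (not captured telemetry): malicious and benign pairs for each hypothesis.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1, "Image": r"C:\ProgramData\audiodg.exe",
     "OriginalFileName": "phoneactivate.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\K1V2X3Y4.ZZZ\OneDrive.exe",
     "OriginalFileName": "NGenTask.exe"},
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe",
     "OriginalFileName": "NGenTask.exe"},  # benign
    {"source": "sysmon", "EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Apps\2.0\K1V2X3Y4.ZZZ\OneDrive.exe"},
    {"source": "sysmon", "EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # benign
    {"source": "sysmon", "EventID": 11, "TargetFilename": r"C:\ProgramData\sppc.dll"},
    {"source": "sysmon", "EventID": 11, "TargetFilename": r"C:\Windows\System32\sppc.dll"},  # benign
    {"source": "proxy", "host": "ftp.desco-gov-bd.workers.dev",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", "process": "EXCEL.EXE"},
    {"source": "proxy", "host": "fancy-voice-b182.goldibrowhoami.workers.dev",
     "user_agent": "Mozilla/5.0 (compatible; SecureNet/1.2)", "process": "audiodg.exe"},
    {"source": "proxy", "host": "docs.example-dev.workers.dev",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "process": "chrome.exe"},
]

if __name__ == "__main__":
    for hypothesis, fp_risk, detail in hunt_all(SAMPLE_EVENTS):
        print(f"[{fp_risk}] {hypothesis}: {detail}")
```

The benign events exercise the false-positive controls called out in the table: the genuine NGenTask.exe under C:\Windows\Microsoft.NET\, the real OneDrive Run value, and the legitimate sppc.dll in System32 all produce no finding, while a plain workers.dev connection from a browser is surfaced at Medium rather than suppressed.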

Control Gaps

  • Lack of SSL/TLS inspection for Cloudflare Workers traffic
  • Permissive execution policies allowing binaries to run from C:\ProgramData\

Key Behavioral Indicators

  • Execution of NGenTask.exe or phoneactivate.exe (dropped as OneDrive.exe and audiodg.exe) from C:\ProgramData\ or the ClickOnce cache under AppData\Local\Apps\2.0\
  • Specific User-Agent strings mimicking Windows Update or SecureNet
  • Calls to SystemFunction033 (the undocumented advapi32 RC4 routine) from modules or processes that have no business decrypting data

False Positive Assessment

  • Medium. While the specific IOCs and User-Agents are high-fidelity, hunting for Cloudflare Workers traffic (*.workers.dev) or DLL sideloading generically may yield false positives due to legitimate administrative or developer activities.

Recommendations

Immediate Mitigation

  • Block or quarantine PDF files containing embedded URLs pointing to Cloudflare Workers subdomains.
  • Block known malicious domains at the network perimeter.
  • Monitor for and alert on connections to *.workers.dev domains whose labels contain gov-pk or gov-bd (both the *-gov-pk.workers.dev form and the *.gov-pk.workers.dev form appear in this campaign).

Infrastructure Hardening

  • Implement or maintain macro execution control for Office documents from external and unknown sources.
  • Configure endpoints to block ClickOnce application downloads from untrusted sources (for example, via the .NET TrustManager PromptingLevel policy, setting the Internet zone to Disabled).
  • Implement SSL/TLS inspection to analyze encrypted traffic to suspicious destinations.

User Protection

  • Deploy email security solutions capable of analyzing embedded URLs within document content.
  • Monitor for DLL sideloading activity involving legitimate Microsoft binaries executing from non-standard locations.

Security Awareness

  • Implement regular user awareness training to make users aware of typical phishing red flags, especially regarding PDF lures and unexpected download prompts.

MITRE ATT&CK Mapping

  • T1583.001 - Acquire Infrastructure: Domains
  • T1587.001 - Develop Capabilities: Malware
  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1204.002 - User Execution: Malicious File
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
  • T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1140 - Deobfuscate/Decode Files or Information
  • T1027.002 - Obfuscated Files or Information: Software Packing
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1218 - System Binary Proxy Execution
  • T1056.001 - Input Capture: Keylogging
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1057 - Process Discovery
  • T1113 - Screen Capture
  • T1560 - Archive Collected Data
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1573.001 - Encrypted Channel: Symmetric Cryptography
  • T1090.001 - Proxy: Internal Proxy
  • T1102.002 - Web Service: Bidirectional Communication
  • T1571 - Non-Standard Port
  • T1041 - Exfiltration Over C2 Channel

Additional IOCs

  • Domains:
    • webmail-pnra[.]gov-pk[.]workers[.]dev - Malicious domain impersonating Pakistan Nuclear Regulatory Authority; hosted open directory.
    • info[.]sco-gov-pk[.]workers[.]dev - Malicious domain impersonating Special Communications Organization; hosted open directory.
    • ftp[.]desco-gov-bd[.]workers[.]dev - Malicious domain impersonating Dhaka Electric Supply Company; used for payload delivery.
    • support[.]paknavy-gov-pk-fd9[.]workers[.]dev - Malicious domain impersonating Pakistan Navy.
    • xen[.]pgcb-gov-bd[.]workers[.]dev - Malicious domain impersonating Power Grid Company of Bangladesh.
    • vrms[.]bangladeshbaank-gov-bd[.]workers[.]dev - Malicious domain impersonating Bangladesh Bank.
    • cms[.]ndu-edu-gov[.]workers[.]dev - Malicious domain impersonating National Defense University.
    • ntsoc[.]pta-gov-pk[.]workers[.]dev - Malicious domain impersonating Pakistan Telecommunication Authority.
    • uploads[.]ptcl-gov-pk[.]workers[.]dev - Malicious domain impersonating PTCL.
    • file-super-net-pk[.]workers[.]dev - Malicious domain hosting open directory.
    • info[.]bangladesh-islamic-baank[.]workers[.]dev - Havoc C2 domain impersonating a Bangladeshi financial institution.
    • fancy-voice-b182[.]goldibrowhoami[.]workers[.]dev - Payload delivery domain for audiodg.pdf.
  • Urls:
    • hxxps://webmail-pnra[.]gov-pk[.]workers[.]dev/ftp[.]pnra[.]org[.]application - Malicious URL embedded in PDF lure serving ClickOnce application manifest.
    • hxxps://ftp[.]desco-gov-bd[.]workers[.]dev/favicon[.]ico - URL used by Excel macro to download sppc.dll.
    • hxxps://fancy-voice-b182[.]goldibrowhoami[.]workers[.]dev/audiodg[.]pdf - URL used by Excel macro to download audiodg.exe.
  • File Hashes:
    • 8faeea306a331d86ce1acb92c8028b4322efbd11a971379ba81a6b769ff5ac4b (SHA256) - Initial access PDF lure.
    • 1946315d645d9a8c5114759b350ec4f85dba5f9ee4a63d74437d7a068bff7752 (SHA256) - Initial access XLS lure with malicious macro.
    • 9fd133b11abcbbed33ccea71bd4743e8f35e42cd637fb763f5ab2a8fbb9b6261 (SHA256) - OneDrive.exe (Legitimate NGenTask.exe used for sideloading).
    • 8cc46f6ef1b659fa463b7eb343b4ca033de89c313af2e68e2cc7ce08eaff88de (SHA256) - audiodg.exe (Legitimate phoneactivate.exe used for sideloading).
    • c57baa17321257ea1915ba0336a89f63975e6ed612a89c9888be7067222bef38 (SHA256) - cryptbase.dll - Keylogger variant.
    • 67c341e187ddfcd5a4a7df8743ae82e72db1e5c3747d5c4e185d99f54182f093 (SHA256) - cryptbase.dll - Keylogger variant.
    • 6ea8fd10725676c886692d3acda9782e044c9f3988276360c87559dcaf1a3123 (SHA256) - cryptbase.dll - Havoc loader.
    • 87822f0b579c6c123c72971ee524a2d977ba4f02027f32d57a533d8f123183c3 (SHA256) - test.dll - Havoc loader.
    • 7e16fc7603e450b28f06e55748ef65204f8685b0f75e963da997192fdec5f96e (SHA256) - vault.dll / system32.dll - Havoc shellcode x64.
    • bb83cd7ebe75cf62f06859ab2166a35a16cac924f874109b78dd5c4b653d6d44 (SHA256) - system32.pdf - Encrypted shellcode.
    • 3269829b50da5b3c4120a103ef72b09a8bbbf258ab3086ca24b2aa24dc00039b (SHA256) - sppc.pdf - Custom implant loader.
    • c4cea4147719c3abe7eb6c7c7e3420480361773b602d4270af0a607d29f8771f (SHA256) - ftp.pnra.org.application - ClickOnce Manifest.
    • c603e7a1018f7b3a168404bcf2f709950c4e29e0596c78823647baaadaf317c7 (SHA256) - ftp.pnra.org.exe.manifest - ClickOnce Manifest.
    • 1f79f88e97e60bc431ab641ccbbfb09e9d2633d258d3d4bc8b0cb5b9adbc9a4a (SHA256) - PDF-Reader.application - ClickOnce Manifest.
    • 7a34070f98bd129764f053d8003b402975f73e85da87eebdfcc718ac7c8bb0bb (SHA256) - PDF-Reader.exe.manifest - ClickOnce Manifest.
    • d071ea65ea30df38623afe959ccc142f14dc4659dce21c2d7195e31245ee2df1 (SHA256) - MicrosoftPDF-Reader.application - ClickOnce Manifest.
    • 9dca24630c06463a01ca6d38b73987589bbe68650b0ff893770eab9ff6ec581a (SHA256) - MicrosoftPDF-Reader.exe.manifest - ClickOnce Manifest.
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive - Persistence mechanism created by the mscorsvc.dll loader to execute OneDrive.exe (NGenTask.exe) on startup.
  • File Paths:
    • C:\ProgramData\audiodg.exe - Legitimate phoneactivate.exe dropped by Excel macro for DLL sideloading.
    • C:\ProgramData\sppc.dll - Malicious Rust keylogger DLL dropped by Excel macro.
    • C:\Users\<Username>\AppData\Local\Apps\2.0\ - ClickOnce application cache directory where stage 2 payloads are downloaded.
  • Command Lines:
    • Purpose: Execute the downloaded legitimate binary to trigger DLL sideloading | Tools: cmd.exe, VBA Macro | Stage: Execution | C:\ProgramData\audiodg.exe
  • Other:
    • Windows-Update-Agent/10.0.10011.Client-Protocol/2.50 - User-Agent string used by BurrowShell implant to mimic Windows Update traffic.
    • Mozilla/5.0 (compatible; SecureNet/1.2) - User-Agent string used by the Rust-based keylogger.
    • Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 - User-Agent string used by the Havoc shellcode.
    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) - User-Agent string used by the malicious Excel VBA macro.
    • boikztaigkuneapfvpesuabfmpxgwnad - RC4 decryption key for the BurrowShell shellcode loader.
    • oudabiaxuixskxmdwrnomhwomdgduszp - RC4 decryption key for the Havoc loader.
    • gzmzsduyrttrnwlpjfgylwwinlopsznc - RC4 decryption key for the custom implant loader.
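The three RC4 keys above, together with the SystemFunction033 indicator under Key Behavioral Indicators, are enough to triage encrypted stages pulled from the open directories. The following is an added example, not code from the Arctic Wolf report: SystemFunction033 applies plain RC4 in place, so a pure-Python RC4 reproduces what the loaders do. No real payload (system32.pdf, sppc.pdf) is included; SAMPLE_BLOB is constructed here by encrypting a PE-like stub with one of the keys, and the 7.0 bits/byte entropy threshold and 512-byte minimum are the author's choices, not values from the report.

```python
"""Triage of RC4-encrypted stages with the keys recovered from the SloppyLemming loaders.

Added example; not code from the Arctic Wolf report. SAMPLE_BLOB is constructed, not a real stage.
"""
import math

# RC4 keys reported for the three loaders (ASCII, used as raw key bytes).
KEYS = {
    "BurrowShell shellcode loader": b"boikztaigkuneapfvpesuabfmpxgwnad",
    "Havoc loader": b"oudabiaxuixskxmdwrnomhwomdgduszp",
    "custom implant loader": b"gzmzsduyrttrnwlpjfgylwwinlopsznc",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt (symmetric); the same transform SystemFunction033 performs in place."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; RC4 output under a wrong key stays close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


MIN_BYTES_FOR_ENTROPY = 512   # below this the entropy estimate is too noisy to trust (author's choice)


def try_keys(blob: bytes, keys=KEYS):
    """Decrypt blob under each key and keep the candidates whose output looks like a real stage.

    Returns (label, starts_with_MZ, entropy) per plausible key. For blobs of at least
    MIN_BYTES_FOR_ENTROPY, a correct key drops entropy well below 7 bits/byte, which also
    catches position-independent shellcode that has no MZ header; for smaller blobs only an
    MZ header is accepted as evidence.
    """
    hits = []
    for label, key in keys.items():
        plain = rc4(key, blob)
        is_pe = plain[:2] == b"MZ"
        ent = entropy(plain)
        plausible = ent < 7.0 if len(plain) >= MIN_BYTES_FOR_ENTROPY else is_pe
        if plausible:
            hits.append((label, is_pe, round(ent, 2)))
    return hits


# Constructed stand-in for a staged payload: PE-like header, DOS stub text, zero padding.
SAMPLE_PLAIN = b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode.\r\n" + bytes(4000)
SAMPLE_BLOB = rc4(KEYS["Havoc loader"], SAMPLE_PLAIN)

if __name__ == "__main__":
    for label, is_pe, ent in try_keys(SAMPLE_BLOB):
        print(f"{label}: PE header={is_pe}, entropy={ent} bits/byte")
```

Run against a blob from one of the open directories by replacing SAMPLE_BLOB with the file contents; a key that yields an MZ header or a sharp entropy drop is the one its loader uses, and the decrypted output can then go straight to static analysis. Actors rotate keys between builds, so a miss on all three keys means a new variant rather than a non-RC4 scheme.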