SloppyLemming Exposed: Cloudflare Uncovers Advanced Indian Hacker Group
Researchers at Cloudflare, the web infrastructure and security company, have identified the activities of an advanced India-linked hacker group known as SloppyLemming. The group abuses cloud provider services to harvest account credentials, deliver malware, and orchestrate attacks.
Since late 2022, SloppyLemming has regularly employed Cloudflare Workers for cyberespionage operations targeting South and East Asia. The group has been active since at least July 2021, previously leveraging Ares RAT and WarHawk malware. The latter is associated with the well-known SideWinder hacking group, while Ares RAT is linked to the SideCopy threat, which is believed to have Pakistani origins.
SloppyLemming’s targets include government institutions, law enforcement agencies, energy and technology companies, and educational and telecommunications organizations in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia. The primary attack vector is phishing email that urges the victim to click a malicious link under the pretense that some required action must be completed within 24 hours.
Clicking the link leads to a credential-stealing page, which gives the attackers unauthorized access to corporate email accounts. To run these campaigns, SloppyLemming uses a tool called CloudPhish, which creates malicious Cloudflare Workers that intercept the submitted account data.
There have also been cases in which the group exploited a WinRAR vulnerability (CVE-2023-38831) to achieve remote code execution, sending infected RAR archives disguised as files from the CamScanner application. Inside the archive is an executable that downloads a Trojan from Dropbox.
In a similar campaign by SideCopy, hackers distributed Ares RAT using ZIP archives named “DocScanner_AUG_2023.zip” and “DocScanner-Oct.zip,” targeting Indian government and defense agencies.
A third infection method employed by SloppyLemming redirects victims to a fake website mimicking the official site of the Punjab Information Technology Board in Pakistan. From there, users are sent to another site where they download a malicious shortcut that leads to the executable file “PITB-JR5124.exe.” This file triggers the download of a malicious DLL that connects to Cloudflare Workers to exfiltrate data to the attackers.
According to Cloudflare, SloppyLemming has been actively attacking the police and other law enforcement agencies in Pakistan, as well as organizations connected to the operation of the country’s sole nuclear power plant. Additionally, the group has targeted military and government institutions in Sri Lanka and Bangladesh, along with energy and educational sector companies in China.