25 September 2024

Indian-based SloppyLemming targets critical sectors in Pakistan


A threat actor, allegedly operating out of India, has been conducting cyberattacks on energy, defense, government, telecommunications, and technology sectors in Pakistan using various cloud services, according to a recent report by Cloudflare. The group, tracked as SloppyLemming, has been linked to Outrider Tiger, a threat actor with suspected ties to India.

SloppyLemming has been active since 2022, primarily focusing on espionage campaigns against Pakistan and several other South and East Asian nations, including Bangladesh, China, Nepal, and Sri Lanka. The threat actor’s methods involve leveraging the serverless computing platform Cloudflare Workers to carry out attacks. Cloudflare has mitigated 13 Workers associated with this group to date, the report said.

SloppyLemming is primarily interested in targeting Pakistani law enforcement agencies, with a particular focus on entities connected to Pakistan's only nuclear power facility. The group has been observed extensively using credential harvesting to gain unauthorized access to email accounts in organizations that hold intelligence value.

The group’s campaigns often begin with phishing emails containing malicious links that direct victims to websites hosting malware, including a custom tool called CloudPhish. SloppyLemming uses the tool to create malicious Cloudflare Workers for harvesting credentials and exfiltrating sensitive data. Once access is gained, the threat actor deploys scripts to extract emails of interest from compromised accounts.

In some campaigns, the group also attempted to steal Google OAuth tokens, exfiltrating the stolen tokens through the communication platform Discord. Additionally, SloppyLemming has incorporated malicious PDF files and Cloudflare Workers into its attack chain to further compromise victims.

One of the group’s more recent campaigns, observed in July 2024, involved redirecting users to a file hosted on Dropbox. The file exploited a WinRAR vulnerability, tracked as CVE-2023-38831, to install a downloader that fetched a remote access trojan (RAT) from Dropbox. This RAT was designed to communicate with several Cloudflare Workers, providing the attackers with backdoor access to infected systems. The vulnerability affects WinRAR versions before 6.23 and had also been exploited in the COOKBOX campaign targeting Ukraine.
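The infrastructure pattern described in this report, a Dropbox-hosted payload, a Cloudflare Worker used for command and control, and Discord used as an exfiltration channel, can be triaged from ordinary web-proxy logs. The script below is an added example written for this page, not code from Cloudflare or from the report; the log format, client addresses, timestamps, and every hostname and URL in it are constructed for illustration. Because workers.dev, Dropbox and Discord are all legitimate services, a single hit is scored low and only a client that touches a Worker together with one of the other two stages is raised to high.

```python
"""Triage web-proxy log lines for the SloppyLemming hosting pattern:
Dropbox-hosted download -> Cloudflare Worker beacon -> Discord webhook POST.

Added example, not Cloudflare's or the report's code. The log format and all
hostnames, client IPs and timestamps below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-07-02T09:14:01Z 10.0.5.17 GET https://www.dropbox.com/scl/fi/example-id/report.zip?dl=1 200
2024-07-02T09:15:22Z 10.0.5.17 POST https://update-check.example-worker.workers.dev/beacon 200
2024-07-02T09:15:40Z 10.0.5.17 POST https://discord.com/api/webhooks/000000000000000000/placeholder-token 204
2024-07-02T09:20:05Z 10.0.5.42 GET https://intranet.example.internal/home 200
2024-07-02T09:21:11Z 10.0.5.42 GET https://www.dropbox.com/home 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def classify(entry):
    """Return the indicator tags that apply to a single log entry."""
    u = urlparse(entry["url"])
    host = (u.hostname or "").lower()
    tags = []
    # Worker beacon: any subdomain of the workers.dev platform.
    if host.endswith(".workers.dev"):
        tags.append("workers_dev")
    # Direct-download Dropbox link (dl=1 forces a file download rather than a preview).
    if host.endswith("dropbox.com") and "dl=1" in (u.query or ""):
        tags.append("dropbox_download")
    # Outbound POST to a Discord webhook, the exfiltration channel named in the report.
    if (host in ("discord.com", "discordapp.com")
            and u.path.startswith("/api/webhooks/")
            and entry["method"] == "POST"):
        tags.append("discord_webhook_post")
    return tags


def triage(log_text):
    """Group tagged entries per client and score clients that show the chain."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            per_client[entry["client"]].add(tag)

    findings = {}
    for client, tags in per_client.items():
        if "workers_dev" in tags and ("dropbox_download" in tags or "discord_webhook_post" in tags):
            severity = "high"   # Worker contact plus a delivery or exfil stage
        else:
            severity = "low"    # a single legitimate-service hit on its own
        findings[client] = {"severity": severity, "tags": sorted(tags)}
    return findings


if __name__ == "__main__":
    for client, result in triage(SAMPLE_LOG).items():
        print(client, result["severity"], ", ".join(result["tags"]))
```

Run on the constructed log, only 10.0.5.17 is reported (high), while 10.0.5.42, which merely browsed the Dropbox home page, produces no finding at all. In a real deployment the host lists would be fed from the report's published indicators rather than the platform-wide suffixes used here.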

