Specialists in the field of web infrastructure from Cloudflare revealed the activity of an advanced group of hackers associated with India, known as Sloppylemming (also known as Outrider Tiger and Fishing ElePhant). This group utilizes cloud providers’ services to gather accounts, distribute malicious software, and control attacks.
Since the end of 2022, Sloppylemming has been using Cloudflare Workers for cyber operations targeting South and East Asia. The group has been active since at least July 2021, previously utilizing the malicious ARes Rat and Warhawk. The latter is linked to the notorious hacker group Sidewinder, while ARS RAT is associated with the threat of Sidecopy, potentially of Pakistani origin.
Sloppylemming targets state institutions, law enforcement entities, energy and tech companies, as well as educational and telecommunication organizations in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia. Their primary method involves phishing emails that prompt victims to click on a malicious link under the guise of carrying out a required action within 24 hours.
Clicking on the link redirects victims to a page designed to steal account information, granting the attackers unauthorized access to corporate emails. Sloppylemming employs Cloudphish to generate malware using Cloudflare Workers and intercept account data.
In some instances, the hackers exploit a vulnerability in Winrar (CVE-2023-38831) for remote code execution, circulating infected Rar archives disguised as files from the Camscanner app. These archives contain an executable file that downloads a Trojan from Dropbox.
In a previous Sidecopy campaign, hackers distributed ARS RAT via ZIP archives named “Docscanner_aug_2023.zip” and “Docscanner-oct.zip,” targeting Indian state and defense departments. Another method involves redirecting victims to a fake website mimicking the official resource of the Punjab Information Technology Council in Pakistan, ultimately leading to the download of a malicious shortcut initiating the execution of “Pitb-JR5124.exe,” which loads a malicious DLL connecting to Cloudflare Workers to transmit data to the attackers.
According to Cloudflare, Sloppylemming hackers actively target Pakistan’s police and other law enforcement agencies, as well as organizations associated with the country’s sole nuclear power plant. The group also aims at military and government institutions in Sri Lanka and Bangladesh, along with the energy and education sectors in China.