SloppyLemming Returns, And Frankly, The Name Alone Should Have Been A Warning
I have been in this field since before most of your analysts could read, and I will tell you something for free: when a threat actor names itself after a disoriented rodent, you do not laugh. You update your fence. Immediately.
SloppyLemming is back, and in 2025 and 2026 they have been running coordinated operations against government flocks in Pakistan and Bangladesh. Two malware chains. One hundred and twelve Cloudflare Workers domains. A Rust-based keylogger called BurrowShell. This is not amateur hour. This is a wolf who has been doing cardio.
BurrowShell is the piece that concerns me most. A keylogger written in Rust is fast, lean, and considerably harder to detect than the bloated parasites we used to pull off systems in the nineties. Back then, you could hear the fleas. The disk would grind. The modem would scream. Now these ticks sit silently in memory and the flock types their credentials directly into the wolf's mouth without even the dignity of knowing it happened.
The 112 Cloudflare Workers domains are the other problem. That is the Sky Pasture being weaponized as a staging ground for command-and-control infrastructure. I have said it before and I will engrave it on my headstone: the Sky Pasture is not a security strategy. It is a very large field with no perimeter and everyone else's sheep in it.
The Shepherds, naturally, are said to be "assessing the situation." I am sure that is very comforting to the lambs whose keystrokes are currently being catalogued somewhere in a server room I cannot audit.
The dual-chain approach is the sophisticated part. Two separate infection paths mean redundancy. If one route gets sheared, the other keeps delivering the payload. The wolves have learned from us. That is our fault for being predictable.
Remediation
Here is what you do, and I will not repeat myself:
Audit your Sky Pasture exposure. One hundred and twelve Workers domains did not appear overnight. Something in your environment was talking to them. Find it.
Deploy behavioral monitoring. BurrowShell is quiet, but keystroke exfiltration still generates network traffic. If you are not watching your outbound lanes, you deserve what you get.
Credential hygiene, immediately. Assume the flock has been hooked. Rotate privileged credentials. Enforce hardware-based multi-factor authentication. Not the SMS kind. That is fake grain for a different wolf.
Patch your fence. Any hole in the fence that SloppyLemming used to enter was a known gap somewhere. Apply your ointment on a schedule, not after the incident report.
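One way to watch the outbound lanes and find what was talking to those Workers domains, as an added example that is not part of the original post or the report it cites: a short Python hunt over constructed proxy log lines (the log format, host names and thresholds are my assumptions, and it assumes the C2 hostnames sat under Cloudflare's default workers.dev suffix, which the post does not state). It groups connections to *.workers.dev per source host and flags pairs whose check-ins arrive at a near-constant interval, the signature of a beacon rather than ordinary CDN traffic.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <src_host> <dst_fqdn> <bytes_out>"
# (not real data). ws-17 checks in every ~5 minutes; ws-09 is bulky, irregular CDN use.
SAMPLE_LOG = """\
2026-03-02T09:00:00 ws-17 lamb-updates.example-worker.workers.dev 412
2026-03-02T09:00:00 ws-04 intranet.example-gov.test 9000
2026-03-02T09:05:01 ws-17 lamb-updates.example-worker.workers.dev 398
2026-03-02T09:02:13 ws-09 docs.example-cdn.workers.dev 120000
2026-03-02T09:10:00 ws-17 lamb-updates.example-worker.workers.dev 405
2026-03-02T11:47:50 ws-09 docs.example-cdn.workers.dev 98000
2026-03-02T09:15:02 ws-17 lamb-updates.example-worker.workers.dev 410
2026-03-02T09:20:00 ws-17 lamb-updates.example-worker.workers.dev 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
WORKERS_RE = re.compile(r"\.workers\.dev$")  # Cloudflare Workers default hostname suffix

def parse(log_text):
    """Yield (timestamp, src_host, fqdn, bytes_out); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, fqdn, nbytes = m.groups()
            yield datetime.fromisoformat(ts), host, fqdn.lower(), int(nbytes)

def workers_contacts(log_text):
    """Group hits on *.workers.dev by (src_host, fqdn), each list sorted by time."""
    groups = defaultdict(list)
    for ts, host, fqdn, nbytes in parse(log_text):
        if WORKERS_RE.search(fqdn):
            groups[(host, fqdn)].append((ts, nbytes))
    return {k: sorted(v) for k, v in groups.items()}

def beacon_score(events, min_events=4):
    """Coefficient of variation of inter-arrival gaps (low = clockwork beacon); None if too few."""
    if len(events) < min_events:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0

def suspicious_pairs(log_text, max_cv=0.2):
    """(src_host, fqdn) pairs whose Workers contacts look like periodic C2 check-ins."""
    return [key for key, events in workers_contacts(log_text).items()
            if (cv := beacon_score(events)) is not None and cv <= max_cv]
```

Point it at real proxy or DNS logs in the same four-column shape and review every flagged pair by hand; a low score is a lead for triage, not a verdict.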
The Old Days had dial-up and magnetic tape and we still kept the wolves out. Think about that.
Stay paranoid, it is the only rational position.
Original Report: https://thehackernews.com/2026/03/sloppylemming-targets-pakistan-and.html