Indian APT 'Sloppy Lemming' Targets Defense, Critical Infrastructure - Dark Reading
India-nexus cyber threat actors are growing more active and sophisticated, using custom tools coded in Rust and cloud-based command and control.
Robert Lemos, Contributing Writer
March 3, 2026
5 Min Read
The India-linked advanced persistent threat (APT) "Sloppy Lemming" has significantly increased its operational tempo over the past year, adopting more sophisticated tactics to target nuclear-regulatory organizations, defense firms, and critical infrastructure in Pakistan and Bangladesh, among other South and Southeast Asian targets.
The group has evolved from using off-the-shelf red teaming tools like Cobalt Strike and Havoc C2 to developing its own custom tooling written in the Rust programming language, while expanding its command-and-control (C2) infrastructure — based on Cloudflare's serverless Workers service — to at least 112 domains, up from 13 domains a year ago, according to cybersecurity firm Arctic Wolf.
The group's tactics, techniques, and procedures (TTPs) show how cyber-espionage groups working for specific nations in the region have become more adept at their craft, says Ismael Valenzuela, vice president of threat intelligence research at Arctic Wolf.
"Years ago, we would only see some nation-states groups, some cybercriminal groups, and maybe some hacktivist groups in the region," he says. "What we're seeing now is more groups and more noise and more people trying to get [critical] information and more regionalized cyber-espionage campaigns as well."
The threat report comes as tensions in South Asia have increased significantly in the past few weeks. On March 3, Pakistan's president Asif Ali Zardari claimed that India is preparing for military actions and called for the country to "move away from the war theatre," according to reports. In late February, following terrorist bombings at a mosque and a security post inside Pakistan, the country's military struck at alleged militant bases inside Afghanistan. Similarly, India used air attacks to strike at targets inside Pakistan during Operation Sindoor in May 2025.
India-Backed Cyber Operations Ramp Up
As tensions in the Asia Pacific region climb, cyber operations have become much more normalized. Unlike Chinese or Russian threat groups, which often use zero-day exploits to attack edge devices, the India-linked cyber-espionage groups rely heavily on phishing and credential theft, according to Arctic Wolf's threat report this week.
Sloppy Lemming, which is also connected to groups identified by other threat researchers as Outrider Tiger and Fishing Elephant, uses two attack chains: one uses a PDF lure to redirect victims to an attack, and the other uses macro-enabled Excel documents to deliver a Rust-based keylogger, Arctic Wolf stated.
However, at least a handful of groups related to Sloppy Lemming appear to be acting on behalf of India, according to cybersecurity firms. Messaging security provider Proofpoint tracks five known groups linked to India, including TA397, which the company's researchers also call Bitter, a threat group that has some overlap with Sloppy Lemming. Meanwhile, two others, TA399 and TA395 — aka Sidewinder and Frantic Tiger, respectively — share lure themes and compromised accounts, and sometimes target the same individuals, Proofpoint researchers tell Dark Reading.
"This pattern suggests shared resourcing and/or coordinated tasking across some India-aligned clusters, even if the teams may be distinct," the researchers stated.
These could be different teams within an intelligence organization, different contractors working with the same government client, or just a reuse of resources across operations, they said.
There are some distinct entities, however. Kaspersky tracks a number of India-nexus groups, including Fishing Elephant, which Arctic Wolf also linked to Sloppy Lemming; but two other groups, Dropping Elephant and Mysterious Elephant, do not overlap with Sloppy Lemming, says Noushin Shabab, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).
"They appear to be separate entities with their own unique characteristics, and we have not found any evidence to suggest that they are operational sub-groups or the same actor," she says. "This distinction is important, as it implies that each group has its own goals, motivations, and areas of focus, and should be tracked and analyzed separately to fully understand their activities and potential impacts."
Mysterious Elephant primarily targets diplomatic, military, and defense institutions in Pakistan and Bangladesh, according to Kaspersky. Sloppy Lemming and Fishing Elephant instead focus on nuclear, defense, logistics, and telecommunications providers, according to Arctic Wolf.
Sloppy Lemming Lives Up to Its Name
Aside from Sloppy Lemming, other prominent actors in the region have started using Rust, as well as other languages that make reverse engineering more challenging, says Kaspersky's Shabab. The use of Cloudflare Workers, Pages, and protected domains is also on the rise among Indian APT groups as a way of hosting attacker-controlled pages and C2 servers, she adds.
"This expansion into serverless and edge-hosted C2 infrastructure suggests that attackers are seeking to leverage the anonymity and scalability offered by cloud services to evade detection and improve their operational efficiency," Shabab says. "The use of these cloud-based services allows attackers to dynamically deliver payloads, obscure their infrastructure, and evade traditional security controls."
Sloppy Lemming's tactics, which include lures that rely on Excel macros, suggest the group is targeting organizations with poor security hygiene or those using pirated software, Arctic Wolf's Valenzuela says. Overall, while the group has shown some signs of increasing sophistication — its use of Rust, custom tools, and a C2 channel built on Cloudflare Workers — it has also made significant head-smacking mistakes, such as operating some of its C2 infrastructure with open directories, which allowed threat researchers to gain access, he says.
"Sometimes we always talk about how sophisticated these adversaries may be, but the operational security that these guys have is not on par with a lot of other groups that are usually doing cyber-espionage campaigns," he says. "They continue to be Sloppy Lemming."
About the Author
Robert Lemos
Contributing Writer
Rob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity.
A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients. Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports.
Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major).