An advanced threat actor with ties to India has been identified using multiple cloud service providers for credential harvesting, malware distribution, and command-and-control (C2) operations. Cloudflare, a web infrastructure and security company, has been monitoring this activity under the name SloppyLemming, also known as Outrider Tiger and Fishing Elephant.
According to Cloudflare’s analysis, SloppyLemming has been active since at least July 2021 and has leveraged Cloudflare Workers as part of a suspected espionage campaign targeting South and East Asian countries from late 2022 to the present. The group has previously used malware such as Ares RAT and WarHawk, with WarHawk linked to a known hacking group called SideWinder. Ares RAT, meanwhile, has been associated with SideCopy, a threat actor believed to have origins in Pakistan.
SloppyLemming’s targets include government, law enforcement, energy, education, telecommunications, and technology sectors in countries such as Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.
The attack strategy typically involves spear-phishing emails designed to create a sense of urgency, prompting recipients to click on a malicious link claiming immediate action is required. These links lead to credential harvesting pages, allowing the attackers to gain unauthorized access to targeted email accounts.
Cloudflare has identified a custom tool named CloudPhish, which creates malicious Cloudflare Workers to handle credential logging and exfiltration. The group has also used similar techniques to capture Google OAuth tokens, and has distributed malicious RAR archives that exploit a WinRAR vulnerability (CVE-2023-38831) to achieve remote code execution. These archives contain an executable that displays a decoy document while loading a "CRYPTSP.dll" that downloads a remote access trojan hosted on Dropbox.
Last year, cybersecurity firm SEQRITE reported a similar campaign by SideCopy targeting Indian government and defense sectors with Ares RAT distributed via ZIP archives exploiting the same vulnerability.
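The two campaigns above both lean on CVE-2023-38831, whose lure archives share a recognisable entry layout: a decoy document sitting next to a directory with the same name plus a trailing space, holding a script that WinRAR runs when the victim opens the decoy. The following is an added example, not code from Cloudflare, SEQRITE or the threat actor, that scans an archive's entry names for that layout. It uses a ZIP built in memory because Python's standard library can create and read ZIP files offline; the same name-based checks apply to a RAR listing obtained from a RAR library. The archive contents, file names and the inert "rem placeholder" script body are all constructed for the example.

```python
import io
import posixpath
import zipfile

# Extensions that would run if the archiver hands the name to ShellExecute.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr"}


def build_sample_archive():
    """Constructed in-memory ZIP reproducing the entry layout that public
    CVE-2023-38831 detections key on: a decoy document next to a directory
    named like the decoy plus a trailing space, which holds a script.
    The script body is an inert placeholder, not a payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder decoy\n")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"rem placeholder\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed control archive with an ordinary layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder\n")
        zf.writestr("notes/readme.txt", b"nothing to see here\n")
    return buf.getvalue()


def implied_dirs(names):
    """Directory names, whether stored explicitly or only implied by file paths."""
    dirs = set()
    for name in names:
        parts = name.rstrip("/").split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
        if name.endswith("/"):
            dirs.add(name.rstrip("/"))
    return dirs


def suspicious_entries(zip_bytes):
    """Return a list of (reason, entry, details) findings for one archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    dirs = implied_dirs(names)
    findings = []

    # Trailing spaces in a path component are abnormal on Windows and are the
    # detail the vulnerability abuses, so report them on their own.
    for d in dirs:
        if posixpath.basename(d) != posixpath.basename(d).rstrip(" "):
            findings.append(("trailing-space directory name", d, None))
    for f in files:
        if posixpath.basename(f) != posixpath.basename(f).rstrip(" "):
            findings.append(("trailing-space file name", f, None))

    # The core signature: a top-level file whose trimmed name collides with a
    # directory's trimmed name, and that directory holds an executable type.
    dir_by_trimmed = {d.rstrip(" "): d for d in dirs}
    for f in files:
        if "/" in f:
            continue
        d = dir_by_trimmed.get(f.rstrip(" "))
        if d is None:
            continue
        payloads = [n for n in files if n.startswith(d + "/")
                    and posixpath.splitext(n.rstrip(" "))[1].lower() in SCRIPT_EXTS]
        if payloads:
            findings.append(("decoy/directory name collision", f, payloads))
    return findings


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()),
                        ("benign", build_benign_archive())):
        print(label, suspicious_entries(blob))
```

The collision check trims trailing spaces from both sides before comparing, so it fires whether the space is on the decoy file, on the directory, or on both, and the trailing-space checks on their own give an early signal even when the directory holds no script yet. A mail gateway or sandbox would run this on every archive before it reaches a user.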
Another method employed by SloppyLemming involves spear-phishing lures that direct victims to a fake website mimicking the Punjab Information Technology Board (PITB) in Pakistan. Visitors are then redirected to another site containing a malicious URL file, which downloads an executable named PITB-JR5124.exe. This file, a legitimate executable, is used to sideload a rogue DLL (profapi.dll) that communicates with a Cloudflare Worker. These Workers act as intermediaries, relaying requests to the primary C2 domain (“aljazeerak[.]online”).
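Both the RAR chain and the PITB lure end in the same technique: a legitimate signed executable loads a DLL by name ("CRYPTSP.dll", "profapi.dll") and picks up a rogue copy placed beside it instead of the one in System32. The following is an added example, not Cloudflare's or the threat actor's code, showing the detection logic a SOC would run over endpoint image-load telemetry. It assumes Sysmon ImageLoad (Event ID 7) records flattened to a simple key=value line format; the sample lines, user name and paths are constructed for the example, and the watchlist holds only the two DLL names reported here.

```python
import ntpath
import re

# Constructed sample Sysmon ImageLoad (Event ID 7) records, flattened to a
# simplified "key=value" line format for the example. They are not real logs
# from the campaign; the user name and paths are made up.
SAMPLE_EVENTS = """\
EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\profapi.dll Signed=true
EventID=7 Image=C:\\Users\\alice\\Downloads\\PITB-JR5124.exe ImageLoaded=C:\\Users\\alice\\Downloads\\profapi.dll Signed=false
EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\CRYPTSP.dll Signed=false
EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe
EventID=7 Image=C:\\Program Files\\App\\app.exe ImageLoaded=C:\\Windows\\System32\\cryptsp.dll Signed=true
"""

# DLL names the article reports being abused; extend with your own list of
# commonly sideloaded system DLLs.
WATCHLIST = {"profapi.dll", "cryptsp.dll"}

# Directories where these DLLs legitimately live (lowercase, with a trailing
# separator so that a folder named "system32evil" does not match).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# key=value pairs; the lookahead lets a value contain spaces ("Program Files").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_sideload_candidates(log_text):
    """Flag watchlisted DLLs loaded from anywhere other than the system directories."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        image = ev.get("Image", "")
        dll = ev.get("ImageLoaded", "")
        if ntpath.basename(dll).lower() not in WATCHLIST:
            continue
        if dll.lower().startswith(SYSTEM_DIRS):
            continue
        hits.append({
            "image": image,
            "dll": dll,
            # Classic sideload: the rogue DLL sits beside the EXE that loads it.
            "same_dir": ntpath.dirname(dll).lower() == ntpath.dirname(image).lower(),
            "signed": ev.get("Signed"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit)
```

On the constructed sample this returns the PITB-JR5124.exe/profapi.dll and setup.exe/CRYPTSP.dll loads and ignores the two loads from System32. In production the same rule is cheap to express in a SIEM query, and the "same_dir" and "signed" fields are the first things an analyst checks before escalating: a signed loader pulling an unsigned copy of a system DLL from a user-writable directory is the pattern described for both chains above.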
Cloudflare has observed targeted efforts by SloppyLemming against Pakistani police departments and other law enforcement agencies, noting indications of attempts to compromise entities involved in the operation and maintenance of Pakistan’s only nuclear power facility.
Other credential harvesting targets include government and military organizations in Sri Lanka and Bangladesh, as well as Chinese energy and academic sector entities to a lesser extent.