An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2). Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant.

"Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries," Cloudflare said in an analysis.

SloppyLemming is assessed to have been active since at least July 2021, with prior campaigns leveraging malware such as Ares RAT and WarHawk, the latter of which is also linked to a known hacking crew called SideWinder. The use of Ares RAT, on the other hand, has been linked to SideCopy, a threat actor likely of Pakistani origin.

Targets of SloppyLemming's activity span government, law enforcement, energy, education, telecommunications, and technology entities located in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.

The attack chains involve sending spear-phishing emails that aim to trick recipients into clicking on a malicious link by inducing a false sense of urgency, claiming that they need to complete a mandatory process within the next 24 hours. Clicking on the URL takes the victim to a credential harvesting page, which then serves as a mechanism for the threat actor to gain unauthorized access to…