Why Did India-Linked Hackers Target Pakistan’s Nuclear and Defense Entities in a Year-Long Cyber Campaign?

A sophisticated cyber espionage group suspected of alignment with Indian interests has conducted a sustained, high-value intelligence-gathering operation against Pakistan’s nuclear regulatory bodies, defense organizations, navy, logistics networks, and telecommunications providers, according to new research from cybersecurity firm Arctic Wolf.

The campaign, active from January 2025 through January 2026, also hit critical infrastructure in Bangladesh (energy utilities and financial institutions) and, to a lesser extent, defense-related entities in Sri Lanka. Dubbed SloppyLemming (also tracked as Outrider Tiger by CrowdStrike), the actor deployed novel malware and evasive techniques in what Arctic Wolf describes as a clear reflection of regional strategic competition in South Asia.

The operation focused heavily on entities central to Pakistan’s national security and nuclear posture:

  • Pakistan Navy — Likely seeking insights into naval capabilities, fleet movements, or submarine programs.
  • National Logistics Corporation (NLC) — A key defense logistics arm responsible for military supply chains.
  • Pakistan Nuclear Regulatory Authority (PNRA) — The civilian regulator overseeing nuclear safety, licensing, and oversight of facilities.
  • Major telecommunications providers such as SCO (Special Communications Organization) and PTCL (Pakistan Telecommunication Company Limited) — Providing potential access to communications metadata, interception points, or backbone infrastructure.

Arctic Wolf emphasized that these targets “align with intelligence collection priorities consistent with regional strategic competition,” particularly given Pakistan’s nuclear arsenal and ongoing tensions with India.

In Bangladesh, the group infiltrated energy distribution companies (DESCO, PGCB) and financial institutions, suggesting interest in economic stability, power grid vulnerabilities, or financial flows that could support broader regional influence operations.

SloppyLemming relied on spear-phishing as the primary initial access vector, using two main methods:

  1. Malicious PDF documents embedding URLs that led to ClickOnce application files for payload delivery.
  2. Macro-enabled Excel spreadsheets that directly downloaded malicious binaries.

Command-and-control (C2) infrastructure leveraged 112 unique Cloudflare Workers domains impersonating legitimate Pakistani and Bangladeshi government entities — a technique that blends into normal web traffic and evades detection.

A notable evolution in the group’s capabilities was the adoption of Rust-based malware, combined with established tools like the Havoc C2 framework and Cobalt Strike. Arctic Wolf highlighted this shift as evidence of growing technical sophistication, moving beyond simpler scripts to more resilient, cross-platform payloads.

The campaign builds on earlier public attributions: Cloudflare’s CloudForce One team first exposed SloppyLemming in September 2024, while CrowdStrike has tracked the actor since at least 2021.

The timing and targets fit into a broader pattern of cyber skirmishes between India and Pakistan. Key context includes:

  • Missile exchanges in May 2025 — the most serious direct military escalation between the two nuclear powers in recent decades.
  • Parallel surge in hacktivist activity and state-linked espionage on both sides.
  • Increasing integration of cyber and AI capabilities into conventional military planning, as noted in a November 2025 Stimson Center analysis.

Such operations raise risks to strategic stability: espionage on nuclear regulators could inform targeting or sabotage planning, while access to telecoms enables surveillance or disruption during crises.

Arctic Wolf concluded by urging organizations in defense, nuclear, energy, telecom, and financial sectors across South Asia to treat themselves as likely targets and strengthen defenses — including phishing awareness, endpoint detection, network segmentation, and monitoring for anomalous Cloudflare Worker traffic.
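The two initial-access methods above (PDF lure leading to a ClickOnce file) and the Cloudflare Workers C2 impersonating government entities give defenders something concrete to hunt for in web-proxy logs. The following is an added example, not code from Arctic Wolf's report, that shows one way to implement the "monitor for anomalous Cloudflare Worker traffic" recommendation. It assumes the Workers default domain `workers.dev` (attackers may also bind custom domains, which this will not catch), a constructed proxy log format (timestamp, client, method, URL, status, content type), the ClickOnce MIME type `application/x-ms-application`, and a hand-picked list of government-style labels drawn from the organisations named in the article. It flags workers.dev hosts whose labels mimic those organisations, ClickOnce deployment files, and, at high severity, a PDF fetch followed by a ClickOnce download from the same host by the same client.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: Workers scripts served from Cloudflare's default workers.dev domain.
WORKERS_SUFFIX = ".workers.dev"

# Labels an impersonating hostname might reuse: generic government/military
# tokens plus the organisations named in the report (hypothetical list).
IMPERSONATION_TOKENS = ("gov", "mil", "navy", "pnra", "nlc", "ptcl", "sco", "desco", "pgcb")

# ClickOnce artefacts: deployment manifest extensions and their MIME type.
CLICKONCE_EXTS = (".application", ".manifest", ".deploy")
CLICKONCE_MIME = "application/x-ms-application"

# A PDF followed by a ClickOnce fetch from the same host inside this window
# matches the PDF -> URL -> ClickOnce chain described in the article.
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed sample log lines (not real telemetry); host names are invented.
SAMPLE_PROXY_LOG = """\
2025-03-04T09:12:01Z 10.1.4.22 GET https://intranet.example.com/portal/index.html 200 text/html
2025-03-04T09:13:44Z 10.1.4.22 GET https://pnra-gov-pk.example-worker.workers.dev/docs/notice.pdf 200 application/pdf
2025-03-04T09:14:02Z 10.1.4.22 GET https://pnra-gov-pk.example-worker.workers.dev/update/Viewer.application 200 application/x-ms-application
2025-03-04T09:20:15Z 10.1.7.9 GET https://cdn.example.net/static/app.js 200 application/javascript
2025-03-04T09:21:30Z 10.1.7.9 GET https://navy-mil-pk.staff-portal.workers.dev/login 200 text/html
2025-03-04T09:25:00Z 10.1.9.3 GET https://blog.example.org/post.html 200 text/html
2025-03-04T09:26:12Z 10.1.9.3 GET https://files.example.org/tools/setup.exe 200 application/x-msdownload
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)


@dataclass
class Finding:
    severity: str
    client: str
    host: str
    reason: str


def parse_line(line):
    """Parse one constructed proxy log line; return None on malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    parsed = urlparse(rec["url"])
    rec["host"] = (parsed.hostname or "").lower()
    rec["path"] = parsed.path.lower()
    return rec


def impersonation_hits(host):
    """Split a hostname into labels (pnra-gov-pk -> pnra, gov, pk) and match tokens."""
    parts = re.split(r"[.\-_]", host)
    return sorted({p for p in parts if p in IMPERSONATION_TOKENS})


def is_clickonce(rec):
    return rec["ctype"].lower() == CLICKONCE_MIME or rec["path"].endswith(CLICKONCE_EXTS)


def scan(log_text):
    """Return Findings for workers.dev hosts, ClickOnce fetches and PDF->ClickOnce chains."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []
    last_pdf = {}  # (client, host) -> timestamp of the most recent PDF fetch
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["client"], rec["host"])
        if rec["path"].endswith(".pdf") or rec["ctype"].lower() == "application/pdf":
            last_pdf[key] = rec["ts"]
        if rec["host"].endswith(WORKERS_SUFFIX):
            hits = impersonation_hits(rec["host"])
            if hits:
                findings.append(Finding("medium", rec["client"], rec["host"],
                                        "workers.dev host with government-style labels: " + ", ".join(hits)))
            else:
                # Plenty of legitimate workers.dev sites exist, so this alone is only informational.
                findings.append(Finding("low", rec["client"], rec["host"], "workers.dev host"))
        if is_clickonce(rec):
            severity, reason = "medium", "ClickOnce deployment file download"
            pdf_ts = last_pdf.get(key)
            if pdf_ts is not None and rec["ts"] - pdf_ts <= CHAIN_WINDOW:
                severity, reason = "high", "PDF followed by ClickOnce download from the same host"
            findings.append(Finding(severity, rec["client"], rec["host"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROXY_LOG):
        print(f"[{f.severity.upper():6}] {f.client} -> {f.host}: {f.reason}")
```

The chain rule is the useful part: a single workers.dev hit or a single `.application` download is noisy on its own, but a PDF and a ClickOnce manifest from the same impersonating host within minutes reproduces the lure sequence the article describes and is worth an immediate look at the client. Tune the token list to the organisations your own users actually deal with.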

As India-Pakistan tensions remain elevated amid ongoing regional flashpoints (including the U.S.-Iran conflict), cyber operations like SloppyLemming’s underscore how digital espionage has become a persistent, low-visibility front in South Asian strategic competition.
