Indian APT 'Sloppy Lemming' Targets Defense, Critical Infrastructure

Dark Reading
by Robert Lemos
March 3, 2026
AI-Generated Deep Dive Summary
The India-linked advanced persistent threat (APT) group "Sloppy Lemming" has significantly increased its activity and sophistication in recent years, targeting nuclear-regulatory organizations, defense firms, and critical infrastructure across South and Southeast Asia. In contrast to its earlier operations, the group has moved from off-the-shelf tools like Cobalt Strike to custom tools written in Rust, a programming language known for its security features. Sloppy Lemming has also expanded its command-and-control (C2) infrastructure, leveraging Cloudflare's serverless Workers service to manage over 112 domains, a marked increase from the 13 domains it controlled just a year ago.

The group's tactics reflect a broader trend of cyber-espionage groups in South Asia becoming more adept and regionally focused. This shift is particularly evident as tensions between India and Pakistan have escalated, with both countries engaging in military strikes and cyber operations. Sloppy Lemming employs two primary attack chains: one uses malicious PDFs to redirect victims to an attack, while the other leverages macro-enabled Excel documents to deploy a Rust-based keylogger. These tactics contrast with those of Chinese or Russian groups, which often rely on zero-day exploits targeting edge devices.

The rise of such cyber-espionage campaigns highlights the growing normalization of cyber operations in regional conflicts, particularly in South Asia. While some groups may be distinct teams within intelligence organizations or contractors working for the same government, their shared tactics and resources suggest a coordinated effort to gather critical information. This evolution underscores the increasing sophistication of India-linked cyber threats and raises concerns about the vulnerability of critical infrastructure and national security in the region.
Originally published on Dark Reading on 3/3/2026