Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

Indian APT 'Sloppy Lemming' Targets Defense, Critical Infrastructure

  • What: Indian APT group targets defense and critical infrastructure
  • Impact: Likely state-sponsored cyber-espionage

India-nexus cyber threat actors are growing more active and sophisticated, using custom tools coded in Rust and cloud-based command and control.

By Robert Lemos, Contributing Writer. March 3, 2026. 5 Min Read.

The India-linked advanced persistent threat (APT) "Sloppy Lemming" has significantly increased its operational tempo over the past year, adopting more sophisticated tactics to target nuclear-regulatory organizations, defense firms, and critical infrastructure in Pakistan and Bangladesh, among other South and Southeast Asian targets. The group has evolved from using off-the-shelf red teaming tools like Cobalt Strike and Havoc C2 to developing its own custom tooling written in the Rust programming language, while expanding its command-and-control (C2) infrastructure — based on Cloudflare's serverless Workers service — to at least 112 domains, up from 13 domains a year ago, according to cybersecurity firm Arctic Wolf.

The group's tactics, techniques, and procedures (TTPs) show how cyber-espionage groups working for specific nations in the region have become more adept at their craft, says Ismael Valenzuela, vice president of threat intelligence research at Arctic Wolf.

"Years ago, we would only see some nation-state groups, some cybercriminal groups, and maybe some hacktivist groups in the region," he says. "What we're seeing now is more groups and more noise and more people trying to get [critical] information and more regionalized cyber-espionage campaigns as well."

The threat report comes as tensions in South Asia have increased significantly in the past few weeks. On March 3, Pakistan's president, Asif Ali Zardari, claimed that India is preparing for military actions and called for the country to "move away from the war theatre," according to reports. In late February, following terrorist bombings at a mosque and a security post inside Pakistan, the country's military struck at alleged militant bases inside Afghanistan. Similarly, India used air attacks to strike at targets inside Pakistan during Operation Sindoor in May 2025.

India-Backed Cyber Operations Ramp Up

As tensions in the Asia Pacific region climb, cyber-operations have become much more normalized. Unlike Chinese or Russian threat groups, which often use zero-day exploits to attack edge devices, the India-linked cyber-espionage groups rely heavily on phishing and credential theft, according to Arctic Wolf's threat report this week. Sloppy Lemming, which is also connected to groups identified by other threat researchers as Outrider Tiger and Fishing Elephant, uses two attack chains: one uses a PDF lure to redirect victims to an attack, and the other uses macro-enabled Excel documents to deliver a Rust-based keylogger, Arctic Wolf stated.

However, at least a handful of Sloppy Lemming-related groups appear to be taking actions on behalf of India, according to cybersecurity firms. Messaging security provider Proofpoint tracks five known groups linked to India, including TA397, which the company's researchers also called Bitter, a threat group that has some overlap with Sloppy Lemming. Meanwhile, two others, TA399 and TA395 — aka Sidewinder and Frantic Tiger, respectively — share lure themes, compromised accounts, and sometimes target the same individuals, Proofpoint researchers tell Dark Reading.

"This pattern suggests shared resourcing and/or coordinated tasking across some India-aligned clusters, even if the teams may be distinct," the researchers stated. These could be different teams within an intelligence organization, different contractors working with the same government client, or just a reuse of resources across operations, they said.

There are some distinct entities, however. Kaspersky tracks a number of India-nexus groups, including Fishing Elephant, which Arctic Wolf also linked to Sloppy Lemming; but two other groups, Dropping Elephant and Mysterious Elephant, do not overlap with Sloppy Lemming, says Noushin Shabab, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).

"They appear to be separate entities with their own unique characteristics, and we have not found any evidence to suggest that they are operational sub-groups or the same actor," he says. "This distinction is important, as it implies that each group has its own goals, motivations, and areas of focus, and should be tracked and analyzed separately to fully understand their activities and potential impacts."

Mysterious Elephant primarily targets diplomatic, military, and defense institutions in Pakistan and Bangladesh, according to Kaspersky. Sloppy Lemming and Fishing Elephant instead focus on nuclear, defense, logistics, and telecommunications providers, according to Arctic Wolf.

Sloppy Lemming Lives Up to Its Name

Aside from Sloppy Lemming, other prominent actors in the region have started using Rust, as well as other languages that make reverse engineering more challenging, says Kaspersky's Shabab. The use of Cloudflare Workers, Pages, and protected domains is also on the rise among Indian APT groups as a way of hosting attacker-controlled pages and C2 servers, he adds.

"This expansion into serverless and edge-hosted C2 infrastructure suggests that attackers are seeking to leverage the anonymity and scalability offered by cloud services to evade detection and improve their operational efficiency," Shabab says. "The use of these cloud-based services allows attackers to dynamically deliver payloads, obscure their infrastructure, and evade traditional security controls."

Sloppy Lemming's tactics, which include using lures with Excel macros, suggest they are targeting organizations with poor security hygiene or those using pirated software, Arctic Wolf's Valenzuela says. Overall, while the group showed some signs of increasing sophistication — its use of Rust, custom tools, and a C2 channel using Cloudflare Workers — it has also made significant head-smacking mistakes, such as operating some of the C2 infrastructure with open directories, which allowed threat researchers to gain access, he says.

"Sometimes we always talk about how sophisticated these adversaries may be, but the operational security that these guys have is not on par with a lot of other groups that are usually doing cyber-espionage campaigns," he says. "They continue to be Sloppy Lemming."

About the Author: Robert Lemos, Contributing Writer. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
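As a defender-side illustration of the tradecraft the article describes (macro-enabled Office lures and C2 hosted on Cloudflare Workers and Pages), the script below is an added example, not code from the article, Arctic Wolf, or any vendor; its key=value log format, endpoint names and sample events are constructed assumptions.

```python
"""Endpoint-telemetry triage for the tradecraft described in the article:
Office documents spawning processes that talk to serverless C2 on Cloudflare
Workers or Pages. Log lines and their field layout are constructed for this
example (an assumed key=value format, not any vendor's schema)."""
import re
from collections import defaultdict

# Real Cloudflare default hosting suffixes for Workers and Pages. Plenty of
# legitimate apps live there too, so a match is a lead to investigate, not a verdict.
SERVERLESS_SUFFIXES = (".workers.dev", ".pages.dev")
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) "
    r"proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample events: an Excel->rundll32 beacon, an Excel process reaching a
# Pages host, a browser visiting a workers.dev app, and one benign connection.
SAMPLE_LOG = """\
2026-03-03T09:12:01Z host=ws-17 parent=excel.exe proc=rundll32.exe dst=quiet-lake-3f2a.workers.dev:443
2026-03-03T09:12:09Z host=ws-17 parent=explorer.exe proc=chrome.exe dst=docs.example.com:443
2026-03-03T09:13:44Z host=ws-22 parent=excel.exe proc=excel.exe dst=update-svc.pages.dev:443
2026-03-03T09:15:00Z host=ws-05 parent=explorer.exe proc=chrome.exe dst=my-dashboard.workers.dev:443
""".splitlines()

def parse(line):
    """Return the event as a dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_serverless_host(dst):
    """Suffix match on the hostname only; 'workers.dev.example.com' does not count."""
    return dst.lower().endswith(SERVERLESS_SUFFIXES)

def triage(lines):
    """Return (alerts, inventory): alerts are events where an Office process, or a
    child it spawned, reached Workers/Pages hosting; inventory maps each endpoint to
    the serverless hosts it contacted, to surface sprawl of short-lived C2 domains."""
    alerts, inventory = [], defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None or not is_serverless_host(ev["dst"]):
            continue
        inventory[ev["host"]].add(ev["dst"].lower())
        if {ev["parent"].lower(), ev["proc"].lower()} & OFFICE_PROCS:
            alerts.append(ev)
    return alerts, inventory
```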
