A newly identified cyber espionage campaign attributed to an India-nexus threat actor has targeted government agencies and critical infrastructure operators in Pakistan, Bangladesh and Sri Lanka, according to cybersecurity researchers.
The findings were disclosed this week by Arctic Wolf, which tracks the threat group as SloppyLemming and linked the new activity to previously observed intrusions that expanded in scope over recent months. The group was first documented publicly by Cloudflare in 2024. According to Cloudflare:
The actor predominantly relies on open source adversary emulation frameworks, such as Cobalt Strike, Havoc, and others. Based on Cloudflare’s visibility, the actor predominantly targets within Asia. Pakistan is a primary target for SloppyLemming; however, the actor also routinely targets Bangladesh, Indonesia, Sri Lanka, China, and Nepal. Targeted sectors predominantly consist of government entities within Pakistan.
Arctic Wolf said its investigation showed the operation to be an extension of activity first flagged by Cloudflare in September 2024, when similar intrusions were observed in the region. The campaign, described as espionage-oriented, used tactics typical of Advanced Persistent Threat (APT) actors, including network reconnaissance, probable credential harvesting and exploitation of vulnerable services to sustain covert access to targeted systems.
The SloppyLemming campaign is part of a broader pattern of digital skirmishes across South Asia in recent years. Earlier reports from threat intelligence firms have highlighted multiple instances of sophisticated cyber operations impacting India and Pakistan. For example, APT36, also known as Transparent Tribe, a Pakistan-linked APT group, has been implicated in ongoing espionage campaigns against Indian government and strategic institutions, including the use of credential-stealing malware and phishing lures.
Similarly, Maharashtra Cyber in India reported that seven Pakistan-allied APT groups attempted more than 1.5 million cyber attacks on Indian critical infrastructure following the 2025 India-Pakistan military conflict, although only around 150 attacks succeeded. The report detailed activities ranging from website defacement to distributed denial-of-service attacks and malware injections, illustrating the high volume of digital conflict even if many attempts failed.
CloudSEK researchers have cautioned that public claims of large numbers of successful breaches often exaggerate actual impact, finding that many claims by Pakistan-linked hacktivists amounted to minimal disruption, recycled data from older leaks or superficial defacements. Even so, APT36's use of the Crimson RAT malware demonstrates a level of operational sophistication aimed at espionage and information theft.
Threat actors operating in South Asia frequently draw motivation from geopolitical tensions. During the 2025 hostilities between India and Pakistan over territorial disputes, cyber operations surged in tandem with conventional fighting, with attacks on government portals, defense networks and educational institutions.
Analysts say the digital front increasingly reflects geopolitical disputes, with attackers leveraging DDoS, spear-phishing and credential theft to pursue strategic objectives while complicating attribution.