Arctic Wolf Links SloppyLemming Campaign to Rust Keylogger and BurrowShell Backdoor
Arctic Wolf links a yearlong SloppyLemming campaign to a Rust-based keylogger and an in-memory BurrowShell backdoor that targeted Pakistani and Bangladeshi critical infrastructure.

Arctic Wolf Labs says a yearlong espionage campaign spanning January 2025 to January 2026 deployed dual malware chains: a Rust-based keylogger and an in-memory x64 shellcode backdoor called BurrowShell. “Arctic Wolf assesses with moderate confidence that this activity is attributable to SloppyLemming, based on continued exploitation of Cloudflare Workers infrastructure with government‑themed typo‑squatting patterns, deployment of the Havoc C2 framework previously linked to this actor, DLL sideloading techniques consistent with documented tradecraft, and victimology focused on South Asian government and critical infrastructure entities matching established targeting priorities,” Arctic Wolf wrote in its investigative summary.
BurrowShell is described in Arctic Wolf’s technical write-up and repeated in industry summaries as a full-featured backdoor used for C2 and network pivoting. “BurrowShell is a full‑featured backdoor providing the threat actor with file system manipulation, screenshot capture capabilities, remote shell execution, and SOCKS proxy capabilities for network tunneling,” Arctic Wolf said. Industrialcyber Co. notes the implant runs as in-memory x64 shellcode, executes fifteen distinct commands, and supports lateral movement via SOCKS proxy tunneling; TheHackerNews reproduced Arctic Wolf’s finding that the implant “masquerades its command-and-control (C2) traffic as Windows Update service communications and employs RC4 encryption with a 32-character key for payload protection.”
The Rust-based implant functions as an information-stealing RAT with keylogging at its core and expanded reconnaissance features. Industrialcyber Co. documents remote command execution, file operations, port scanning, and network enumeration as built-in capabilities, and TheHackerNews reports the keylogger was dropped by macro-enabled Excel documents in at least one attack chain. Arctic Wolf published a targeted detection rule for this tool named targeted_SloppyLemming_Rust_Keylogger_RAT; its metadata lists creation_date and last_modified as 2026-01-08 and a hash256 of 4f1628821c13cc27fd4134301cc93a1ad32b2a3f7066c3d90f7ba89e02180754. The rule includes the strings "=== KEYLOGGER SUMMARY ===" and "\\.cargo\\registry"; the latter is a Cargo registry path that Rust builds commonly embed, so it is consistent with a Rust-built artifact but is not, on its own, an indicator of malice.
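The two technical details above that a responder can act on directly are the RC4-protected payload (reported for BurrowShell with a 32-character key) and the literal strings from the published rule. The following is an added example, not code from Arctic Wolf's report or from the rule itself: it implements RC4 so a captured payload can be decrypted once a key has been recovered, then checks the plaintext for the two quoted strings. The key, the sample payload and the scoring logic are all constructed for illustration; the real key, the rule's full condition and the Windows Update masquerading of the C2 traffic are not reproduced here.

```python
"""Decrypt an RC4-protected blob and triage it against strings quoted from
Arctic Wolf's rule. Added example; key and sample data are constructed."""


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric, so one routine both encrypts and decrypts."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: emit keystream bytes and XOR them in.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


# Strings quoted from targeted_SloppyLemming_Rust_Keylogger_RAT on this page.
# In YARA the backslashes are escaped, so "\\.cargo\\registry" matches the
# raw bytes \.cargo\registry; Python bytes literals escape the same way.
RULE_STRINGS = [b"=== KEYLOGGER SUMMARY ===", b"\\.cargo\\registry"]


def triage(plaintext: bytes) -> dict:
    """Report which rule strings appear. The Cargo path alone is weak evidence
    (any Rust build may embed it); the summary banner is the stronger hit."""
    matched = [s.decode() for s in RULE_STRINGS if s in plaintext]
    return {
        "matched": matched,
        "rust_artifact": b"\\.cargo\\registry" in plaintext,
        "keylogger_banner": b"=== KEYLOGGER SUMMARY ===" in plaintext,
    }


def decrypt_and_triage(key: str, blob: bytes) -> dict:
    """Enforce the 32-character key length the report describes, decrypt,
    then triage. Assumes the key is plain ASCII, an assumption of this example."""
    if len(key) != 32:
        raise ValueError("expected a 32-character key per the report")
    plaintext = rc4_crypt(key.encode("ascii"), blob)
    result = triage(plaintext)
    result["plaintext_len"] = len(plaintext)
    return result


# Constructed sample: a fake keylogger dump encrypted under a made-up key.
SAMPLE_KEY = "0123456789abcdef0123456789abcdef"  # constructed, 32 chars
SAMPLE_PLAINTEXT = (
    b"build: C:\\Users\\dev\\.cargo\\registry\\src\\x.rs\n"
    b"=== KEYLOGGER SUMMARY ===\nkeys captured: 42\n"
)
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY.encode("ascii"), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decrypt_and_triage(SAMPLE_KEY, SAMPLE_BLOB))
```

When used against a real capture, the decrypted bytes should be hashed and compared against the published hash256 before relying on string hits, and a hit on the Cargo path by itself should be treated as a reason to look closer, not as a verdict.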
Operational tradecraft relied on spear-phishing and multiple execution chains. Industrialcyber Co. and Arctic Wolf describe a PDF-to-ClickOnce vector in which malicious PDFs redirect victims to ClickOnce application manifest files that orchestrate multi-component payloads, while a second chain uses macro-laden Excel spreadsheets to download and execute the keylogger. Arctic Wolf’s assessment highlights continued abuse of Cloudflare Workers infrastructure and government-themed typo-squatting patterns; a Reddit summary additionally cited “112 Cloudflare Workers domains registered over one year” as evidence of infrastructure growth, but that figure comes from community posts rather than the Arctic Wolf report and has not been independently verified.
Researchers were able to glean artifacts partly because of operator mistakes. Arctic Wolf’s analyst Valenzuela told DarkReading that lures with Excel macros “suggest they are targeting organizations with poor security hygiene or those using pirated software,” and that operators made mistakes such as “operating some of the C2 infrastructure with open directories, which allowed threat researchers to gain access.” Arctic Wolf says it has acted on the findings: “Arctic Wolf Labs has leveraged threat intelligence around SloppyLemming activity to implement new detections in the Arctic Wolf® Aurora™ Platform to protect customers.”
Industrialcyber Co. frames the campaign as a continuation and evolution of activity Cloudflare flagged in September 2024, noting expanded infrastructure and tooling while maintaining targeting focused on Pakistani and Bangladeshi government and critical infrastructure entities. Arctic Wolf’s March 2, 2026 report provides the core attribution and technical artifacts now driving detections and YARA signatures, while community reports and secondary analyses add context on scale and operator errors that defenders will want to verify and track.