BurrowShell
BurrowShell is a custom x64 shellcode-based backdoor (full-featured implant) used in cyber-espionage activity attributed with moderate confidence by Arctic Wolf to the India-nexus threat actor SloppyLemming (aka Outrider Tiger / Fishing Elephant). It was observed in campaigns targeting government entities and critical infrastructure operators in Pakistan and Bangladesh (with related reporting also referencing Sri Lanka) during roughly January 2025–January 2026.
Delivery/execution (observed):
- Spear-phishing using malicious PDF lures and macro-enabled Excel documents.
- A primary chain used PDF decoys containing embedded URLs that redirected victims to ClickOnce application manifests.
- ClickOnce delivered a legitimate Microsoft .NET runtime executable (NGenTask.exe) renamed to OneDrive.exe and a malicious loader DLL (mscorsvc.dll). Execution was achieved via DLL side-loading / DLL search order hijacking.
- The loader RC4-decrypted an encrypted payload blob (e.g., system32.dll) using a hardcoded 32-character key and executed BurrowShell in-memory as x64 shellcode.
- The loader established persistence via a Run key entry under Software\Microsoft\Windows\CurrentVersion\Run for the renamed legitimate executable.
Capabilities (as described in reporting):
- File system manipulation / file operations.
- Remote shell / command execution.
- Screenshot capture.
- Network tunneling via SOCKS proxy.
- Defense evasion/analysis resistance: dynamic Windows API resolution via hashing of exported function names.
Command-and-control (as described in reporting):
- Uses WinHTTP over HTTPS and masquerades traffic as Windows Update, including a Windows-Update-Agent/10.0.10011.Client-Protocol/2.50 User-Agent.
- Communicates with Cloudflare Workers-hosted infrastructure (e.g., www[.]gov-pk[.]workers[.]dev:443) and uses RC4-protected payloads.
- Reported HTTP paths include /beta/deviceManagement/managedDevices (registration), /v10/WindowsUpdate/ClientWebService/ClientService.asmx/SyncUpdates (heartbeats), and an internal “OneCollector” status mechanism posting to /OneCollector/1.0/.
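The masquerade described above is detectable precisely because the Windows Update User-Agent and paths appear on hosts Microsoft does not operate. The following Python is an added hunting example, not code from the reporting or from Mallory; it assumes a constructed proxy log format of `<timestamp> <client> <method> <url> "<user-agent>"` and a small, assumed allow-list of Microsoft domains that genuine update traffic reaches.

```python
import re
from urllib.parse import urlsplit

# C2 paths and User-Agent prefix as reported for BurrowShell on this page.
REPORTED_C2_PATHS = {
    "/beta/deviceManagement/managedDevices",
    "/v10/WindowsUpdate/ClientWebService/ClientService.asmx/SyncUpdates",
    "/OneCollector/1.0/",
}
WU_UA_PREFIX = "Windows-Update-Agent/"
# Assumption: genuine Windows Update traffic only reaches Microsoft-operated domains;
# tune this allow-list to what your proxy actually sees.
MICROSOFT_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")
# Constructed proxy log format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+)\s+(?P<src>\S+)\s+[A-Z]+\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$')

def is_microsoft_host(host):
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)

def classify(url, ua):
    """Reasons one request resembles BurrowShell C2; an empty list means no rule fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if ua.startswith(WU_UA_PREFIX) and not is_microsoft_host(host):
        reasons.append("Windows Update user-agent sent to a non-Microsoft host")
    if parts.path in REPORTED_C2_PATHS and not is_microsoft_host(host):
        reasons.append("reported BurrowShell C2 path on a non-Microsoft host")
    if host.endswith(".workers.dev"):
        reasons.append("Cloudflare Workers host (abused for delivery and C2)")
    return reasons

def hunt(lines):
    """Return (client, host, reasons) for every parseable line that trips a rule."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        reasons = classify(m["url"], m["ua"])
        if reasons:
            hits.append((m["src"], urlsplit(m["url"]).hostname.lower(), reasons))
    return hits

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    '2025-06-01T08:00:01Z 10.1.2.3 POST https://www.gov-pk.workers.dev/beta/deviceManagement/managedDevices "Windows-Update-Agent/10.0.10011.Client-Protocol/2.50"',
    '2025-06-01T08:00:05Z 10.1.2.3 POST https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx "Windows-Update-Agent/10.0.10011.Client-Protocol/2.50"',
    '2025-06-01T08:00:09Z 10.1.2.4 GET https://www.example.com/ "Mozilla/5.0"',
    '2025-06-01T08:01:00Z 10.1.2.5 POST https://cdn.example.net/OneCollector/1.0/ "Mozilla/5.0"',
]
```

Running `hunt(SAMPLE_LOG)` flags only the workers.dev beacon and the OneCollector post to a non-Microsoft CDN; the genuine update request with the same User-Agent is left alone because the host check, not the User-Agent alone, carries the decision.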
Associated infrastructure/IOCs explicitly mentioned in the content:
- Example lure URL: hxxps://webmail-pnra[.]gov-pk[.]workers[.]dev/ftp[.]pnra.org.application
- C2 domain: www[.]gov-pk[.]workers[.]dev
- Example file hashes tied to the BurrowShell delivery chain: PDF lure SHA-256 8faeea306a331d86ce1acb92c8028b4322efbd11a971379ba81a6b769ff5ac4b; OneDrive.exe (renamed NGenTask.exe) SHA-256 9fd133b11abcbbed33ccea71bd4743e8f35e42cd637fb763f5ab2a8fbb9b6261; loader mscorsvc.dll SHA-256 81d1a62c00724c1dfbc05a79ac4ae921c459350a2a4a93366c0842fadc40b011; encrypted payload blob system32.dll SHA-256 3dbf64da37616acbe16bc6bd06a320fed416c4c8ec37a04f811a32389af3d46c.
- RC4 key for BurrowShell payload decryption (as reported): boikztaigkuneapfvpesuabfmpxgwnad.
Targeting noted in the content includes Pakistani nuclear regulatory bodies, defense logistics, and telecommunications infrastructure, and Bangladeshi energy utilities and financial institutions, consistent with an intelligence-collection objective.
Groups observed using it
3 distinct threat actors attributed by public researchers.
SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh
"...delivery of a malicious PDF holding malware known as BurrowShell — a backdoor that allows hackers to take screenshots and manipulate a file system."
"...executed a custom x64 shellcode implant that Arctic Wolf has named BurrowShell. BurrowShell is a full-featured backdoor providing the threat actor with file system manipulation, screenshot capture capabilities, remote shell execution, and SOCKS proxy capabilities for network tunneling."
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
"...continued exploitation of Cloudflare Workers infrastructure with government-themed typo-squatting patterns..."
“Two custom implants were identified – an in-memory x64 shellcode (BurrowShell)… The second implant is a Rust-based keylogger…”
Initial Access
2 techniques
"One chain utilized spear-phishing emails containing PDF lures and macro-enabled Excel documents."
“PDF documents containing embedded malicious URLs that redirect victims to ClickOnce application manifest files…”
Execution
3 techniques
"...macro-enabled Excel documents" and "Excel documents with malicious macros"
"These led victims to ClickOnce application manifests that deployed a malicious loader"
“Victims must click ‘Download file’ button in PDF or enable macros in Excel.”
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
5 techniques
“system32.dll (Encrypted Shellcode Payload)… an RC4-encrypted blob containing the final payload.”
“DLLs named mscorsvc.dll, sppc.dll, system32.dll to appear legitimate.”
"...employs RC4 encryption with a 32-character key for payload protection."
“PDF lure documents… redirected victims to ClickOnce application manifests…”
"...led victims to ClickOnce application manifests that deployed a malicious loader"
Discovery
3 techniques
Lateral Movement
1 technique
"...BurrowShell, a full-featured backdoor capable of file manipulation, remote shell execution..."
Collection
2 techniques
"...providing the threat actor with file system manipulation, screenshot capture capabilities..."
“download… Base64-encodes contents, sends to C2… screenshot… Base64 encodes BMP data”
Command and Control
9 techniques
"The implant masquerades its command-and-control (C2) traffic as Windows Update service communications..."
“initiates an outbound HTTPS connection… using the WinHTTP API… transmitted via HTTP POST…”
“can activate SOCKS-based tunneling… command set: socks_connect / socks_data / socks_close”
"...SOCKS proxy capabilities for network tunneling..."
“campaign leverages 112 unique Cloudflare Workers domains… for both payload delivery and C2 communication.”
"...deployed a malicious loader, which in turn executed BurrowShell"
“C2 communication over port 443 mimicking legitimate HTTPS.”
"...BurrowShell...capable of...network tunneling."
“establishes an outbound HTTPS connection… TLS-encrypted C2 communications.”
Exfiltration
1 technique
“download Exfiltrate file… sends to C2… screenshot… sends to C2.”
Impact
1 technique
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Implant/backdoor (shell) used by the SloppyLemming campaign to provide remote access against targets in Pakistan and Bangladesh.
Backdoor/shell implant deployed by SloppyLemming in targeting of Pakistan and Bangladesh.
A full-featured backdoor used after an initial malicious loader, providing file manipulation, remote shell execution, and network tunneling capabilities.
A full-featured backdoor/shellcode implant that supports file system manipulation, screenshot capture, remote shell execution, and SOCKS proxying for network tunneling. It masquerades C2 traffic as Windows Update and uses RC4 encryption with a 32-character key.