Unraveling SloppyLemming’s Operations Across South Asia

Sept. 27, 2024, 2:18 p.m.

Description

An investigation reveals SloppyLemming, an advanced threat actor targeting South and East Asian countries, particularly Pakistan. The group uses multiple cloud services for credential harvesting, malware delivery, and command and control. Their operations focus on government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Bangladesh, Sri Lanka, and China. SloppyLemming employs phishing tactics, exploits vulnerabilities, and utilizes various malware tools. The actor's lack of operational security has provided insights into their tooling and infrastructure. Cloudflare has taken steps to disrupt the actor's operations and collaborated with industry partners to mitigate the threat.

Date

Published: Sept. 27, 2024, 1:49 p.m.

Created: Sept. 27, 2024, 1:49 p.m.

Modified: Sept. 27, 2024, 2:18 p.m.

Indicators

Attack Patterns

NekroWire

Havoc

Cobalt Strike - S0154

SloppyLemming

T1585

T1586

T1547.001

T1189

T1573

T1218

T1071

T1102

T1055

T1219

T1036

T1204

T1140

T1132

T1027

T1584

T1566

T1090

T1059

CVE-2023-38831

Additional Information

Technology

Energy

Defense

Telecommunications

Government

Sri Lanka

Nepal

Bangladesh

Australia

China

Indonesia

Pakistan