SloppyLemming Attack Techniques & BurrowShell Backdoor Explained
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
SloppyLemming is a cyber-espionage group targeting critical industries across South and East Asia. The group relies on spearphishing to deliver custom malware, including the BurrowShell backdoor and a Rust-based keylogger. It also makes extensive use of Cloudflare Workers to support command-and-control activity and credential theft operations.
Investigation
The report describes a multi-stage campaign involving malicious Excel macros and spoofed authentication portals. Researchers identified Cloudflare subdomains crafted to imitate government entities and analyzed the group’s custom shellcode together with its keylogging capabilities. The investigation also showed how SloppyLemming evades static analysis through dynamic API resolution and RC4-encrypted payloads.
Mitigation
Organizations should deploy strong email filtering to block malicious attachments and phishing links before delivery. Security teams should monitor for unauthorized Run key modifications, in particular new entries that borrow the OneDrive name but point outside OneDrive's install directories, and for suspicious parent-child process relationships, including NGenTask.exe loading DLLs from outside the Windows and .NET directories. Detection should also cover unusual traffic to Cloudflare Workers (workers.dev) domains, baselined against the organization's own legitimate use of the platform, and any signs of unauthorized OAuth token use.
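The Run-key check above, as an added example that is not part of the original report or the detection vendor's content: a read-only audit of the HKCU and HKLM Run keys that flags values borrowing the OneDrive name while pointing outside OneDrive's install directories, values launched from user-writable locations, double-extension lures, and targets missing from disk. The OneDrive install directories and the user-writable path list are assumptions based on default Windows layouts; adjust them for your estate.

```powershell
# Added example (not from the report or the detection vendor): audit the Run keys
# for the OneDrive-style masquerade described for SloppyLemming. Read-only.
# Assumptions: default OneDrive install locations and user-writable paths below.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a genuine OneDrive autostart value points into (assumed defaults).
$OneDriveDirs = @(
    "$env:LOCALAPPDATA\Microsoft\OneDrive\",
    "$env:ProgramFiles\Microsoft OneDrive\",
    "${env:ProgramFiles(x86)}\Microsoft OneDrive\"
) | Where-Object { $_ -notlike '\*' }   # drop entries whose env var was empty

# Locations an autostart should rarely point into (regex; doubled backslashes).
$UserWritable = '\\Users\\Public\\|\\ProgramData\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\'

function Get-ExecutablePath {
    param([string]$Command)
    # Run values look like:  "C:\path\app.exe" /arg   or   C:\path\app.exe /arg
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            $command = [string]$reg.GetValue($name)
            if (-not $command) { continue }
            $exe = Get-ExecutablePath $command
            $reasons = @()

            # Masquerade: OneDrive in the value name or path, but not in an OneDrive directory.
            $claimsOneDrive = ($name -match 'onedrive') -or ($exe -match 'onedrive')
            $inOneDriveDir = $false
            foreach ($d in $OneDriveDirs) {
                if ($exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inOneDriveDir = $true }
            }
            if ($claimsOneDrive -and -not $inOneDriveDir) { $reasons += 'OneDrive name outside OneDrive install dir' }
            if ($exe -match $UserWritable)                 { $reasons += 'executable in user-writable location' }
            if ($exe -match '\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(exe|scr|com)$') { $reasons += 'double extension' }
            # Only test absolute paths; bare names resolve via PATH and would false-positive.
            if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) { $reasons += 'target missing on disk' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Command = $command
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the HKLM hives are readable; on a clean host it prints nothing. Any hit is a lead for the registry_event rule listed under Detections, not a verdict: confirm by checking the target binary's signature and creation time before acting.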
Response
If this activity is detected, isolate affected systems immediately to cut off further exfiltration over the command-and-control channel. Perform memory forensics to recover the BurrowShell shellcode, which exists on disk only as an RC4-encrypted blob, and to determine the extent of compromise. Reset credentials for any accounts that may have been exposed through the keylogger or OAuth interception, with particular attention to Google accounts; because a password reset does not invalidate OAuth tokens already issued, also revoke active sessions and third-party application grants for those accounts.
Attack Flow

```mermaid
graph TB
    %% Class Definitions Section
    classDef initial_access fill:#f96,stroke:#333,stroke-width:2px
    classDef execution fill:#3498db,stroke:#333,stroke-width:2px
    classDef persistence fill:#2ecc71,stroke:#333,stroke-width:2px
    classDef evasion fill:#e74c3c,stroke:#333,stroke-width:2px
    classDef credential_access fill:#9b59b6,stroke:#333,stroke-width:2px
    classDef discovery fill:#f1c40f,stroke:#333,stroke-width:2px
    classDef collection fill:#1abc9c,stroke:#333,stroke-width:2px
    classDef command_control fill:#34495e,stroke:#333,stroke-width:2px
    classDef exfiltration fill:#d35400,stroke:#333,stroke-width:2px

    %% Initial Access Nodes
    ia_spearphish_attach["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Malicious Microsoft Excel spreadsheets<br/>containing VBA macros."]
    class ia_spearphish_attach initial_access
    ia_spearphish_link["<b>Action</b> – <b>T1566.002 Phishing: Spearphishing Link</b><br/>Deceptive webmail portals or<br/>blurred PDF lures."]
    class ia_spearphish_link initial_access

    %% Execution Nodes
    ex_vba_interpreter["<b>Action</b> – <b>T1059.005 Command and Scripting Interpreter: Visual Basic</b><br/>Macros execute to download and run<br/>malicious files like audiodg.exe and sppc.dll."]
    class ex_vba_interpreter execution

    %% Persistence Nodes
    pe_registry_run["<b>Action</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</b><br/>Registry entry created disguised<br/>as OneDrive."]
    class pe_registry_run persistence

    %% Defense Evasion Nodes
    ev_api_hashing["<b>Action</b> – <b>T1027.007 Obfuscated Files or Information: Dynamic API Resolution</b><br/>BurrowShell backdoor resolves<br/>Windows APIs via hashing."]
    class ev_api_hashing evasion
    ev_rc4_encryption["<b>Action</b> – <b>T1027.013 Obfuscated Files or Information: Encrypted/Encoded File</b><br/>Shellcode hidden as an<br/>RC4-encrypted blob."]
    class ev_rc4_encryption evasion
    ev_masquerading["<b>Action</b> – <b>T1036.005 Masquerading: Match Legitimate Name or Location</b><br/>Files renamed to system32.dll<br/>or mscorsvc.dll."]
    class ev_masquerading evasion
    ev_dll_hijack["<b>Action</b> – <b>T1574.001 Hijack Execution Flow: DLL Search Order Hijacking</b><br/>Hijacking execution flow via<br/>legitimate binaries like NGenTask.exe."]
    class ev_dll_hijack evasion

    %% Credential Access Nodes
    ca_keylogger["<b>Action</b> – <b>T1056.001 Input Capture: Keylogging</b><br/>Rust-based keylogger captures<br/>keystrokes and Google OAuth tokens."]
    class ca_keylogger credential_access

    %% Discovery Nodes
    di_sys_info["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>BurrowShell collects system details<br/>including computer name and username."]
    class di_sys_info discovery

    %% Collection Nodes
    co_archive_data["<b>Action</b> – <b>T1560 Archive Collected Data</b><br/>Python-based web drivers iterate<br/>through and download email attachments."]
    class co_archive_data collection

    %% Command and Control Nodes
    cc_web_protocols["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>HTTPS communication with<br/>Cloudflare Workers-hosted C2."]
    class cc_web_protocols command_control

    %% Exfiltration Nodes
    ex_c2_channel["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Sending captured data, files,<br/>and screen captures back to attackers."]
    class ex_c2_channel exfiltration

    %% Attack Flow Connections
    %% Initial Access to Execution
    ia_spearphish_attach -->|leads_to| ex_vba_interpreter
    ia_spearphish_link -->|leads_to| ex_vba_interpreter
    %% Execution to Persistence
    ex_vba_interpreter -->|establishes| pe_registry_run
    %% Execution to Evasion
    ex_vba_interpreter -->|utilizes| ev_api_hashing
    ex_vba_interpreter -->|utilizes| ev_rc4_encryption
    ex_vba_interpreter -->|utilizes| ev_masquerading
    ex_vba_interpreter -->|utilizes| ev_dll_hijack
    %% Evasion/Execution to Credential Access
    ex_vba_interpreter -->|deploys| ca_keylogger
    %% Credential Access to Discovery
    ca_keylogger -->|triggers| di_sys_info
    %% Discovery to Collection
    di_sys_info -->|precedes| co_archive_data
    %% Collection to C2
    co_archive_data -->|communicates_via| cc_web_protocols
    %% C2 to Exfiltration
    cc_web_protocols -->|facilitates| ex_c2_channel
```
Detections
- Possible Cloudflare Development Domain Abuse (via dns)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Possible Malicious File Double Extension (via process_creation)
- SloppyLemming C2 Communication Monitoring via BurrowShell [Windows Network Connection]
- Detection of Malicious Activity by SloppyLemming Group [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: An adversary seeks to maintain persistence and execute code stealthily. They launch audiodg.exe with mscorsvc.dll on its command line, reproducing the legitimate-binary and planted-DLL pairing associated with SloppyLemming's DLL search-order hijacking. To further complicate detection, they may also attempt to mask their presence by naming a secondary malicious file OneDrive.exe in the command string. The goal is to trigger the detection rule by matching the specific combination of audiodg.exe and the suspicious DLL or masqueraded name. Note that the simulation reproduces only the process-creation telemetry (image name, parent process and command line) the rule keys on; audiodg.exe ignores the arguments and exits, and no DLL is actually loaded.
Regression Test Script:

```powershell
# Simulation Script: SloppyLemming TTP Emulation
# Both scenarios only reproduce the process-creation telemetry (image name, parent,
# command line) the rule keys on; audiodg.exe ignores the arguments and exits.
# -PassThru keeps a handle to each launched cmd.exe so cleanup can target them by PID.
$simulated = @()

# Scenario 1: audiodg.exe launched with mscorsvc.dll on its command line
Write-Host "[+] Simulating audiodg.exe hijacking with mscorsvc.dll..."
$simulated += Start-Process "cmd.exe" -ArgumentList "/c audiodg.exe mscorsvc.dll" -WindowStyle Hidden -PassThru

# Scenario 2: Masquerading via OneDrive.exe in command line
Write-Host "[+] Simulating audiodg.exe execution with OneDrive.exe masquerading..."
$simulated += Start-Process "cmd.exe" -ArgumentList "/c audiodg.exe --path C:\Users\Public\OneDrive.exe" -WindowStyle Hidden -PassThru
```

Cleanup Commands:

```powershell
# Cleanup: cmd /c exits on its own and creates no persistent artifacts.
# Stop only the cmd.exe instances this simulation started (by PID) rather than
# every cmd.exe on the host; Stop-Process errors on already-exited PIDs are ignored.
foreach ($p in $simulated) {
    Stop-Process -Id $p.Id -ErrorAction SilentlyContinue
}
```
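To check that the telemetry produced by the simulation is what the rules expect, here is the matching logic for the two process-level indicators this page names, as an added example that is not the vendor's rule text: audiodg.exe carrying a DLL name or an OneDrive.exe path on its command line, and NGenTask.exe loading a DLL from outside the Windows and .NET directories. Field names follow Sysmon Event ID 1 (process create) and Event ID 7 (image load); the sample records are constructed for the demo, and the trusted DLL directories are an assumption.

```powershell
# Added example (not the vendor's rule): the two process-level SloppyLemming indicators
# described on this page, as functions over Sysmon-style fields, run against constructed
# sample events. Assumed: trusted DLL directories below; sample records are made up.

$SuspiciousAudiodgArgs = @('mscorsvc.dll', 'onedrive.exe')
# Directories from which NGenTask.exe is expected to load DLLs (assumed defaults).
$TrustedDllDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\", "$env:SystemRoot\Microsoft.NET\")

function Test-AudiodgCommandLine {
    param([Parameter(Mandatory)] $Event)   # needs Image, ParentImage, CommandLine
    # audiodg.exe is normally started by svchost.exe with a numeric argument; a DLL
    # name or an OneDrive.exe path on its command line matches the process_creation rule.
    if ([IO.Path]::GetFileName($Event.Image) -ne 'audiodg.exe') { return $null }
    foreach ($arg in $SuspiciousAudiodgArgs) {
        if ($Event.CommandLine -match [regex]::Escape($arg)) {
            return [pscustomobject]@{
                Rule   = 'audiodg.exe suspicious command line'
                Parent = $Event.ParentImage
                Detail = $Event.CommandLine
            }
        }
    }
    return $null
}

function Test-NGenTaskImageLoad {
    param([Parameter(Mandatory)] $Event)   # needs Image, ImageLoaded
    # DLL search-order hijack: NGenTask.exe pulling a DLL from outside Windows/.NET directories.
    if ([IO.Path]::GetFileName($Event.Image) -ne 'NGenTask.exe') { return $null }
    foreach ($dir in $TrustedDllDirs) {
        if ($Event.ImageLoaded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $null }
    }
    return [pscustomobject]@{
        Rule   = 'NGenTask.exe loaded DLL from untrusted path'
        Parent = $Event.Image
        Detail = $Event.ImageLoaded
    }
}

# Constructed sample telemetry: one benign record of each type, three that should alert.
$ProcessEvents = @(
    [pscustomobject]@{ Image="$env:SystemRoot\System32\audiodg.exe"; ParentImage="$env:SystemRoot\System32\svchost.exe"; CommandLine='C:\Windows\system32\AUDIODG.EXE 0x2e8' },
    [pscustomobject]@{ Image="$env:SystemRoot\System32\audiodg.exe"; ParentImage="$env:SystemRoot\System32\cmd.exe";     CommandLine='audiodg.exe mscorsvc.dll' },
    [pscustomobject]@{ Image="$env:SystemRoot\System32\audiodg.exe"; ParentImage="$env:SystemRoot\System32\cmd.exe";     CommandLine='audiodg.exe --path C:\Users\Public\OneDrive.exe' }
)
$ImageLoadEvents = @(
    [pscustomobject]@{ Image="$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"; ImageLoaded="$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll" },
    [pscustomobject]@{ Image="$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"; ImageLoaded='C:\Users\Public\Libraries\mscorsvc.dll' }
)

$alerts = @()
$alerts += $ProcessEvents   | ForEach-Object { Test-AudiodgCommandLine $_ }
$alerts += $ImageLoadEvents | ForEach-Object { Test-NGenTaskImageLoad $_ }
$alerts | Where-Object { $_ } | Format-Table -AutoSize -Wrap
```

Against the constructed records this prints three rows: the two cmd.exe-spawned audiodg.exe events from the simulation above and the NGenTask.exe load from C:\Users\Public\Libraries. To run it on real telemetry, map Sysmon Event ID 1 and 7 records from Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' onto the same field names; Security event 4688 carries a command line only when the "Include command line in process creation events" policy is enabled, and it has no image-load equivalent.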