Cloudforce One discovered a not-so-slick operation by the hacker group SloppyLemming, which appears to be operating with more enthusiasm than skill.
These cybercriminals are hacking their way into South and East Asia with the ease of a bull in a china shop.
They've targeted critical sectors—government, energy, and telecommunications in countries such as Pakistan, Sri Lanka, Bangladesh, and China, using basic tools like Cobalt Strike and some assistance from popular cloud services.
Between late 2022 and now, SloppyLemming has thrown its digital weight around, primarily targeting Pakistan's government and law enforcement agencies.
Cloudforce One had a front-row seat to the group's espionage activities due to their lack of operational security (OPSEC), which was similar to watching a poorly executed magic trick with all the wires and mirrors exposed.
Cloudforce One person discovered that SloppyLemming's favorite trick is credential harvesting, and their phishing emails are as predictable as they come.
Their go-to email? A bogus IT department message threatens to suspend accounts unless users immediately update their credentials.
When an unsuspecting user falls for it, they're redirected to a fake portal where SloppyLemming collects login information.
In a particularly clumsy move, SloppyLemming employs a custom tool called “CloudPhish” to trick Cloudflare Workers into logging credentials and sending them directly to the group's Discord channel.
Yes, they use Discord, demonstrating yet again that they may not be the most professional around.
These amateurs also experiment with malware delivery, as evidenced by a recent July 2024 example in which they distributed a malware-laden RAR file named after a popular scanner app.
It's as if they're aiming for obvious phishing attempt of the year.
Despite targeting critical infrastructure such as police departments and nuclear facilities, SloppyLemming is unable to cover their tracks, allowing Cloudforce One to easily expose their malware operations.
Even as they broaden their efforts, hinting at potential government targeting in Australia, their reliance on cloud services such as Cloudflare, Dropbox, and Discord makes their actions easier to track.