Ethical Hacking News

ShadowSilk: A Complex Cyber Threat Actor Targeting Government Entities Across Central Asia and APAC




A threat actor tracked as ShadowSilk has been identified targeting government entities across Central Asia and the Asia-Pacific region (APAC). The group combines spear-phishing emails, custom loaders hidden behind Telegram bots, and Windows Registry modifications for persistence. With nearly three dozen victims identified, it poses a significant risk to government sectors in the region.



  • ShadowSilk is a threat actor targeting government entities across Central Asia and APAC, with nearly three dozen victims identified.
  • The group is assessed to have grown out of the activity cluster previously tracked as YoroTrooper, SturgeonPhisher, and Silent Lynx, and is run by Russian-speaking developers working alongside Chinese-speaking operators.
  • Initial access and persistence rely on spear-phishing emails, custom loaders hidden behind Telegram bots, and Windows Registry modifications.
  • The group's arsenal includes public exploits for Drupal and the WP-Automatic WordPress plugin, alongside a broad set of reconnaissance and penetration-testing tools.
  • ShadowSilk manages infected devices through JRAT and Morf Project web panels and deploys web shells such as ANTSWORD and FinalShell.
  • Cobalt Strike and Metasploit modules capture screenshots and webcam images, while a custom PowerShell script collects files by extension into a ZIP archive and sends it to an external server.
  • Earlier reporting had assessed YoroTrooper as likely composed of individuals from Kazakhstan; the mix of Russian- and Chinese-speaking participants leaves ShadowSilk's present make-up less clear, but the group remains highly active, with new victims identified as recently as July.



    A threat actor tracked as ShadowSilk has been identified targeting government entities across Central Asia and the Asia-Pacific region (APAC). The group is assessed to have grown out of the activity cluster previously tracked as YoroTrooper, SturgeonPhisher, and Silent Lynx. Its primary goal appears to be data exfiltration; nearly three dozen victims have been identified in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan.

    According to Group-IB researchers, the operation is run by a bilingual crew: Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators leading the intrusions. The result is a nimble, multi-regional threat profile, although the depth and nature of the cooperation between the two sub-groups remain uncertain.

    ShadowSilk gains access and persists through spear-phishing emails, custom loaders hidden behind Telegram bots, and modifications to the Windows Registry. Its arsenal also includes public exploits for Drupal and the WP-Automatic WordPress plugin, together with reconnaissance and penetration-testing tools such as FOFA, Fscan, Gobuster, Dirsearch, Metasploit, and Cobalt Strike.
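    One way to hunt for the kind of Registry persistence mentioned above, added here as an example and not code from the article, from Group-IB, or from any ShadowSilk tooling: the script below parses the text that `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` writes and flags autostart values that reference staging directories, launch a script host with hidden or encoded flags, hand a script host a file with a non-script extension, or carry a system process name while living outside the Windows directory. The article does not say which keys or values ShadowSilk modifies, so the Run key, the constructed sample export, and the trait list are the author's assumptions.

```python
"""Hunt autostart values in a `reg export` of the HKCU Run key.

Added example, not ShadowSilk tooling or Group-IB code. The .reg text below
is constructed for the example; the traits it scores are assumptions.
"""
import ntpath
import re
import sys

# Constructed sample in the layout `reg export` writes (a real file is UTF-16).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Notes"="wscript.exe //e:jscript \"C:\\Users\\Public\\notes.txt\""
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')  # REG_SZ lines only
SCRIPT_HOSTS = {"powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "cmd"}
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "services", "smss", "explorer"}
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
HIDDEN_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                "-nop", "-noprofile", "-ep bypass", "-executionpolicy bypass")
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def tokenize(command):
    """Split a command line on whitespace while keeping quoted paths intact."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', command)]


def assess_entry(name, command):
    """Return the suspicious traits an autostart value exhibits (empty list = nothing flagged)."""
    traits = []
    lowered = " ".join(command.lower().split())
    tokens = tokenize(command)
    exe_path = tokens[0] if tokens else ""
    stem = ntpath.splitext(ntpath.basename(exe_path))[0].lower()
    if any(d in lowered for d in STAGING_DIRS):
        traits.append("references a staging directory (Temp/Public)")
    if stem in SCRIPT_HOSTS:
        traits.append(f"autostarts a script host or LOLBin ({stem})")
    if stem in {"powershell", "pwsh"} and any(f in lowered for f in HIDDEN_FLAGS):
        traits.append("hidden or encoded PowerShell invocation")
    if stem in {"wscript", "cscript", "mshta"}:
        for arg in tokens[1:]:
            if "\\" in arg and ntpath.splitext(arg)[1].lower() not in SCRIPT_EXTS:
                traits.append(f"script host given a non-script file ({ntpath.basename(arg)})")
                break
    if (name.lower() in SYSTEM_NAMES or stem in SYSTEM_NAMES) and "\\windows\\" not in exe_path.lower():
        traits.append("system process name outside the Windows directory")
    return traits


def hunt(reg_text):
    """Return (key, value_name, command, traits) for every entry with at least one trait."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        for name, command in values.items():
            traits = assess_entry(name, command)
            if traits:
                findings.append((key, name, command, traits))
    return findings


if __name__ == "__main__":
    # Pass the path of a real export (reg export writes UTF-16) or run on the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, command, traits in hunt(text):
        print(f"[{key}] {name!r} -> {command}")
        for t in traits:
            print(f"    - {t}")
```

    On the sample the OneDrive entry passes clean while the other three are flagged; on a real export, treat a single trait as a lead to check against the binary's signature and first-seen time rather than as a verdict, and extend the key list to RunOnce, the HKLM equivalents, and Winlogon shell values when you hunt in earnest.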

    ShadowSilk also uses JRAT and Morf Project web panels, acquired from darknet forums, to manage infected devices, and compromises legitimate websites to host its malicious payloads. Its toolset further includes web shells such as ANTSWORD, Behinder, Godzilla, and FinalShell, C#-based ("Sharp") post-exploitation tools, and tunneling utilities such as Resocks and Chisel.

    Once inside a network, ShadowSilk deploys a Python-based remote access trojan (RAT) that receives commands from, and exfiltrates data to, a Telegram bot, so that its traffic blends in with legitimate messenger activity. Cobalt Strike and Metasploit modules capture screenshots and webcam images, while a custom PowerShell script searches for files matching a predefined list of extensions, copies them into a ZIP archive, and sends the archive to an external server.
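    The Telegram channel is the detectable seam in that chain. Official Telegram clients speak MTProto to Telegram's data centres, whereas a bot uses the HTTPS Bot API at api.telegram.org/bot<token>/<method>, so a workstation that keeps polling getUpdates and pushes sendDocument uploads matches the RAT-to-bot pattern rather than a user chatting. The script below is an added example, not code from the article or from Group-IB: it runs that logic over constructed proxy-log lines in an assumed layout (timestamp, client IP, HTTP method, URL, bytes sent, user agent). The poll and upload thresholds are assumptions to tune per environment.

```python
"""Flag endpoints talking to the Telegram Bot API in proxy logs.

Added example, not code from the article or from Group-IB. Official Telegram
clients speak MTProto to Telegram data centres; the HTTPS Bot API at
api.telegram.org/bot<token>/<method> is used by bots and scripts, so a workstation
polling getUpdates and pushing sendDocument uploads fits the RAT-to-bot pattern.
The log lines and their layout are constructed for the example.
"""
import re

# Constructed proxy log: timestamp client_ip http_method url bytes_sent user_agent (assumed layout).
SAMPLE_PROXY_LOG = """
2025-08-20T09:00:01Z 10.20.30.41 GET https://api.telegram.org/bot123456789:AAFakeTokenForExample_0123456789abcd/getUpdates?offset=17&timeout=30 312 python-requests/2.32.3
2025-08-20T09:00:10Z 10.20.30.77 GET https://www.example.gov/ 1032 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-08-20T09:00:32Z 10.20.30.41 GET https://api.telegram.org/bot123456789:AAFakeTokenForExample_0123456789abcd/getUpdates?offset=17&timeout=30 312 python-requests/2.32.3
2025-08-20T09:01:03Z 10.20.30.41 GET https://api.telegram.org/bot123456789:AAFakeTokenForExample_0123456789abcd/getUpdates?offset=18&timeout=30 312 python-requests/2.32.3
2025-08-20T09:01:34Z 10.20.30.41 POST https://api.telegram.org/bot123456789:AAFakeTokenForExample_0123456789abcd/sendDocument 2894112 python-requests/2.32.3
2025-08-20T09:02:05Z 10.20.30.41 GET https://api.telegram.org/bot123456789:AAFakeTokenForExample_0123456789abcd/getUpdates?offset=19&timeout=30 312 python-requests/2.32.3
2025-08-20T09:03:00Z 10.20.30.88 POST https://api.telegram.org/bot987654321:AAEAnotherFakeToken_abcdefghijklmnopqrs/sendMessage 220 curl/8.5.0
""".strip().splitlines()

BOT_CALL_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{30,})/([A-Za-z]+)")
COMMAND_METHODS = {"getUpdates"}                                          # implant pulls operator commands
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}   # implant uploads files


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit the layout."""
    parts = line.split(None, 5)
    if len(parts) < 5:
        return None
    ts, client, method, url, size = parts[:5]
    try:
        size = int(size)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "method": method, "url": url,
            "bytes": size, "ua": parts[5] if len(parts) == 6 else ""}


def redact(token):
    """Keep the numeric bot id and a 4-char prefix of the secret; the full token is a live credential."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}***"


def analyse(lines, poll_threshold=3, upload_threshold=1_000_000):
    """Summarise Bot API use per client IP and grade it; returns {client_ip: summary}."""
    per_host = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_CALL_RE.match(rec["url"])
        if m is None:
            continue
        token, api_method = m.groups()
        h = per_host.setdefault(rec["client"], {
            "tokens": set(), "methods": set(), "agents": set(),
            "polls": 0, "uploads": 0, "upload_bytes": 0})
        h["tokens"].add(redact(token))
        h["methods"].add(api_method)
        h["agents"].add(rec["ua"].split("/")[0] if rec["ua"] else "-")
        if api_method in COMMAND_METHODS:
            h["polls"] += 1
        if api_method in EXFIL_METHODS:
            h["uploads"] += 1
            h["upload_bytes"] += rec["bytes"]
    for h in per_host.values():
        reasons = ["Bot API reached from an endpoint (messenger clients use MTProto, not api.telegram.org/bot<token>)"]
        if h["polls"] >= poll_threshold:
            reasons.append(f"{h['polls']} getUpdates polls: looks like a command channel")
        if h["uploads"] and h["upload_bytes"] >= upload_threshold:
            reasons.append(f"{h['upload_bytes']} bytes uploaded via {sorted(h['methods'] & EXFIL_METHODS)}")
        h["reasons"] = reasons
        h["severity"] = "high" if len(reasons) > 1 else "medium"
    return per_host


if __name__ == "__main__":
    for client, h in sorted(analyse(SAMPLE_PROXY_LOG).items()):
        print(f"{client}: {h['severity'].upper()} token(s)={sorted(h['tokens'])} agents={sorted(h['agents'])}")
        for r in h["reasons"]:
            print(f"    - {r}")
```

    The bot token captured from the URL is the operator's credential for that bot, which is why the script redacts it in its output; keep the full value in the case file as evidence and handle it under your evidence rules rather than pasting it into tickets. If the proxy only logs the host and not the path, the same rule still holds at lower fidelity: api.telegram.org from a non-messenger process or user agent such as python-requests is the thing to alert on.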

    Earlier reporting had assessed YoroTrooper as likely composed of individuals from Kazakhstan; the mix of Russian- and Chinese-speaking participants leaves ShadowSilk's present make-up less clear. What is clear is that the group remains highly active, with new victims identified as recently as July.

    For defenders in the affected sectors the practical takeaways follow from the tradecraft described: keep internet-facing Drupal and WordPress installations (including the WP-Automatic plugin) patched, since public exploits for them are part of the group's arsenal; watch for unexpected Windows Registry changes of the kind used for persistence; and monitor egress for Bot API traffic to Telegram and for large outbound archives, since both the RAT's command channel and the PowerShell collector's ZIP uploads leave that trail. ShadowSilk's evolution out of earlier clusters shows how adaptable such groups are, and why threat intelligence has to follow them across renamed and merged clusters.




    Related Information:
  • https://thehackernews.com/2025/08/shadowsilk-hits-36-government-targets.html

  • https://www.newsminimalist.com/articles/shadowsilk-hit-36-government-targets-using-telegram-7a20ab91

  • https://techhorizonvn.com/apac-cybersecurity-intelligence-report-january-2025.html

  • https://www.cyberstash.com/silent-lynx-an-emerging-apt-group/

  • https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/


  • Published: Wed Aug 27 12:26:32 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.