ShadowSilk Hits 36 Government Targets in Central Asia and APAC Using Telegram Bots

By The Hacker News
August 27, 2025


A threat activity cluster known as ShadowSilk has been attributed to a fresh set of attacks targeting government entities within Central Asia and Asia-Pacific (APAC).

According to Group-IB, nearly three dozen victims have been identified, with the intrusions mainly geared towards data exfiltration. The hacking group shares toolset and infrastructural overlaps with campaigns undertaken by threat actors dubbed YoroTrooper, SturgeonPhisher, and Silent Lynx.

Victims of the group’s campaigns span Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, a majority of which are government organizations, and to a lesser extent, entities in the energy, manufacturing, retail, and transportation sectors.

“The operation is run by a bilingual crew – Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators spearheading intrusions, resulting in a nimble, multi-regional threat profile,” researchers Nikita Rostovcev and Sergei Turner said. “The exact depth and nature of cooperation of these two sub-groups remains still uncertain.”


YoroTrooper was first publicly documented by Cisco Talos in March 2023, detailing its attacks targeting government, energy, and international organizations across Europe since at least June 2022. The group is believed to be active as far back as 2021, per ESET.

A subsequent analysis later that year revealed that the hacking group likely consists of individuals from Kazakhstan based on their fluency in Kazakh and Russian, as well as what appeared to be deliberate efforts to avoid targeting entities in the country.

Then earlier this January, Seqrite Labs uncovered cyber attacks orchestrated by an adversary dubbed Silent Lynx that singled out various organizations in Kyrgyzstan and Turkmenistan. It also characterized the threat actor as having overlaps with YoroTrooper.

ShadowSilk represents the latest evolution of the threat actor. It uses spear-phishing emails as the initial access vector to deliver password-protected archives, which in turn drop a custom loader that hides command-and-control (C2) traffic behind Telegram bots to evade detection and deliver additional payloads. Persistence is achieved by modifying the Windows Registry so that the payloads run automatically after a system reboot.

The threat actor also employs public exploits for Drupal (CVE-2018-7600 and CVE-2018-7602) and the WP-Automatic WordPress plugin (CVE-2024-27956), alongside a diverse toolkit of reconnaissance and penetration-testing tools such as FOFA, Fscan, Gobuster, Dirsearch, Metasploit, and Cobalt Strike.

Furthermore, ShadowSilk has incorporated into its arsenal JRAT and Morf Project web panels acquired from darknet forums for managing infected devices, and a bespoke tool for stealing Chrome password storage files and the associated decryption key. Another notable aspect is its compromise of legitimate websites to host malicious payloads.

“Once inside a network, ShadowSilk deploys web shells [like ANTSWORD, Behinder, Godzilla, and FinalShell], Sharp-based post-exploitation tools, and tunneling utilities such as Resocks and Chisel to move laterally, escalate privileges and siphon data,” the researchers said.


The attacks have been observed paving the way for a Python-based remote access trojan (RAT) that can receive commands and exfiltrate data to a Telegram bot, thereby allowing the malicious traffic to be disguised as legitimate messenger activity. Cobalt Strike and Metasploit modules are used to grab screenshots and webcam pictures, while a custom PowerShell script scans for files matching a predefined list of extensions and copies them into a ZIP archive, which is then transmitted to an external server.
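The Telegram-bot C2 described above blends in only as long as defenders look at the destination domain alone. The following is an added detection example written for this article (not Group-IB's or the actor's code): it parses constructed egress proxy lines and flags a process that both polls the Bot API for commands and uploads documents, the two calls a bot-driven implant cannot avoid. The log format, host names, process names and bot token are all constructed.

```python
"""Flag Telegram Bot API use in egress proxy logs.

Added example for this article, not Group-IB's or the threat actor's code. The
log format, hosts, process names and bot token below are constructed.
"""
import re
from collections import defaultdict

# Bot API URL shape: https://api.telegram.org/bot<token>/<method>
BOT_API = re.compile(r"https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(\w+)")

# Methods a bot-driven implant needs to poll for commands and ship results/files.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "getFile"}

# Constructed proxy log lines: host|process|verb|url
SAMPLE_LOG = """\
ws-017|Telegram.exe|GET|https://web.telegram.org/k/
ws-042|python.exe|GET|https://api.telegram.org/bot123456789:AAConstructedTokenValue/getUpdates?offset=1
ws-042|python.exe|POST|https://api.telegram.org/bot123456789:AAConstructedTokenValue/sendDocument
ws-042|python.exe|POST|https://api.telegram.org/bot123456789:AAConstructedTokenValue/sendDocument
ws-090|chrome.exe|GET|https://core.telegram.org/bots/api
"""

def find_bot_api_use(log_text):
    """Return {(host, process): {method: count}} for Bot API calls.

    The desktop client and a browser reading the docs never hit the
    bot<token>/ path, so only the scripting host on ws-042 is returned.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, proc, _verb, url = line.split("|", 3)
        m = BOT_API.search(url)
        if m and m.group(1) in C2_METHODS:
            hits[(host, proc)][m.group(1)] += 1
    return {k: dict(v) for k, v in hits.items()}

def alerts(log_text):
    """Alert when one process both polls for commands and uploads documents."""
    out = []
    for (host, proc), methods in find_bot_api_use(log_text).items():
        if "getUpdates" in methods and "sendDocument" in methods:
            out.append(f"{host}: {proc} polls the Bot API and sent {methods['sendDocument']} document(s)")
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

In a real deployment the process field would come from an EDR or proxy with client attribution; the point is that the bot token path and the getUpdates/sendDocument pairing, not the Telegram domain, are what separate an implant from ordinary messenger use.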

The Singaporean company has assessed that the operators of the YoroTrooper group are fluent in Russian, and are likely engaged in malware development and facilitating initial access.

However, a series of screenshots capturing one of the attackers’ workstations — featuring images of the active keyboard layout, automatic translation of Kyrgyzstan government websites into Chinese, and a Chinese language vulnerability scanner — indicates the involvement of a Chinese-speaking operator, it added.

“Recent behavior indicates that the group remains highly active, with new victims identified as recently as July,” Group-IB said. “ShadowSilk continues to focus on the government sector in Central Asia and the broader APAC region, underscoring the importance of monitoring its infrastructure to prevent long-term compromise and data exfiltration.”
