A new threat activity cluster dubbed ShadowSilk has been tied to a string of cyber-espionage attacks against government organizations in Central Asia and the Asia-Pacific (APAC) region. According to Group-IB, the group has compromised nearly three dozen victims, primarily in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan. While government networks are the main targets, energy, manufacturing, retail, and transportation sectors have also been affected.
ShadowSilk appears to be a continuation or evolution of earlier campaigns linked to groups known as YoroTrooper, SturgeonPhisher, and Silent Lynx. Researchers noted that the operation is run by a bilingual crew—Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators handling intrusions—creating a hybrid threat profile that complicates attribution and highlights regional cooperation.

ShadowSilk’s campaign map. Source: group-ib.com.
The group’s attack chain begins with spear-phishing emails delivering password-protected archives. These drop a custom loader that conceals command-and-control (C2) traffic behind Telegram bots to bypass detection while installing further payloads. Persistence is maintained by modifying Windows Registry keys. ShadowSilk also exploits known vulnerabilities, including flaws in Drupal (CVE-2018-7600, CVE-2018-7602) and the WP-Automatic WordPress plugin (CVE-2024-27956), to expand its foothold.
Once inside a network, the attackers deploy web shells like ANTSWORD, Behinder, Godzilla, and FinalShell, along with post-exploitation tools such as Cobalt Strike, Metasploit, Gobuster, and Fscan. They use tunneling utilities like Resocks and Chisel for lateral movement and stealthy data transfers. ShadowSilk also relies on stolen or darknet-sourced tools, including JRAT, Morf Project web panels, and a bespoke Chrome credential-stealer. Infected devices are used for reconnaissance, privilege escalation, and large-scale data exfiltration.
The group’s tactics extend to disguising malicious traffic as legitimate communications by channeling exfiltrated data through Telegram bots. This includes screenshots, webcam captures, and bulk file theft via custom PowerShell scripts. Compromised legitimate websites have also been used to host malware, adding another layer of legitimacy to their delivery infrastructure.
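Two of the behaviours described above, Telegram-bot C2/exfiltration and Run-key persistence, are straightforward to hunt for in endpoint telemetry. The following is an added detection example, not code from Group-IB or from the threat actor; it runs over constructed Sysmon-style events (EventID 3 network connections, EventID 13 registry value sets), and the process allow-list, sample paths and key names are assumptions for illustration.

```python
# Hypothetical allow-list: processes that may legitimately reach Telegram in your estate.
TELEGRAM_ALLOWED_IMAGES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Registry autostart locations to watch (lower-cased substrings of the target path).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def flag_telegram_c2(events):
    """EventID 3 connections to *.telegram.org from a non-allow-listed process:
    candidate bot-based C2 or data exfiltration."""
    return [
        (e["Image"], e["DestinationHostname"])
        for e in events
        if e.get("EventID") == 3
        and e.get("DestinationHostname", "").lower().endswith("telegram.org")
        and _basename(e.get("Image", "")) not in TELEGRAM_ALLOWED_IMAGES
    ]

def flag_run_key_persistence(events):
    """EventID 13 registry writes that land under a Run/RunOnce autostart key."""
    return [
        (e["Image"], e["TargetObject"], e.get("Details", ""))
        for e in events
        if e.get("EventID") == 13
        and any(m in e.get("TargetObject", "").lower() for m in RUN_KEY_MARKERS)
    ]

def correlate(events):
    """Processes seen doing both: the strongest signal for a loader of this kind."""
    c2_images = {img for img, _ in flag_telegram_c2(events)}
    return sorted({img for img, _, _ in flag_run_key_persistence(events) if img in c2_images})

# Constructed sample telemetry; these are not real ShadowSilk indicators.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wupdate.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wupdate.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WUpdate",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\wupdate.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for finding in flag_telegram_c2(SAMPLE_EVENTS) + flag_run_key_persistence(SAMPLE_EVENTS):
        print("ALERT", finding)
    print("correlated:", correlate(SAMPLE_EVENTS))
```

The browser connection is suppressed by the allow-list while the Temp-directory binary is flagged on both counts; in production, feed real Sysmon or EDR events and tune the allow-list rather than the key markers.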
Attribution analysis suggests that YoroTrooper operators, fluent in Russian, are responsible for malware development and initial access, while evidence such as Chinese-language tools, vulnerability scanners, and website translations indicates Chinese-speaking operators running intrusions. This dual-language operational model underscores a complex threat actor leveraging cross-regional expertise.
Group-IB’s findings confirm that ShadowSilk remains highly active, with victims identified as recently as July. Its focus on government entities and ability to evolve tactics underscores the importance of proactive monitoring, patch management, and defense-in-depth strategies across Central Asia and APAC. For organizations in these regions, continuous visibility into threat infrastructure and the adoption of advanced intrusion detection are critical to preventing long-term compromise and data loss.