{"id":8196,"date":"2025-11-05T10:03:28","date_gmt":"2025-11-05T10:03:28","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/05\/silent-lynx-apt-new-attack-targeting-governmental-employees-posing-as-officials\/"},"modified":"2025-11-05T10:03:28","modified_gmt":"2025-11-05T10:03:28","slug":"silent-lynx-apt-new-attack-targeting-governmental-employees-posing-as-officials","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/05\/silent-lynx-apt-new-attack-targeting-governmental-employees-posing-as-officials\/","title":{"rendered":"Silent Lynx APT New Attack Targeting Governmental Employees Posing as Officials"},"content":{"rendered":"<div>\n<p>Silent Lynx, a sophisticated threat group that has been tracked since 2024, continues its relentless espionage campaign against government entities across Central Asia.<\/p>\n<p>Seqrite analysts, the first to assign this name, distinguish the group from multiple overlapping aliases including YoroTrooper, Sturgeon Phisher, and ShadowSilk.<\/p>\n<p>The group has become notorious for orchestrating spear-phishing campaigns while impersonating government officials, specifically targeting governmental employees with malicious attachments designed to harvest sensitive information.<\/p>\n<p>The threat group primarily leverages fabricated summit-related communications to distribute its weaponized payload.<\/p>\n<p>Seqrite researchers noted that Silent Lynx demonstrates a pattern of hastily constructed <a href=\"https:\/\/cybersecuritynews.com\/incorporating-cybersec-credentials-into-marketing-campaigns\/\" target=\"_blank\" rel=\"noreferrer noopener\">campaigns<\/a> targeting diplomatic entities involved in high-level international meetings.<\/p>\n<p>The group\u2019s operations 
extend across multiple Central Asian nations including Tajikistan, Azerbaijan, Russia, and China, with a strategic focus on nations involved in cross-border infrastructure projects and diplomatic initiatives.<\/p>\n<p>Seqrite analysts <a href=\"https:\/\/www.seqrite.com\/blog\/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> two distinct campaigns in 2025, both employing similar attack methodologies but targeting different geopolitical relationships.<\/p>\n<p>The first campaign, discovered in October 2025, targeted diplomatic entities involved in Russia-Azerbaijan summit preparations, while the second focused on entities associated with China-Central Asian relations.<\/p>\n<p>The timing and thematic consistency of these campaigns reveal a coordinated espionage operation driven by geopolitical interests rather than financial gain.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-infection-mechanism-and-technical-arsenal\"><strong>Infection Mechanism and Technical Arsenal<\/strong><\/h2>\n<p>The infection chain begins with a deceptive RAR archive bearing benign-looking filenames like \u201c\u041f\u043b\u0430\u043d \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u0435 \u0441\u0442\u0440\u0430\u0442\u0435\u0433\u0438\u0447\u0435\u0441\u043a\u043e\u0433\u043e \u0441\u043e\u0442\u0440\u0443\u0434\u043d\u0438\u0447\u0435\u0441\u0442\u0432\u0430.pdf.rar\u201d (Plan for Development of Strategic Cooperation).<\/p>\n<p>When extracted, the archive reveals a malicious Windows shortcut file that abuses PowerShell.exe to download and execute obfuscated scripts from <a href=\"https:\/\/cybersecuritynews.com\/23000-github-repositories-targeted\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub repositories<\/a>.<\/p>\n<p>The LNK file contains working directory metadata pointing to C:\\Users\\GoBus\\OneDrive\\\u0420\u0430\u0431\u043e\u0447\u0438\u0439 \u0441\u0442\u043e\u043b, serving as a pivot point for tracking 
additional campaigns.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiGCWxCCk8joLBWVwZccFmNq9RAl0yDp0B4V2eL9hHAH7_EJqrFcqj2okz9YR5_KmOQmi6SixXQCnUbRv28qQAKjWtI_t5f1ZnV-UicsjHDmhiARwpLeAAqnZD_5uPdSQFdIncjj6y1iRPA69tv_IWl8QPDngXrEYa7YdO3Xum7wgFDoHOn7qcnUuQiAD8\/s16000\/Infection%2520Chain%2520%28Source%2520-%2520Seqrite%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Infection Chain (Source \u2013 Seqrite)<\/figcaption><\/figure>\n<\/div>\n<p>The downloaded PowerShell script contains Base64-encoded reverse shell code that connects to remote command-and-control servers on port 443.<\/p>\n<p>The decoded payload establishes a persistent TCP connection where it reads commands from operators, executes them via Invoke-Expression, and returns output across the same channel.<\/p>\n<p>Seqrite researchers identified three primary implants deployed in these campaigns: Silent Loader (a C++ based downloader), Laplas (a TCP and TLS-based reverse shell), and SilentSweeper (a .NET implant capable of extracting and executing embedded PowerShell scripts).<\/p>\n<p>The SilentSweeper implant accepts multiple arguments including -extract for writing embedded malicious <a href=\"https:\/\/cybersecuritynews.com\/new-yurei-ransomware-with-powershell-commands\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell<\/a> to disk and -debug for troubleshooting.<\/p>\n<p>It reads a file named qw.ps1 from its Resources section, executes the contents, and downloads additional reverse shell payloads.<\/p>\n<p>Beyond remote access, Seqrite analysts observed deployment of Ligolo-ng, an open-source tunneling tool, providing operators unrestricted command execution capabilities on compromised systems.<\/p>\n<p>The multi-stage infection mechanism demonstrates sophisticated operational security awareness despite numerous 
OPSEC blunders that facilitated attribution and tracking.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/silent-lynx-apt-new-attack\/\">Silent Lynx APT New Attack Targeting Governmental Employees Posing as Officials<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Silent Lynx APT New Attack Targeting Governmental Employees Posing as Officials Silent Lynx, a sophisticated threat group that has been tracked since 2024, continues its relentless espionage campaign against government entities across Central Asia. 
Seqrite analysts identified the group as the first to assign this nomenclature, distinguishing it from multiple overlapping aliases including YoroTrooper, Sturgeon [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-8196","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8196"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8196"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8196\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}