ShadowSilk, a threat activity cluster, has been attributed to a new wave of intrusions targeting government entities in Central Asia and the Asia-Pacific (APAC) region, according to researchers at Group-IB. The researchers have identified nearly three dozen victims, with data exfiltration as the primary objective.
Group-IB’s analysis shows that ShadowSilk overlaps with campaigns previously attributed to the threat actors tracked as YoroTrooper, SturgeonPhisher and Silent Lynx. Researchers describe the operation as run by a bilingual crew: Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators leading the intrusions. The exact depth of cooperation between these two sub-groups remains uncertain, Group-IB said.
“The operation is run by a bilingual crew – Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators spearheading intrusions, resulting in a nimble, multi-regional threat profile,” researchers Nikita Rostovcev and Sergei Turner of Group-IB said.
Victims span Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan and Turkmenistan. The majority are government organizations, with a smaller number in the energy, manufacturing, retail and transportation sectors. The sustained focus on public-sector networks in Central Asia and the broader APAC region is the defining feature of the cluster's targeting.
ShadowSilk's tooling and workflow build on those earlier campaigns. Initial access comes from spear-phishing emails carrying password-protected archives, which keep the payload opaque to mail-gateway scanning; the archive contains a custom loader whose command-and-control (C2) traffic is relayed through Telegram bots, so it blends into ordinary HTTPS traffic to Telegram's API rather than standing out as a connection to attacker-owned infrastructure. Persistence is achieved through an autostart entry in the Windows Registry so the implant relaunches after reboot. For reconnaissance and exploitation the group relies on off-the-shelf tooling, including the FOFA search engine and utilities such as Fscan, Gobuster, Dirsearch, Metasploit and Cobalt Strike.
The malware arsenal reportedly includes the JRAT and Morf Project web panels, bought on darknet forums for managing infected devices, and a bespoke tool that steals Chrome's password storage file together with the key needed to decrypt it. ShadowSilk also compromises legitimate websites to host malicious payloads, extending its distribution beyond the phishing lures themselves.
“Once inside a network, ShadowSilk deploys web shells [such as ANTSWORD, Behinder, Godzilla, and FinalShell], Sharp-based post-exploitation tools, and tunneling utilities such as Resocks and Chisel to move laterally, escalate privileges and siphon data,” the researchers noted.
Documents and illustrations associated with ShadowSilk also show a Python-based remote access trojan (RAT) that receives commands from, and exfiltrates data to, a Telegram bot, letting the operators disguise malicious traffic as ordinary messenger activity. The group uses Cobalt Strike and Metasploit modules to capture screenshots and webcam images, while a bespoke PowerShell script searches for files with a predefined list of extensions and archives them for transfer to external servers.
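As an added example, not code from Group-IB's report and not ShadowSilk's own tooling, the following Python hunt encodes the three behaviours described in this article (Telegram Bot API traffic from unexpected processes, Registry autostart persistence, and script-driven archive staging followed by a document upload) and runs them over constructed endpoint telemetry. The `key="value"` event format, the process allowlist and every sample line are assumptions made for illustration, not observed ShadowSilk indicators.

```python
import re
from collections import defaultdict

# Telegram Bot API requests have the form https://api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+:[\w-]+)/(\w+)")
# Classic Run/RunOnce autostart keys under HKLM or HKCU.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
ARCHIVE_EXT = (".zip", ".rar", ".7z")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe"}
# Assumption: processes in this estate that legitimately call the Bot API. Tune per environment.
BOT_API_ALLOWLIST = {"alerting-bot.exe"}

# Constructed telemetry (hypothetical hosts, paths and tokens; not real indicators).
SAMPLE_TELEMETRY = [
    'type="net" host="WS01" proc="chrome.exe" url="https://www.example.org/"',
    'type="reg" host="WS01" proc="loader.exe" key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" value="C:\\Users\\u\\AppData\\Roaming\\svc.exe"',
    'type="file" host="WS01" proc="powershell.exe" action="create" path="C:\\Users\\u\\AppData\\Local\\Temp\\docs.zip"',
    'type="net" host="WS01" proc="python.exe" url="https://api.telegram.org/bot123456789:AAEXAMPLETOKEN-xyz/sendDocument"',
    'type="net" host="WS02" proc="alerting-bot.exe" url="https://api.telegram.org/bot987654321:AAEXAMPLEALLOWED_abc/sendMessage"',
    'type="net" host="WS03" proc="svc.exe" url="https://api.telegram.org/bot555555:AAEXAMPLE/getUpdates"',
]


def parse_event(line):
    """Turn one key="value" telemetry line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def hunt(lines):
    """Return (rule, host, process, detail) findings for the behaviours described above."""
    findings = []
    staged = defaultdict(list)  # host -> archives written by scripting hosts so far
    for raw in lines:
        ev = parse_event(raw)
        host, proc = ev.get("host", "?"), ev.get("proc", "?").lower()
        if ev.get("type") == "net":
            m = TELEGRAM_BOT_API.search(ev.get("url", ""))
            if m and proc not in BOT_API_ALLOWLIST:
                token, method = m.groups()
                # Never copy the bot token into an alert: it is a live credential for the C2 channel.
                redacted = token.split(":")[0] + ":<redacted>"
                findings.append(("telegram_bot_c2", host, proc, f"{method} via bot {redacted}"))
                # Upload methods after a script staged an archive on the same host: likely exfiltration.
                if method in {"sendDocument", "sendPhoto"} and staged[host]:
                    findings.append(("archive_exfil_chain", host, proc,
                                     f"{method} after staging {', '.join(staged[host])}"))
        elif ev.get("type") == "reg":
            if RUN_KEY.search(ev.get("key", "")):
                findings.append(("run_key_persistence", host, proc,
                                 f'{ev["key"]} -> {ev.get("value", "")}'))
        elif ev.get("type") == "file":
            path = ev.get("path", "")
            if (ev.get("action") == "create" and path.lower().endswith(ARCHIVE_EXT)
                    and proc in SCRIPT_HOSTS):
                staged[host].append(path)
                findings.append(("script_archive_staging", host, proc, path))
    return findings


def summarize(findings):
    """Count findings per rule for a quick triage view."""
    counts = defaultdict(int)
    for rule, *_ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, host, proc, detail in hunt(SAMPLE_TELEMETRY):
        print(f"{rule:24} {host:6} {proc:16} {detail}")
    print(summarize(hunt(SAMPLE_TELEMETRY)))
```

Two practical caveats. The Bot API runs over HTTPS, so the `/bot<token>/<method>` path is only visible where TLS is terminated (a forward proxy or an EDR hooking the HTTP client); on raw network logs you will see no more than the `api.telegram.org` SNI, which still deserves an egress policy review on servers and government workstations that have no business automating Telegram. And Telegram Desktop talks MTProto to Telegram's own data centres rather than to the Bot API, so a Bot API call from an endpoint is rarely legitimate outside known automation, which is why the allowlist above is short.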
The overlaps extend to YoroTrooper, whose operators are reportedly fluent in Russian and have been linked to malware development and initial-access facilitation. A separate analysis cited by Group-IB also noted Chinese-speaking operators among ShadowSilk's ranks, pointing to an international leadership structure rather than a single national crew.
Researchers emphasized that ShadowSilk remains highly active, with new victims identified as recently as July. The group continues to prioritize government targets in Central Asia and the broader APAC region, underscoring the importance of monitoring associated infrastructure to prevent long-term compromise and data exfiltration.