A newly identified threat cluster dubbed ShadowSilk has been linked to a wave of cyberattacks against government agencies across Central Asia and the Asia-Pacific (APAC) region, according to researchers from Group-IB. The campaign, which has compromised nearly three dozen victims, is primarily aimed at large-scale data theft and shows clear overlaps with operations previously attributed to YoroTrooper, SturgeonPhisher, and Silent Lynx.
Most of the identified victims are government organizations in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan. The group has also targeted sectors such as energy, manufacturing, retail, and transportation. Group-IB researchers Nikita Rostovcev and Sergei Turner noted, “The operation is run by a bilingual crew – Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators spearheading intrusions, resulting in a nimble, multi-regional threat profile. The exact depth and nature of cooperation of these two sub-groups still remains uncertain.”
ShadowSilk is regarded as the latest evolution of YoroTrooper-linked activity, with roots stretching back as far as 2021. Earlier reporting by Cisco Talos, ESET, and Seqrite Labs documented the group’s previous attacks in Europe and Central Asia. The new campaign relies on spear-phishing emails that deliver password-protected archives containing a custom loader. This loader disguises command-and-control (C2) traffic within Telegram bot communications, allowing attackers to blend in with normal messenger activity and bypass detection.
The group also exploits known software vulnerabilities, including Drupal flaws (CVE-2018-7600, CVE-2018-7602) and the WP-Automatic WordPress plugin (CVE-2024-27956). Its toolkit spans open-source reconnaissance utilities such as FOFA, Gobuster, Dirsearch, and Fscan, as well as post-exploitation frameworks like Metasploit and Cobalt Strike. Additional capabilities include JRAT, Morf Project web panels, and a custom password-stealing utility targeting Chrome’s credential storage. Compromised websites are also abused to host malicious payloads.
After gaining a foothold, the attackers deploy a wide range of tools for persistence, lateral movement, and privilege escalation. “Once inside a network, ShadowSilk deploys web shells [like ANTSWORD, Behinder, Godzilla, and FinalShell], Sharp-based post-exploitation tools, and tunneling utilities such as Resocks and Chisel to move laterally, escalate privileges and siphon data,” the researchers explained. The intrusions ultimately enable the delivery of a Python-based RAT that can exfiltrate files, screenshots, and webcam captures via Telegram, masking malicious traffic as legitimate.
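One detection angle that follows from the Telegram-based C2 of the loader and the RAT described above, as an added example that is not code from the article or from Group-IB: it scans proxy log lines for Telegram Bot API calls and flags hosts that both poll for tasking and push large uploads under the same bot token. The log format, the sample lines, the bot tokens and the 1 MB threshold are constructed assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the article): "<ts> <src_ip> <verb> <url> <bytes_out>"
SAMPLE_LOGS = """\
2025-07-01T09:12:03Z 10.20.5.14 GET https://api.telegram.org/bot123456789:AAHfakeTOKENexample/getUpdates?offset=42 612
2025-07-01T09:12:09Z 10.20.5.14 POST https://api.telegram.org/bot123456789:AAHfakeTOKENexample/sendDocument 2187392
2025-07-01T09:13:00Z 10.20.5.22 GET https://www.example.org/index.html 1024
2025-07-01T09:14:31Z 10.20.5.14 POST https://api.telegram.org/bot123456789:AAHfakeTOKENexample/sendPhoto 483211
2025-07-01T09:15:00Z 10.20.7.9 GET https://api.telegram.org/bot987654321:BBBotherFAKEtoken/getMe 210
"""

# Bot API requests always look like https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(?P<token>[0-9]+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
POLL_METHODS = {"getUpdates"}                                             # implant pulls tasking
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}  # implant pushes files/screenshots

def parse_line(line):
    ts, src, verb, url, size = line.split()
    return {"ts": ts, "src": src, "verb": verb, "url": url, "bytes": int(size)}

def find_bot_c2(log_text, upload_threshold=1_000_000):
    """Flag hosts that both poll getUpdates and push large uploads through the Bot API.
    Ordinary Telegram desktop/mobile clients never talk to the Bot API, so a workstation
    doing both with one token behaves like a bot-driven implant, not a chat user."""
    per_host = defaultdict(lambda: {"bot_ids": set(), "polls": 0, "upload_bytes": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue
        h = per_host[rec["src"]]
        # keep only the numeric bot id; the secret half of the token must not land in alert logs
        h["bot_ids"].add(m.group("token").split(":")[0])
        if m.group("method") in POLL_METHODS:
            h["polls"] += 1
        elif m.group("method") in UPLOAD_METHODS:
            h["upload_bytes"] += rec["bytes"]
    return [{"src": src, "bot_ids": sorted(h["bot_ids"]), "upload_bytes": h["upload_bytes"]}
            for src, h in per_host.items()
            if h["polls"] and h["upload_bytes"] >= upload_threshold]

if __name__ == "__main__":
    for a in find_bot_c2(SAMPLE_LOGS):
        print(f"suspected Telegram-bot C2 from {a['src']}: bot {a['bot_ids']}, {a['upload_bytes']} bytes uploaded")
```

The host that only calls getMe is deliberately left out: a single benign-looking call is not enough on its own, and the poll-plus-upload pairing is what distinguishes an implant from a legitimate integration.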
Group-IB’s findings suggest the group involves both Russian-speaking developers and Chinese-speaking operators, as evidence points to dual-language use across its infrastructure. “Recent behavior indicates that the group remains highly active, with new victims identified as recently as July,” Group-IB warned. “ShadowSilk continues to focus on the government sector in Central Asia and the broader APAC region, underscoring the importance of monitoring its infrastructure to prevent long-term compromise and data exfiltration.”