ShadowSilk Reaches 35 Organizations in Central Asia and APAC Through Telegram Bots
A threat activity cluster known as ShadowSilk has been linked to a new wave of attacks targeting government entities in Central Asia and the Asia-Pacific (APAC) region. According to Group-IB, nearly three dozen victims have been identified, and the campaigns are primarily aimed at data exfiltration. The group exhibits toolset and infrastructure overlaps with other threat actors, including YoroTrooper, SturgeonPhisher, and Silent Lynx. Victims of ShadowSilk's campaigns include government organisations in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, as well as entities in the energy, manufacturing, retail, and transportation sectors. Researchers Nikita Rostovcev and Sergei Turner noted that the operation is run by a bilingual team: Russian-speaking developers associated with legacy YoroTrooper code, and Chinese-speaking operators who lead the intrusions, resulting in a versatile, multi-regional threat profile.
ShadowSilk represents the latest evolution of this YoroTrooper-linked activity, employing spear-phishing emails as the initial access vector to deliver password-protected archives that deploy a custom loader. The loader hides its command-and-control (C2) traffic behind Telegram bots to evade detection and to fetch additional payloads; because the Telegram Bot API is ordinary HTTPS to api.telegram.org, these beacons blend in with legitimate messenger traffic unless outbound destinations are reviewed. Persistence is achieved by modifying the Windows Registry so the malware runs again after a reboot. The group uses public exploits for Drupal and the WP-Automatic WordPress plugin, alongside a diverse toolkit of reconnaissance and penetration-testing tools such as FOFA, Fscan, Gobuster, Dirsearch, Metasploit, and Cobalt Strike. ShadowSilk has also integrated the JRAT and Morf Project web panels, sourced from darknet forums, for managing compromised devices, as well as a custom tool for extracting Chrome password storage files and their decryption keys. Notably, the group has compromised legitimate websites to host malicious payloads. Once inside a network, ShadowSilk deploys web shells such as ANTSWORD, Behinder, and Godzilla.
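Two of the behaviours above leave traces a defender can hunt for without any vendor tooling. The following script is an added example for this page, not code from Group-IB or from the ShadowSilk toolset: it flags Telegram Bot API calls in a web-proxy log (the api.telegram.org/bot<id>:<secret>/<method> URL shape is Telegram's public Bot API; the log format, hostnames and token are constructed) and scans a text registry export for autorun entries that point into user-writable paths. The page says only that the Registry is modified for execution at reboot; the assumption here is the common Run/RunOnce key.

```python
"""Hunt for Telegram-bot C2 beacons and Run-key persistence in constructed data.

Added example, not the page's or Group-IB's own code. Assumptions are marked.
"""
import re

# Telegram Bot API URL: https://api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Bot API methods a bot-based C2 needs: poll for tasking, post results, move files
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "getFile"}

# Constructed proxy log lines: <timestamp> <src_host> <http_method> <url> <status>
SAMPLE_PROXY_LOG = """\
2025-08-20T09:14:02Z WS-FIN-017 GET https://api.telegram.org/bot7123456789:AAH3xQ9dummyTOKENvalue_12345/getUpdates?offset=41 200
2025-08-20T09:14:03Z WS-FIN-017 POST https://api.telegram.org/bot7123456789:AAH3xQ9dummyTOKENvalue_12345/sendDocument 200
2025-08-20T09:14:05Z WS-HR-003 GET https://www.example.com/news/index.html 200
2025-08-20T09:14:09Z WS-HR-003 GET https://web.telegram.org/a/ 200
"""


def find_telegram_bot_c2(log_text, allowed_hosts=frozenset()):
    """Return one finding per log line that hits the Telegram Bot API from a host
    not in allowed_hosts. The bot secret is redacted so the finding can be shared
    without leaking a token that would let someone else read the bot's channel."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src_host, _http_method, url, _status = parts[:5]
        m = TELEGRAM_BOT_RE.search(url)
        if not m or src_host in allowed_hosts:
            continue
        hits.append({
            "time": ts,
            "host": src_host,
            "bot_id": m.group("bot_id"),
            "token": m.group("bot_id") + ":" + m.group("secret")[:4] + "...",
            "api_method": m.group("method"),
            "c2_like": m.group("method") in C2_METHODS,
        })
    return hits


# Assumption: persistence lives in the Run/RunOnce keys; the page does not name the key.
RUN_KEY_RE = re.compile(
    r"^\[HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\.*\\CurrentVersion\\Run(?:Once)?\]$", re.I
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Locations a normal autorun rarely points into but a dropped loader usually does
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed `reg export` style text (backslashes and quotes escaped as .reg does)
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""


def find_suspicious_run_entries(reg_text):
    """Return Run/RunOnce values whose command points into a user-writable path."""
    findings = []
    key, in_run_key = None, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):          # new key header
            key = line
            in_run_key = bool(RUN_KEY_RE.match(line))
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if not m:                         # skip non-string values (hex:, dword:)
            continue
        # undo .reg escaping so the path compares like the real registry data
        data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
        if any(p in data.lower() for p in USER_WRITABLE):
            findings.append({"key": key, "name": m.group("name"), "command": data})
    return findings


if __name__ == "__main__":
    for hit in find_telegram_bot_c2(SAMPLE_PROXY_LOG):
        print("telegram-bot-c2", hit)
    for finding in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print("run-key-persistence", finding)
```

The URL-path match only works where the proxy records full URLs (TLS inspection or a forward proxy seeing the request line); with CONNECT-only logs you see just api.telegram.org, and the useful signal becomes which hosts talk to it at all, hence the allowlist parameter. The Run-key check is deliberately narrow and will miss other autostart locations; widen RUN_KEY_RE to the keys your environment actually baselines.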
Categories:
1. Cyber Threat Actors: ShadowSilk, YoroTrooper, SturgeonPhisher, Silent Lynx
2. Targeted Sectors: Government Entities, Energy, Manufacturing, Retail, Transportation
3. Attack Techniques: Data Exfiltration, Spear-Phishing, Command-and-Control, Web Shells
Tags: ShadowSilk, Cyber Attacks, Data Exfiltration, Government Entities, Central Asia, Asia-Pacific, Spear-Phishing, Command-and-Control, Web Shells, Malicious Payloads