ShadowSilk: The Hybrid Espionage Group Targeting Central Asian Governments
The group ShadowSilk has been identified as the orchestrator of a new wave of cyberattacks against government institutions across Central Asia and the Asia-Pacific region. According to Group-IB, the number of victims is approaching 30, with the attackers’ primary objective being the theft of sensitive information. Researchers note significant overlap between ShadowSilk’s infrastructure and toolset and those previously attributed to YoroTrooper, SturgeonPhisher, and Silent Lynx.
Among the compromised entities are organizations in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan. While most attacks targeted state institutions, victims also included energy companies, retail businesses, transportation firms, and industrial enterprises.
Analysts believe the operation is carried out by a bilingual collective: Russian-speaking developers, tied to YoroTrooper’s inherited codebase, and Chinese-speaking operators, responsible for network intrusions and attack coordination. Although the depth of their collaboration remains uncertain, this partnership creates a layered and highly adaptive threat profile.
YoroTrooper was first documented in 2023, with activity traced back to 2021. The group targeted government, energy, and international organizations in Europe starting in 2022, with later reports from ESET suggesting a Kazakhstani origin for some members, based on their fluency in Kazakh and Russian and their apparent avoidance of local targets. In January 2025, Seqrite Labs uncovered a Silent Lynx campaign against entities in Kyrgyzstan and Turkmenistan, again showing links to YoroTrooper’s activity.
ShadowSilk represents the next stage in this evolving ecosystem. Initial access is typically achieved through phishing emails carrying password-protected archives. These contain loaders that disguise their traffic as communication with Telegram bots while delivering additional malware modules. To maintain persistence, the malware alters Windows registry keys, ensuring automatic execution after reboot.
Beyond social engineering, the group exploits known public vulnerabilities such as Drupalgeddon 2 and 3 (CVE-2018-7600 and CVE-2018-7602) and the WP-Automatic plugin for WordPress (CVE-2024-27956). Their arsenal includes widely available reconnaissance and penetration-testing tools such as FOFA, Fscan, Gobuster, Dirsearch, Metasploit, and Cobalt Strike. For administration of compromised systems, they rely on black-market web panels like JRAT and Morf Project, alongside custom utilities for exfiltrating Chrome password stores together with the keys needed to decrypt them. In several cases, ShadowSilk has hosted its loaders on hijacked legitimate websites.
Once inside a network, the group deploys web shells such as AntSword, Behinder, and Godzilla, the FinalShell remote-administration client, and post-exploitation and tunneling utilities like resocks and Chisel. These tools enable lateral movement, privilege escalation, and large-scale data theft. The final stage involves launching a Python-based RAT controlled through a Telegram bot, which transmits stolen data under the guise of legitimate messaging traffic; because the channel is the public Telegram Bot API over TLS to api.telegram.org, it blends in with ordinary Telegram use and cannot be distinguished from it without TLS inspection or process-level telemetry on the endpoint. Modules from Metasploit and Cobalt Strike are used to capture screenshots and webcam images, while a custom PowerShell script searches files by extension, compresses them into ZIP archives, and exfiltrates them to external servers.
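Both the loaders described earlier and the final-stage RAT share one network-visible trait: they speak to the Telegram Bot API, whose URLs carry the bot token and the API method in the path. The script below is an added example for this page, not Group-IB's tooling or ShadowSilk code, showing how a defender with decrypting-proxy logs can triage that pattern: it separates long-polling for commands (getUpdates) from bulk uploads (sendDocument and similar), which is what the ZIP-and-send exfiltration stage looks like on the wire. The log format, hostnames, bot tokens and byte counts are all constructed for illustration.

```python
"""Triage web-proxy logs for Telegram Bot API use as a C2 and exfiltration channel.

Added example for this page, not Group-IB's tooling or ShadowSilk code. The log
format, hostnames, bot tokens and byte counts below are constructed for illustration.
"""
import re
from collections import defaultdict

# Bot API URLs embed the bot token in the path: /bot<numeric id>:<secret>/<method>.
# Ordinary Telegram use (desktop client, web.telegram.org) never calls this endpoint,
# so a workstation talking to it is automating a bot and deserves a look.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# A Telegram-backed RAT long-polls for operator commands and pushes files back out.
POLL_METHODS = {"getUpdates"}
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed proxy log (assumed format, whitespace separated, user agents without spaces):
# <timestamp> <src_host> <http_method> <url> <user_agent> <bytes_sent>
SAMPLE_LOG = """\
2025-07-14T09:00:01Z WS-117 GET https://api.telegram.org/bot7123456789:AAFconstructedTokenSecret/getUpdates?offset=12 python-requests/2.31 0
2025-07-14T09:00:31Z WS-117 GET https://api.telegram.org/bot7123456789:AAFconstructedTokenSecret/getUpdates?offset=13 python-requests/2.31 0
2025-07-14T09:01:05Z WS-117 POST https://api.telegram.org/bot7123456789:AAFconstructedTokenSecret/sendDocument python-requests/2.31 4718592
2025-07-14T09:01:40Z WS-117 POST https://api.telegram.org/bot7123456789:AAFconstructedTokenSecret/sendDocument python-requests/2.31 2097152
2025-07-14T09:02:00Z WS-203 GET https://api.telegram.org/bot5550001111:AAEanotherConstructedSecret/getUpdates?timeout=30 Go-http-client/1.1 0
2025-07-14T09:02:30Z WS-203 GET https://api.telegram.org/bot5550001111:AAEanotherConstructedSecret/getUpdates?timeout=30 Go-http-client/1.1 0
2025-07-14T09:03:00Z WS-042 GET https://web.telegram.org/a/ Mozilla/5.0 0
2025-07-14T09:03:10Z WS-042 GET https://www.example.org/index.html Mozilla/5.0 0
"""


def parse_line(line):
    """Split one proxy record into its six fields; bytes_sent becomes an int."""
    ts, host, http_method, url, user_agent, bytes_sent = line.split()
    return {"ts": ts, "host": host, "http_method": http_method, "url": url,
            "user_agent": user_agent, "bytes_sent": int(bytes_sent)}


def triage(log_text, exfil_threshold=1_000_000):
    """Group Bot API calls per (host, bot id) and rank them for an analyst.

    Returns a list of findings sorted by host. The secret half of the token is
    matched but deliberately not copied into the output: the numeric bot id is
    enough to pivot on, and findings tend to end up in tickets and chat.
    """
    stats = defaultdict(lambda: {"polls": 0, "uploads": 0, "exfil_bytes": 0,
                                 "methods": set(), "user_agents": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue  # web.telegram.org and other browsing is not Bot API automation
        s = stats[(rec["host"], m["bot_id"])]
        s["methods"].add(m["method"])
        s["user_agents"].add(rec["user_agent"])
        if m["method"] in POLL_METHODS:
            s["polls"] += 1
        elif m["method"] in UPLOAD_METHODS:
            s["uploads"] += 1
            s["exfil_bytes"] += rec["bytes_sent"]

    findings = []
    for (host, bot_id), s in sorted(stats.items()):
        if s["exfil_bytes"] >= exfil_threshold:
            severity = "high"      # bulk upload to a bot: matches the ZIP-and-send stage
        elif s["polls"] or s["uploads"]:
            severity = "medium"    # beaconing for commands, nothing large sent yet
        else:
            severity = "low"       # a single notification-style call such as sendMessage
        findings.append({"host": host, "bot_id": bot_id, "severity": severity,
                         "polls": s["polls"], "uploads": s["uploads"],
                         "exfil_bytes": s["exfil_bytes"],
                         "methods": sorted(s["methods"]),
                         "user_agents": sorted(s["user_agents"])})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['host']} bot={f['bot_id']} polls={f['polls']} "
              f"uploads={f['uploads']} bytes={f['exfil_bytes']} ua={','.join(f['user_agents'])}")
```

Two practical notes. The token and method live in the URL path, so this only works on logs from a decrypting proxy; with DNS or TLS-SNI telemetry alone you see just api.telegram.org and have to fall back to baselining which hosts ever resolve it and which processes open the connection. And a recovered bot token is evidence worth preserving rather than just redacting: Telegram's getMe and getUpdates calls with it identify the bot and any pending operator messages, which is useful for scoping before the operators rotate it.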
Group-IB reports that Russian-speaking actors are responsible for malware development and initial access, while forensic evidence reveals the involvement of Chinese-speaking operators — including the use of a Chinese keyboard layout, automated translation of Kyrgyz government resources into Chinese, and deployment of Chinese vulnerability scanners.
Infrastructure monitoring indicates the group remains active, with fresh victims identified as recently as July. ShadowSilk continues to prioritize government entities across Central Asia and the broader Asia-Pacific, underscoring the need for continuous tracking of its infrastructure and evolving tradecraft if long-running intrusions and data exfiltration are to be caught early.