A new wave of cyberattacks is making headlines, with researchers linking a campaign called ShadowSilk to espionage operations against government organizations across Central Asia and the Asia-Pacific region. The findings, recently published by Group-IB with support from CERT-KG, highlight the growing sophistication of this threat actor.
A Campaign with Familiar Roots
The ShadowSilk activity has been ongoing since 2023 and was still active as of July 2025. Analysts point to overlaps with the tactics of the previously identified YoroTrooper group, but emphasize that ShadowSilk has evolved into a distinct operation with new infrastructure, advanced tooling, and signs of a dual operator base involving both Russian- and Chinese-speaking actors.
So far, at least 35 government entities have been identified as victims. The attackers’ primary objective remains data theft, with stolen information surfacing for sale on dark web forums.
Tools and Techniques
ShadowSilk leverages a diverse toolkit that combines both purchased and custom-built resources:
- Telegram bots serve as a command-and-control (C2) channel: operators push instructions to implants and receive stolen data through the Telegram Bot API, so the traffic blends in with ordinary HTTPS connections to Telegram.
- Phishing campaigns deliver password-protected archives to lure victims into executing malicious payloads.
- Compromised systems are then managed through web panels sold on underground forums, such as JRAT and Morf Project.
- Attackers then deploy post-exploitation frameworks such as Cobalt Strike and Metasploit to extend control across the network, harvest credentials, and maintain persistence.
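One way to hunt for the Telegram C2 channel described in the first bullet is to look at web-proxy logs: every Bot API call goes to api.telegram.org with the bot token in the URL path, so the proxy sees which bot was used and whether the host was polling for commands (getUpdates) or pushing data out (sendMessage, sendDocument). The script below is an added example, not code from Group-IB's report or from this article; the log format, host names, bot tokens and the allow-list of hosts permitted to run bots are all constructed for the demonstration.

```python
"""Flag hosts whose proxy logs show Telegram Bot API use.

Added example for this article; it is not code from Group-IB's report or
from any product. The log lines, host names and bot tokens below are
constructed for the demonstration.
"""
import re
from collections import defaultdict

# Every Bot API call is an HTTPS request to
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# so the URL alone tells you which bot was used and what it was asked to do.
# bot_id is numeric; the secret is a run of URL-safe characters (35 in
# tokens issued today, so the pattern is kept tolerant).
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)"
)

COMMAND_METHODS = {"getUpdates"}                              # implant polls for operator instructions
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}  # implant pushes output or files out

# Constructed proxy log: "<timestamp> <client host> <HTTP method> <url>"
SAMPLE_LOG = """\
2025-07-01T09:00:01Z ws-finance-07 GET https://api.telegram.org/bot123456789:AAFkZ-zz_0123456789abcdefghijklmnop/getUpdates?offset=42
2025-07-01T09:00:31Z ws-finance-07 GET https://api.telegram.org/bot123456789:AAFkZ-zz_0123456789abcdefghijklmnop/getUpdates?offset=43
2025-07-01T09:01:05Z ws-finance-07 POST https://api.telegram.org/bot123456789:AAFkZ-zz_0123456789abcdefghijklmnop/sendDocument
2025-07-01T09:02:10Z ws-hr-12 GET https://web.telegram.org/a/
2025-07-01T09:03:00Z ws-hr-12 GET https://www.example.gov/news
2025-07-01T09:04:12Z srv-alerts-01 POST https://api.telegram.org/bot987654321:BBGkZ-yy_0123456789abcdefghijklmnop/sendMessage
"""


def parse_line(line):
    """Split one constructed log line; returns (host, url) or None."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    _ts, host, _http_method, url = parts
    return host, url


def analyze_proxy_log(log_text, allowed_bot_hosts=frozenset()):
    """Summarise Bot API use per client host and rate it.

    allowed_bot_hosts: hosts that legitimately run a Telegram bot (for
    example an alerting server); they are skipped entirely.
    """
    per_host = defaultdict(lambda: {"bot_ids": set(), "polls": 0, "uploads": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, url = parsed
        m = BOT_CALL.search(url)
        if m is None:
            continue  # web.telegram.org and other ordinary chat traffic is ignored
        stats = per_host[host]
        stats["bot_ids"].add(m["bot_id"])
        if m["method"] in COMMAND_METHODS:
            stats["polls"] += 1
        elif m["method"] in EXFIL_METHODS:
            stats["uploads"] += 1

    findings = []
    for host, stats in sorted(per_host.items()):
        if host in allowed_bot_hosts:
            continue
        # Polling for commands and uploading in the same window is a two-way
        # channel, which is what a C2 implant looks like; one direction alone
        # could still be a notification script, so it rates lower.
        severity = "high" if stats["polls"] and stats["uploads"] else "medium"
        findings.append({
            "host": host,
            "bot_ids": sorted(stats["bot_ids"]),  # enough to report the bot; the secret stays in the raw log
            "polls": stats["polls"],
            "uploads": stats["uploads"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_proxy_log(SAMPLE_LOG, allowed_bot_hosts={"srv-alerts-01"}):
        print(finding)
```

The bot ID is kept in the finding because it is what you hand to Telegram for an abuse report; the secret half of the token is deliberately left out of the output so the report itself does not become a credential leak. A host that both polls getUpdates and uploads through sendDocument is the pattern to escalate first.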
Russian and Chinese Links
Forensic evidence revealed indicators of both Russian and Chinese involvement:
- Russian-speaking operators were identified through command-line typos and the use of Russian keyboard layouts.
- Chinese-speaking operators were linked through workstation screenshots showing Chinese-language vulnerability tools and browsing activity targeting Central Asian government domains.
Together, these findings suggest that ShadowSilk is not just a continuation of YoroTrooper, but rather a new threat cluster with shared lineage.
Ongoing Risks
“ShadowSilk continues to prioritize the government sector across Central Asia and the broader APAC region,” Group-IB researchers noted, stressing the need for ongoing monitoring to prevent long-term compromise and sensitive data leaks.
Security Recommendations
To defend against threats like ShadowSilk, experts recommend:
- Implementing robust email security to block spear-phishing attempts.
- Monitoring for misuse of legitimate system commands and tools that attackers often repurpose.
- Enforcing application whitelisting and regular patch management, and deploying high-fidelity MXDR analytics tuned to known malware artifacts.
- Conducting proactive threat hunting to uncover stealthy attacks that bypass automated defenses.
- Actively monitoring the dark web and other data leak sources to stay ahead of potential exposure.
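The phishing lure described earlier (a password-protected archive, with the password in the message so the victim can open it) and the first recommendation here (blocking spear-phishing at the mail gateway) meet in one concrete check: a gateway can tell that a ZIP is encrypted without knowing the password, because the encryption bit is in the clear in every ZIP header. The script below is an added example, not code from the article, Group-IB or any mail-security product; the message, sender, file names and archive are constructed, and because the Python standard library cannot write encrypted ZIPs the sample archive has its encryption bit set by hand, which is exactly what a scanner sees on a real password-protected file.

```python
"""Flag password-protected ZIP attachments in raw e-mail.

Added example for this article; it is not code from Group-IB or from any
mail-security product. Sender, recipient, file names and message text are
constructed for the demonstration.
"""
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_HEADER = b"PK\x03\x04"    # signature of each local file header
ZIP_CENTRAL_HEADER = b"PK\x01\x02"  # signature of each central-directory entry
ENCRYPTED_FLAG = 0x0001             # bit 0 of the general-purpose flag word
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".hta")


def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of entries with the encryption bit set.

    Reads only the central directory, so no password and no extraction is
    needed; a malformed archive yields an empty list rather than an error.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> list:
    """Return (attachment name, encrypted entry names, risky entry names) for
    every ZIP attachment that contains at least one encrypted entry."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(ZIP_LOCAL_HEADER):
            continue  # not a ZIP; RAR and 7z would need their own signature checks
        enc = encrypted_entries(payload)
        if enc:
            risky = [n for n in enc if n.lower().endswith(RISKY_SUFFIXES)]
            findings.append((part.get_filename() or "<unnamed>", enc, risky))
    return findings


def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed test archive. The stdlib cannot write encrypted ZIPs, so
    we build a plain one and set the encryption bit in both header types."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Protocol_2025.pdf.exe", b"MZ" + b"\x00" * 62)  # placeholder bytes, not a real PE
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # flag word sits at offset 6 in a local header and offset 8 in a central entry
        for sig, flag_offset in ((ZIP_LOCAL_HEADER, 6), (ZIP_CENTRAL_HEADER, 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
                struct.pack_into("<H", data, pos + flag_offset, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def build_sample_message(zip_bytes: bytes) -> bytes:
    """Constructed lure: the archive password is in the body, as in the phishing described."""
    msg = EmailMessage()
    msg["From"] = "press-office@example.org"
    msg["To"] = "analyst@example.gov"
    msg["Subject"] = "Meeting protocol (protected)"
    msg.set_content("Please review the attached protocol. Archive password: 1234")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="Protocol_2025.zip")
    msg.add_attachment("Nothing to see here.", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message(build_sample_zip(True))):
        print("password-protected attachment:", finding)
```

An encrypted archive is not malicious on its own, which is why the scan also reports which entries carry executable-looking names; the combination of an encrypted archive, a password in the message body and a double-extension executable inside is the case to quarantine rather than merely log.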
Source: https://www.infosecurity-magazine.com/news/shadowsilk-targets-central-asian