ShadowSilk Hits 36 Government Targets in Central Asia and APAC Using Telegram Bots
Briefly

ShadowSilk targets government entities across Central Asia and the Asia-Pacific region, with nearly three dozen victims identified and intrusions aimed primarily at data exfiltration. The group shares tooling and infrastructure with YoroTrooper, SturgeonPhisher, and Silent Lynx, indicating operational overlap. The actor operates as a bilingual combination of Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators who lead intrusions, resulting in a multi-regional threat profile. Confirmed victims include governments in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, with secondary impacts on energy, manufacturing, retail, and transportation sectors. Initial access is achieved via spear-phishing.
A threat activity cluster known as ShadowSilk has been attributed to a fresh set of attacks targeting government entities within Central Asia and Asia-Pacific (APAC). According to Group-IB, nearly three dozen victims have been identified, with the intrusions mainly geared towards data exfiltration. The hacking group's toolset and infrastructure overlap with campaigns undertaken by threat actors dubbed YoroTrooper, SturgeonPhisher, and Silent Lynx.
Victims of the group's campaigns span Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, a majority of which are government organizations, and to a lesser extent, entities in the energy, manufacturing, retail, and transportation sectors. "The operation is run by a bilingual crew - Russian-speaking developers tied to legacy YoroTrooper code and Chinese-speaking operators spearheading intrusions, resulting in a nimble, multi-regional threat profile," researchers Nikita Rostovcev and Sergei Turner said. "The exact depth and nature of cooperation of these two sub-groups remains still uncertain."
YoroTrooper was first publicly documented by Cisco Talos in March 2023, detailing its attacks targeting government, energy, and international organizations across Europe since at least June 2022. The group is believed to be active as far back as 2021, per ESET. A subsequent analysis later that year revealed that the hacking group likely consists of individuals from Kazakhstan based on their fluency in Kazakh and Russian, as well as what appeared to be deliberate efforts to avoid targeting entities in the country.
Read at The Hacker News