Seqrite Labs’ APT Team has released a detailed report exposing the latest espionage operations conducted by the threat actor “Silent Lynx,” an advanced persistent threat (APT) group known for its phishing-driven intelligence campaigns across Central and South Asia. The research uncovers multiple overlapping cyber operations targeting diplomatic summits, government entities, and infrastructure projects in countries such as Tajikistan, Azerbaijan, Russia, and China.
“Silent Lynx is famous and well known for orchestrating spear-phishing-based campaigns along with posing as government officials to target governmental employees,” Seqrite researchers wrote. “We believe that the sole purpose of the group is purely espionage done in a hasty manner, which leaves a lot of blunders that led this current research to multiple findings.”
The campaigns, collectively referred to as Operation Peek-A-Baku, reveal the group’s interest in diplomatic summits and strategic cooperation events across Central Asia.
Seqrite’s timeline shows that between June and October 2025, Silent Lynx targeted:
- China–Central Asia diplomatic summits in Astana, Kazakhstan
- Russia–Azerbaijan strategic cooperation meetings in Dushanbe, Tajikistan
- Governmental and infrastructure entities linked to transport, communications, and mining sectors
“The first campaign targeted Chinese & Central Asian governmental think-tanks using the theme of a summit held in Astana… followed by another campaign abusing e-mails from Kyrgyzstan-based governmental entities to target various entities in Russia,” the report explained.

The attackers leveraged geopolitical events to craft phishing lures—RAR archives masquerading as summit documents—to deliver PowerShell-based reverse shells and custom implants.
Seqrite identified a malicious RAR archive named “План развитие стратегического сотрудничества.pdf.rar” (“Plan for the Development of Strategic Cooperation”), which contained a malicious LNK file abusing PowerShell.exe to fetch a payload hosted on GitHub.
“Upon opening the RAR file, we saw that it contained a malicious LNK trying to abuse PowerShell.exe to download and execute a malicious PowerShell file from a GitHub repository known as GoBuster777,” Seqrite wrote. “Upon decoding the Base64 blob, we determined this is a quick TCP-based reverse shell connecting to 206.189.11.142:443.”
The reverse shell enabled the attackers to remotely execute arbitrary commands, while the Ligolo-ng tunneling tool provided network persistence and stealth.
Silent Lynx deployed several distinct but interconnected payloads during its espionage operations:
Silent Loader
A C++-based loader that executes malicious PowerShell scripts from GitHub, serving as the group’s initial-stage downloader.
“One of the most interesting parts of Silent Loader is it exactly matches the initial loader we discovered back in November 2024–January 2025,” Seqrite noted, adding that this version was a sluggish move to download content from GitHub instead of embedding it directly.
Laplas (TCP and TLS variants)
A C++ reverse shell capable of both TCP and TLS-based communication with its command and control (C2) servers. The implant uses cmd.exe to execute commands and includes garbage code for obfuscation.
“Another version of the same Laplas implant performs nearly similar tasks, with a little difference in the command-and-control infrastructure… it sends a message to the operator ‘HELLO, Press Enter,’ and exits gracefully upon receiving ‘shexit’.”
SilentSweeper (.NET implant)
Used in both Russia–Azerbaijan and China–Central Asia campaigns, SilentSweeper extracts embedded PowerShell payloads such as qw.ps1 and TM3.ps1.
“The implant takes multiple arguments… the -extract flag writes a malicious PowerShell script to disk,” Seqrite explained. “Upon decoding the Base64 blob, it downloads the reverse shell 1.ps1, the same as in previous campaigns.”
In one China–Central Asia campaign, the implant also created a scheduled task named WindowsUpdate, executing every six minutes to maintain persistence.
The investigation linked multiple campaigns through shared infrastructure and metadata artifacts. Notably, LNK files included the working directory C:\Users\GoBus\OneDrive\Рабочий стол, reused across at least 11 distinct phishing samples.
C2 servers were traced to Russia and the Netherlands, with IPs including:
- 62.113.66.137 (Russia)
- 206.189.11.142 (Netherlands)
- 62.113.66.7 (Russia)
- 37.18.27.27 (Russia)
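To show how the tradecraft described above (an LNK launching PowerShell with a Base64 blob that opens a TCP socket to a known C2, the reused LNK working directory, and the six-minute "WindowsUpdate" scheduled task) turns into detection logic, here is an added Python example that is not part of Seqrite's report or this article. It scores constructed process-creation events against the indicators quoted on the page; the event fields, file paths and sample command lines are assumptions made for the example.

```python
import base64
import re

# Indicators quoted in the report; every path and event further down is constructed for this example.
KNOWN_C2 = {"62.113.66.137", "206.189.11.142", "62.113.66.7", "37.18.27.27"}
LNK_WORKDIR = r"C:\Users\GoBus\OneDrive\Рабочий стол"
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand blob (Base64 of UTF-16LE); '' if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(ev):
    """Return the list of report-derived indicators matched by one process-creation event."""
    hits = []
    image, cmd = ev["image"].lower(), ev["command_line"]
    if image.endswith("powershell.exe") and ev["parent"].lower().endswith("explorer.exe"):
        hits.append("powershell spawned by explorer (LNK-style launch)")
    if ev.get("cwd") == LNK_WORKDIR:
        hits.append("LNK working directory reused across Silent Lynx samples")
    decoded = decode_encoded_command(cmd)
    if decoded:
        hits.append("base64 -EncodedCommand present")
        if "Net.Sockets.TCPClient" in decoded:
            hits.append("decoded payload opens a raw TCP socket (reverse-shell pattern)")
        if "raw.githubusercontent.com" in decoded:
            hits.append("decoded payload fetches a script from GitHub")
        hits += [f"known C2 address {ip}" for ip in KNOWN_C2 if ip in decoded]
    if image.endswith("schtasks.exe") and re.search(r"/tn\s+WindowsUpdate\b", cmd, re.I) \
            and re.search(r"/mo\s+6\b", cmd):
        hits.append("scheduled task WindowsUpdate every 6 minutes (persistence)")
    return hits

# Constructed samples: the encoded blob carries only the socket call the detection keys on.
_ENC = base64.b64encode("New-Object System.Net.Sockets.TCPClient('206.189.11.142', 443)".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cwd": LNK_WORKDIR,
     "command_line": f"powershell.exe -w hidden -enc {_ENC}"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": PS, "cwd": r"C:\Windows\System32",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},  # benign scheduled admin job
    {"parent": r"C:\Users\user\Downloads\dropper.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cwd": r"C:\Users\user\Downloads",
     "command_line": r"schtasks.exe /create /sc minute /mo 6 /tn WindowsUpdate /tr C:\Users\user\Downloads\dropper.exe"},
]
```

Feeding real Sysmon event 1 or Windows 4688 records into `score_event` only requires mapping the parent, image, current-directory and command-line fields onto the dictionary keys used here.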
Seqrite confidently attributes the campaigns to Silent Lynx, citing tool overlap, identical coding patterns, and recurrent PowerShell-based reverse shells:
“The operators are heavily obsessed with Base64 encoding and go-to reverse shells in C++, PowerShell, Golang & .NET. We believe the group has followed our research and decided to store the encoded blob on GitHub instead of embedding it directly into binaries.”
The overarching theme of the report, titled “The Roads Lead to Dushanbe,” alludes to the group’s sustained interest in regional diplomatic summits and infrastructure collaborations linking Russia, China, and Central Asia.
“We believe that the threat group is primarily interested in the events at Dushanbe, such as the meeting of Russian-Azerbaijan nation-heads, to projects such as the China-Tajikistan Highway and the Beijing-Dushanbe flight connection,” Seqrite assessed.
The espionage campaigns appear aligned with intelligence gathering rather than financial motives, consistent with Silent Lynx’s historical focus on strategic geopolitical interests.
Seqrite warned that Silent Lynx may expand its targeting to upcoming India–Central Asia security summits, although no campaigns have been observed at the time of publication.