Group-IB analysts, in cooperation with CERT-KG, have published new research exposing the activities of a threat cluster tracked as ShadowSilk, a campaign overlapping with the actor known publicly as YoroTrooper. The investigation reveals a persistent and evolving campaign against government institutions across Central Asia and the Asia-Pacific region, active since at least 2023 and ongoing as of July 2025.
According to Group-IB, "In the fall of 2024, Group-IB analysts discovered a series of attacks that targeted government organizations of countries within the Central Asia and Asia-Pacific region… After the January disclosure of their activities, ShadowSilk abandoned much of its infrastructure. However, in June 2025 Group-IB observed renewed activity and new infrastructure, identified additional government victims in Central Asia, and collected new IOCs."
Researchers linked ShadowSilk to YoroTrooper's toolset and infrastructure but noted important differences in tradecraft and operational scope. As a result, the campaign is classified as a distinct cluster, albeit one with overlapping operators and shared tooling.
The report highlights several critical insights into ShadowSilk's operations:
- ShadowSilk has been active since at least 2023, and remains active as of July 2025.
- Over 35 victims, primarily in the government sector of Central Asia, have been identified.
- ShadowSilk consists of two sub-groups and has Chinese- and Russian-speaking operators.
- At some point, a fraction of the data known to be in ShadowSilk's possession appeared for sale on a dark web forum; that data had never previously appeared in public.
This multilingual operator structure suggests possible cooperation between Russian-speaking malware developers and Chinese-speaking intrusion operators, though the depth of collaboration remains uncertain.
ShadowSilk's arsenal includes a blend of public exploits, penetration-testing tools, and dark web-sourced web panels:
- Exploited vulnerabilities: CVE-2018-7600, CVE-2018-7602, CVE-2024-27956
- Tools: sqlmap, wpscan, FOFA, Shodan, fscan, Metasploit, Cobalt Strike
- Webshells: AntSword, Godzilla, Behinder
- Proxy utilities: resocks, proxifier, chisel
- Purchased control panels: JRAT and Morf Project for infected device management
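The three CVEs above are all exploited over plain HTTP requests to a web application, so the first place a defender can look for ShadowSilk-style initial access is the web server's access log. The following triage script is an added example and is not code from the Group-IB report. It assumes combined-log-format lines (constructed here, not real traffic) and uses indicators taken from the public advisories for these bugs: Drupal Form API render-array keys such as `#post_render` or `#markup` appearing in request parameters (CVE-2018-7600 and CVE-2018-7602), the `element_parents=...#` AJAX form trick (CVE-2018-7600), and requests to the WordPress Automatic plugin's `inc/csv.php` endpoint (CVE-2024-27956). The indicator names and the `triage` function are this example's own.

```python
"""Triage web access logs for exploitation attempts against the CVEs named above.

Added example, not part of the Group-IB report.  Assumptions (labelled):
  - combined log format (Apache/nginx default);
  - indicators drawn from public advisories, not from the report.
"""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (CVE label, indicator name, regex applied to the URL-decoded request target)
INDICATORS = [
    ("CVE-2018-7600/7602", "drupal-render-array-key",
     re.compile(r"#(post_render|pre_render|lazy_builder|access_callback|markup)\b", re.I)),
    ("CVE-2018-7600", "drupal-ajax-element_parents",
     re.compile(r"element_parents=[^&]*#", re.I)),
    ("CVE-2024-27956", "wp-automatic-csv-endpoint",
     re.compile(r"/wp-automatic/inc/csv\.php", re.I)),
]

# Constructed sample log lines (not real traffic); 203.0.113.0/24 etc. are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2025:10:01:02 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [12/Jun/2025:10:01:05 +0000] "GET /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.7 - - [12/Jun/2025:10:02:11 +0000] "GET /wp-content/plugins/wp-automatic/inc/csv.php?q=SELECT%201 HTTP/1.1" 200 133 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def decode_target(target: str) -> str:
    """URL-decode twice: exploit tooling frequently double-encodes '#' as %2523."""
    return unquote(unquote(target))


def triage(log_text: str) -> list[dict]:
    """Return one hit per log line whose decoded target matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        decoded = decode_target(m["target"])
        for cve, name, rx in INDICATORS:
            if rx.search(decoded):
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "cve": cve, "indicator": name,
                    # A 200 on an exploit request is a stronger signal than a 403/404.
                    "status": int(m["status"]), "ua": m["ua"], "target": decoded,
                })
                break  # one indicator per line is enough for triage
    return hits


def sources_by_cve(hits: list[dict]) -> dict[str, set[str]]:
    """Pivot hits into {CVE: {source IPs}} for blocking and further hunting."""
    out: dict[str, set[str]] = {}
    for h in hits:
        out.setdefault(h["cve"], set()).add(h["ip"])
    return out


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["cve"]} [{h["indicator"]}] status={h["status"]} {h["target"]}')
```

A successful (status 200) Drupal render-array request followed within seconds by a POST to a new `.php` file is the classic Drupalgeddon-to-webshell sequence, so pivot from the flagged IPs to every later request from the same source.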
Notably, ShadowSilk leveraged Telegram bots as command-and-control (C2) infrastructure. Group-IB observed, "The attackers created and used Telegram bots as a command-and-control center, leveraging them to issue commands, exfiltrate confidential data, update malware modules, and disguise traffic as legitimate messenger activity."
This use of widely trusted platforms such as Telegram allowed ShadowSilk to bypass network monitoring and disguise malicious traffic as normal chat activity.
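Because the Bot API lives on api.telegram.org over TLS, the destination alone looks like ordinary messenger use; what gives a bot-based implant away is the shape of the traffic: the same host calling the same bot token on a fixed cadence (`getUpdates` polling for tasking) and pushing files out through `sendDocument`-style methods. The hunt below is an added example, not code from the Group-IB report. It assumes a decrypting forward proxy that logs the full request URL (without TLS inspection only the SNI `api.telegram.org` is visible, and the cadence check must instead be run on connection counts per host); the log format `<epoch> <host> <method> <url> <bytes_out>` and the sample lines are constructed for this example, and the thresholds are tunable assumptions.

```python
"""Hunt for Telegram Bot API used as C2 in outbound proxy logs.

Added example, not from the Group-IB report.  Assumptions (labelled):
  - a decrypting forward proxy that records the full URL;
  - made-up log format: '<epoch> <src_host> <method> <url> <bytes_out>';
  - thresholds (min_polls, max_jitter) are starting points, not report values.
"""
import re
import statistics
from collections import defaultdict

# Bot API URLs look like https://api.telegram.org/bot<token>/<method>; the token is
# '<numeric bot id>:<secret>' and is itself a credential the operator needs.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
POLL_METHODS = {"getUpdates"}                                  # implant asking for tasking
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}  # file uploads

# Constructed sample (not real traffic): ws-42 polls every ~30 s and uploads ~2.4 MB;
# ws-07 sends one alert message, the kind of thing an internal script might legitimately do.
SAMPLE_LOG = """\
1718186400 ws-42 GET https://api.telegram.org/bot123456789:AAF-exampleTokenValue_xyz/getUpdates?offset=1 0
1718186430 ws-42 GET https://api.telegram.org/bot123456789:AAF-exampleTokenValue_xyz/getUpdates?offset=1 0
1718186461 ws-42 GET https://api.telegram.org/bot123456789:AAF-exampleTokenValue_xyz/getUpdates?offset=2 0
1718186490 ws-42 GET https://api.telegram.org/bot123456789:AAF-exampleTokenValue_xyz/getUpdates?offset=2 0
1718186520 ws-42 GET https://api.telegram.org/bot123456789:AAF-exampleTokenValue_xyz/getUpdates?offset=3 0
1718186525 ws-42 POST https://api.telegram.org/bot123456789:AAF-exampleTokenValue_xyz/sendDocument 2457600
1718186550 ws-42 GET https://api.telegram.org/bot123456789:AAF-exampleTokenValue_xyz/getUpdates?offset=3 0
1718186600 ws-07 POST https://api.telegram.org/bot987654321:BBG-otherTokenValue_abc/sendMessage 180
"""


def parse_sessions(log_text: str) -> dict[tuple[str, str], list[tuple[int, str, int]]]:
    """Group Bot API calls by (source host, bot token) -> [(ts, method, bytes_out)]."""
    sessions: dict[tuple[str, str], list[tuple[int, str, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, _verb, url, nbytes = line.split()
        m = BOT_API_RE.match(url)
        if not m:
            continue  # not a Bot API call (e.g. the ordinary web client)
        sessions[(host, m["token"])].append((int(ts), m["method"], int(nbytes)))
    return sessions


def analyze(log_text: str, min_polls: int = 4, max_jitter: float = 0.25) -> list[dict]:
    """Flag (host, token) pairs that poll on a fixed cadence or upload files."""
    findings = []
    for (host, token), events in parse_sessions(log_text).items():
        events.sort()
        poll_ts = [ts for ts, meth, _ in events if meth in POLL_METHODS]
        upload_bytes = sum(b for _, meth, b in events if meth in EXFIL_METHODS)
        reasons = []
        if len(poll_ts) >= min_polls:
            gaps = [b - a for a, b in zip(poll_ts, poll_ts[1:])]
            mean = statistics.mean(gaps)
            # Coefficient of variation: a sleep loop gives a low value, a human a high one.
            jitter = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if jitter <= max_jitter:
                reasons.append(f"regular getUpdates polling every ~{mean:.0f}s (jitter {jitter:.2f})")
        if upload_bytes:
            reasons.append(f"{upload_bytes} bytes uploaded via file-sending methods")
        if reasons:
            # Keep only the numeric bot id in the finding; the full token is a credential
            # and should be handed to responders out of band, not copied into tickets.
            findings.append({"host": host, "token_id": token.split(":")[0], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f["host"]} bot {f["token_id"]}: ' + "; ".join(f["reasons"]))
```

The single `sendMessage` from ws-07 is not flagged, which is the point: plenty of monitoring scripts post alerts to Telegram, so a destination-only rule on api.telegram.org would drown in noise, while cadence plus bulk uploads from a workstation that has no business running a bot is worth a ticket.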
Server analysis revealed operators switching to Russian keyboard layouts and issuing mistyped commands, while workstation screenshots showed Chinese-language vulnerability scanners and Chinese-localized systems. Group-IB concludes that "ShadowSilk consists of two sub-groups and has Chinese- and Russian-speaking operators."
This multilingual makeup underscores ShadowSilkβs hybrid nature, blending expertise and infrastructure from multiple threat ecosystems.
Every observed attack shared the same end goal: data exfiltration. Government entities in Uzbekistan, Kyrgyzstan, Tajikistan, and other Central Asian nations were confirmed among the victims. Stolen data included email dumps, passwords, and sensitive government documents, some of which appeared for sale on dark web forums for the first time.
Group-IB's findings reveal ShadowSilk as a highly adaptive and persistent espionage operation, blending Russian and Chinese tradecraft, exploiting both public and underground tools, and using Telegram-based malware for stealthy persistence.
As Group-IB warns, "Recent behavior indicates that the group remains highly active, with new victims identified as recently as July. ShadowSilk continues to focus on the government sector in Central Asia and the broader APAC region, underscoring the importance of monitoring its infrastructure to prevent long-term compromise and data exfiltration."