{
	"id": "126ec274-e4ad-4e48-ab93-d1f6dd6507e0",
	"created_at": "2026-04-06T00:13:21.146085Z",
	"updated_at": "2026-04-10T03:28:40.149013Z",
	"deleted_at": null,
	"sha1_hash": "eaaa3e7dd6533ddaffd83ca50d6a994ef7ee1e07",
	"title": "Operation Peek-a-Baku: Silent Lynx APT makes sluggish shift to Dushanbe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5033600,
	"plain_text": "Operation Peek-a-Baku: Silent Lynx APT makes sluggish shift to\r\nDushanbe\r\nBy Subhajeet Singha\r\nPublished: 2025-11-03 · Archived: 2026-04-05 14:10:40 UTC\r\nIntroduction\r\nTimeline\r\nKey Targets.\r\nIndustries Affected.\r\nGeographical Focus.\r\nInfection Chain.\r\nInitial Findings.\r\nTechnical Analysis.\r\nCampaign – I\r\nThe LNK Way.\r\nMalicious SILENT LOADER\r\nMalicious LAPLAS Implant – TCP \u0026 TLS.\r\nMalicious .NET Implant – SilentSweeper\r\nCampaign – II\r\nMalicious .NET Implant – SilentSweeper\r\nVBScript.\r\nMalicious PowerShell Script.\r\nHunting and Infrastructure.\r\nAttribution\r\nEarly-Remediations.\r\nConclusion\r\nSEQRITE Protection.\r\nIOCs\r\nMITRE ATT\u0026CK.\r\nReferences\r\nAuthors: Subhajeet Singha, Priya Patel, Sathwik Ram Prakki.\r\nIntroduction\r\nSeqrite Labs’ APT Team was the first to assign the nomenclature “Silent Lynx” to the threat group. Prior \u0026 later\r\nto this, multiple researchers had identified the initial campaigns and referred to the group by various names,\r\nincluding YoroTrooper, Sturgeon Phisher, Cavalry Werewolf, ShadowSilk, and others. 
Since we were the first to uncover and track these campaigns under that name, we have continued to refer to the group as Silent Lynx, to maintain consistency and avoid the confusion caused by multiple overlapping aliases.\r\nhttps://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/\r\nPage 1 of 30\n\nAs reported by several other research vendors and by us, Silent Lynx is well known for orchestrating spear-phishing campaigns and for posing as government officials in order to target government employees. Using a mix of custom-built tooling and ready-made offensive tooling from open-source projects, the group has mostly targeted Central Asian think-tanks and governments, the Russian government, and some nations in South-East Asia.\r\nIn this blog, we explore how we identified the same group making sluggish changes in the way it deploys stagers, and committing small OPSEC blunders, which led us to identify campaigns against entities involved in the Azerbaijan-Russia relationship using fake RAR archives. The group has also been targeting entities involved in China-Central Asia relations with a malicious .NET implant. We believe the group’s sole purpose is espionage, carried out in a hasty manner that leaves many mistakes behind; those mistakes led this research to multiple findings. We also look at the infrastructure behind the multiple campaigns and implants uncovered during the research.\r\nLast but not least, the final theme of this research is “The roads lead to Dushanbe”. 
The theme will gradually be developed in the later parts of the blog, which explain why it was chosen.\r\nTimeline\r\nKey Targets\r\nSilent Lynx has been targeting multiple sectors across various nations; in this research we focus on the ones that are closely related geographically to events in Astana, Dushanbe \u0026 Baku. The first campaign, which we tracked from early June to September, targeted Chinese \u0026 Central Asian governmental think-tanks using the theme of a summit held in Astana, the capital city of Kazakhstan. From mid-September to October, we discovered another campaign by the same threat group, which abused e-mails from Kyrgyzstan-based governmental entities to target various entities in Russia; this campaign was also discovered by threat researchers at BI.ZONE.\r\nFollowing similar footprints, we uncovered that the threat actor also targeted entities involved in Azerbaijan-Russia diplomacy, using the theme of a summit held in Dushanbe along with specific keywords such as Strategic Co-operation. 
The industries that have been targeted are as follows:\r\nIndustries Affected\r\nGovernment Think-tanks \u0026 Diplomats\r\nMining Industry\r\nTransport \u0026 Communication Industry\r\nGeographical Focus\r\nTajikistan\r\nAzerbaijan\r\nRussia\r\nChina\r\nOther Central Asian nations (refer to our previous research on the discovery of Silent Lynx)\r\nInfection Chain\r\nInitial Findings\r\nWe at the SEQRITE APT-Team have been meticulously tracking Silent Lynx since November 2024. Initially, we discovered that the group had been targeting multiple important entities across Kyrgyzstan, Turkmenistan \u0026 Uzbekistan, with the sole motive of espionage against critical sectors such as national banks and railway projects. Our findings were presented at Virus Bulletin 2025.\r\nAs described in our collaboration with VirusTotal, we rely on a few key pivot points to hunt this threat group, for example its habit of using Base64-encoded PowerShell implants and loaders that abuse the powershell.exe binary.\r\nUsing similar pivoting logic, we discovered a campaign in September which we believe was initially orchestrated in June; the samples were discovered by us in September.\r\nLater, using the same logic, we found another campaign with a similar modus operandi but slight changes in deploying stagers. 
As this campaign was found in October, and given its theme, we believe it was also orchestrated in October itself.\r\nFurther hunting and pivoting confirmed that these two campaigns, despite a very small number of changes in how the final stager payloads are deployed, were launched by the same threat group, Silent Lynx.\r\nIn the next section, we focus on the technical and other interesting parts of the research.\r\nTechnical Analysis\r\nDuring our research on this threat group, under the code name Operation Peek-A-Baku, we uncovered multiple sets of campaigns. To present our findings clearly, we have divided the analysis into two sections.\r\nThe first section details the various methods used by the threat actor to deploy the final-stage reverse shell, which primarily targeted entities involved in Russia–Azerbaijan relations. The second section focuses on campaigns aimed at China–Central Asia relations. It is important to note that the technical analysis is not organized chronologically and does not reflect the exact sequence of events within the overall campaign.\r\nCampaign – I\r\nLet us start by analyzing the campaign that targeted entities involved in the Russia-Azerbaijan diplomatic relationship.\r\nOctober-2025\r\nIn the first half of October 2025, the second week of October to be precise, our team found a malicious RAR archive named План развитие стратегического сотрудничества.pdf.rar, which translates to Plan for the Development of Strategic Cooperation. 
We also checked the filename and found that it is grammatically incorrect in Russian, suggesting that it was likely written by a non-native speaker or generated automatically using one of the many translators available on the web.\r\nWe believe this campaign specifically targeted diplomatic entities that were involved in or associated with the organization and coordination of the Russia–Azerbaijan meeting held in Dushanbe, Tajikistan, in October 2025. Given the timing and the politically charged context surrounding the summit, which focused on restoring and strengthening strategic cooperation between the two nations, we suspect that the threat actor sought to gather intelligence on diplomatic communications linked to this high-level engagement.\r\nNow, let us look into the technical arsenal of malicious payloads used.\r\nThe LNK Way\r\nWe hunted the suspicious RAR file План развитие стратегического сотрудничества.pdf.rar and, upon opening it, saw that the archive contained only a malicious LNK file with a similar name.\r\nLooking into the contents of the LNK file, we found that it abuses the powershell.exe binary to download and execute a malicious PowerShell script from a GitHub repository known as GoBuster777; the file being downloaded is 1.ps1. 
Interestingly, we also found a suspicious file path, which we leverage later in this blog to pivot on and hunt further campaigns.\r\nUpon downloading the 1.ps1 file, we found another similarity with the previous Silent Lynx campaigns: a Base64-encoded malicious blob executed via PowerShell.\r\nUpon decoding the Base64 blob, we determined that it is a simple TCP-based reverse shell that connects to 206.189.11.142:443. The payload opens a socket, establishes a stream, and enters a persistent read-execute-return loop: it reads text commands from the remote operator, executes them locally via Invoke-Expression, converts enumerable results to strings, and writes the output back over the same connection. We also discovered that the threat actor deployed the open-source tunneler Ligolo-ng alongside the PowerShell-based reverse shell, which together gave the TA the ability to execute arbitrary commands on the victim machine.\r\nMalicious SILENT LOADER Implant\r\nWe identified a second implant linked to the same campaign. The file, named silent_loader.exe, was uploaded from a similar location (Azerbaijan).\r\nGiven this artifact and the multiple aliases previously used for the group, we assess that the actor may favor the “Silent” naming motif. That preference could explain the implant’s name, Silent Loader, and supports our continued use of the Silent Lynx label for tracking.\r\nLooking into the technical details of the implant, it turns out to be extremely simple in nature and closely resembles the C++ based loader that we discovered in the very first campaign. 
This implant uses iex (the Invoke-Expression alias) to download and execute the malicious 1.ps1 file that we saw in the previous section.\r\nIt builds a complete command line to download \u0026 execute the malicious PowerShell script, and passes that command line as an argument to the CreateProcessW API. This spawns a new PowerShell process, which again connects back to the C2 framework.\r\nOne of the most interesting aspects of Silent Loader is that it exactly matches the initial loader we discovered back in November 2024 – January 2025. The only key difference is that instead of embedding the Base64-encoded blob inside the loader binary, the threat actor has made the sluggish move of downloading the content from GitHub.\r\nMalicious LAPLAS Implant – TCP \u0026 TLS\r\nWe also uncovered another malicious implant used by this threat group in this campaign, which we track under the name Laplas. It is written in C++ and uses a TCP-based network stack for communication.\r\nLooking into the initial part of this implant, we saw that it tries to connect to the malicious command-and-control server on port 443. 
The reverse shell is invoked as follows:\r\n./laplas.exe \u003cc2 address\u003e \u003cport number\u003e\r\nIf no arguments are provided at startup, the code falls back to the C2 address and port number hardcoded inside the binary, which are passed to a function, sub_F710D0, that acts as the connector.\r\nThe connector first sleeps for 5 seconds, then performs some buffer-based operations and connects to the C2 server.\r\nAnother function then XOR-decodes a hardcoded string, which turns out to be cmd.exe; this is passed as a parameter to the CreateProcess API.\r\nThe implant has a few interesting traits. One is that it contains a lot of garbage code that serves no purpose in the actual workings of the implant. Another is that the C2 server returns echo \u003csome-garbled character\u003e every time the implant connects to it.\r\nFinally, upon receiving the exit message from the threat actor, the implant releases all its resources and exits gracefully. We have also identified another version of the same LAPLAS implant, which performs nearly the same tasks, with small differences in the command-and-control infrastructure and in some functionality and artefacts: it is a TLS-based reverse shell.\r\nIt should be noted that the TLS-based implant has not been used in the Russia-Azerbaijan based campaign. 
We found it via multiple pivots, and because of its slightly unusual technical aspects we have added this section to the technical analysis.\r\nThe first point of interest is the string Phenyx2022, which we believe is simply a signature that the developer wanted to flaunt when the implant runs.\r\nThe implant then sends the message HELLO, Press Enter. to the operator. Once the handshake is done, it uses Windows objects known as pipes for I/O and for the other simple functions of this implant.\r\nAs noted, the TLS-based variant of the implant uses a different C2 address.\r\nOnce it receives the message shexit from the operator, it exits gracefully with the message Goodbye.\r\nMalicious .NET Implant – SilentSweeper\r\nWe also identified a .NET implant used in this campaign, which we track under the name SilentSweeper.\r\nAn interesting aspect of this implant is that it accepts multiple arguments, one of which, -extract, extracts a malicious PowerShell script and writes it to a file. The script is embedded inside the Resources section of the binary.\r\nApart from extracting the PowerShell script to a file, the implant also provides several other options such as -? 
which prints help on the implant’s options, and -debug, which supports debugging of the PowerShell script.\r\nAs mentioned, the implant loads a file named qw.ps1 from its Resources, reads its contents and executes them as a PowerShell script.\r\nUpon decoding the Base64 blob, we found that it downloads the malicious 1.ps1 file, the reverse shell that we analyzed in the first section of this research. In the next section, we look into the other campaign.\r\nCampaign – II\r\nLet us start by analyzing the campaign that targeted entities involved in the China-Central Asia diplomatic relationship.\r\nIn the second week of September 2025, our team found a malicious RAR archive named China-Central Asia SummitProject.rar. We believe this campaign targeted diplomatic entities, individuals and other entities involved in organizing, decision making, deal-signing and other coordination around the China-Central Asia Summit, held in Astana, Kazakhstan, in June 2025.\r\nBased on the previously uncovered campaigns and those identified by various other threat research vendors, this threat group has been observed targeting the Transport and Communication sector, including railways and other critical infrastructure domains.\r\nTherefore, analysis of the group’s historical behavior and targeted sectors indicates that the threat actors likely sought to gather intelligence on transportation and communication initiatives. 
These projects appear to be tied to the strategic framework established at the China-Central Asia Summit in 2025.\r\nNow, let us look into the technical arsenal of malicious payloads used.\r\nMalicious .NET Implant – SilentSweeper\r\nUpon hunting the suspicious RAR file China-Central Asia SummitProject.rar, we observed that the archive contained a malicious executable with a similar name.\r\nSince the SilentSweeper implant was analyzed in the previous section, we now focus on the malicious PowerShell script, which is known as TM3.ps1 in this campaign.\r\nUpon decoding the Base64 blob, we found a PowerShell script that downloads two helper scripts (a VBScript and a PowerShell script) from a remote host and then creates a scheduled task called WindowsUpdate. The task is set to run every six minutes (/sc minute /mo 6) and is triggered once immediately on creation, and the downloaded files are written to the current user’s temp folder (such as C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\WindowsUpdateService.ps1 and …\\WindowsUpdateService.vbs). In the next section, we look into the VBS and the PowerShell script.\r\nMalicious VBScript\r\nLooking into the VBScript, it became quite evident that the sole purpose of this script is to execute the next stage, which is the PowerShell file.\r\nMalicious PowerShell\r\nLooking next at the file WindowsUpdateService.ps1, we saw that it contains an encoded blob which, upon decoding, turns out to be the same final-stage reverse-shell payload that we analyzed previously in this blog. 
It is also important to note that across all the campaigns, we have seen the attacker leveraging the open-source tool Ligolo-ng.\r\nIn the next section, we focus on the hunting \u0026 infrastructure artefacts.\r\nHunting \u0026 Infrastructure\r\nDuring our analysis of both campaigns, we identified multiple artefacts that are valuable pivot points for further investigation, such as LNK metadata, infrastructure pivots \u0026 other unattributed campaigns. Let us dive into those parts.\r\nPivoting via LNK Metadata\r\nMultiple pieces of LNK metadata led us to other unattributed campaigns.\r\nInitially, while looking into the malicious LNK file, we found an interesting working directory in its metadata: C:\\Users\\GoBus\\OneDrive\\Рабочий стол, where Рабочий стол translates to Desktop.\r\nPivoting further on this artefact, we hunted a set of 11 shortcut (.LNK) files that contain the same metadata. 
Interestingly, we found a malicious RAR file, from what we believe is a still-unattributed campaign, which also uses the LNK Way and contains an LNK file with similar metadata.\r\nNext, we look into the pivots over infrastructure artefacts, which lead to a larger number of unattributed campaigns.\r\nPivoting via Infrastructure Artefacts\r\nSince we saw that the malicious PowerShell reverse shell was hosted on GitHub, pivoting further on that artefact led us to another campaign, which uses a file named resume.rar and exactly the same techniques, and which is currently unattributed in terms of the targeted sector.\r\nNext, as we looked into the multiple payloads, we found multiple pivots from the GitHub repository to other infrastructure as well. We landed on another set of malicious host addresses and, upon further pivoting, discovered another campaign that used a malicious ZIP file named WindowsUpdateService.zip serving a malicious PowerShell script.\r\nWe also uncovered another campaign connected to this malicious infrastructure artefact, as well as a binary linked to the campaigns that were serving these malicious files.\r\nWe also saw multiple executables connecting to these malicious artefacts and performing multiple tasks.\r\nNow, let us look into the infrastructure details.\r\nHost / IP Address    ASN         Location\r\n62.113.66.137        AS 60490    Russia\r\n206.189.11.142       AS 14061    Netherlands\r\n62.113.66.7          AS 60490    Russia\r\n37.18.27.27          AS 48096    Russia\r\nAttribution\r\nAttribution is indeed the toughest part, while giving a 
strict direction in terms of victimology and the many other aspects of a threat campaign, and it is often a dilemma. The uncertainty can, however, be limited to a certain degree by closely monitoring a threat group, especially its TTPs and its interest in certain geographies and their infrastructure projects, with espionage as the goal. Keeping these artefacts in mind, we have attributed these campaigns to Silent Lynx with high confidence; some of the reasons are as follows.\r\nArsenal-oriented Attribution\r\nSince we began tracking this threat group, we have seen that the operators are heavily obsessed with Base64 encoding and rely on go-to reverse shells in C++, PowerShell, Golang \u0026 .NET. We believe that the group or its operators have been following our research and decided to store the Base64-encoded blob on GitHub instead of hardcoding it into the C++ binary; as we saw in the technical analysis section, the two implants are heavily similar in terms of codebase.\r\nIn the previous campaigns, where the threat group targeted government entities of Turkmenistan with a malicious ZIP file containing the C++ loader in the first half of 2025, we saw exactly the same behavior as when it targeted diplomatic \u0026 other important entities involved in China-Central Asia relations. This proves that the group used the same TTPs in both campaigns, namely dropping the payload on disk without any decoy material.\r\nThe initial spear-phishing archives and the payload files share the same name across most of this group’s campaigns against Central Asian targets. We believe the group is too sluggish to make certain changes, which creates a unique pattern that threat hunters can use to build pattern-based detection for this group.\r\nWe also found in both campaigns that this group is heavily obsessed with using 
Golang-based tunneling tools: in the first campaign they deployed RESOCKS, while in these campaigns they switched to Ligolo-ng. Both tools share many technical similarities, such as support for encrypted tunnels, proxy chaining, and cross-platform compatibility.\r\nVictimology\r\nIn our initial research, we saw that this threat actor primarily targets multiple Central Asian nations and their critical infrastructure, such as governmental entities, the banking sector \u0026 entities involved in cross-country infrastructure projects in the same geographic zone. In this research, we identified the same on both campaigns, where a common infrastructure pivot links the campaign that targeted Russia-Azerbaijan relations with the one that targeted China-Central Asia relations; we consider this an OPSEC blunder by the threat group.\r\nWe believe that the threat group is primarily interested in events in Dushanbe, from the meeting of the Russian and Azerbaijani heads of state to projects such as the China-Tajikistan Highway and the Beijing-Dushanbe flight connection, which aim at business and other exchanges. This leads us to attribute the campaigns in terms of victimology with medium confidence with respect to the sectors being targeted.\r\nEarly-Remediations\r\nThis year we have seen Silent Lynx targeting events of interest in the Central Asian region, especially summits that involve a large amount of infrastructure dealing and many diplomatic decisions \u0026 improvements.\r\nWe believe that this group has also been keeping track of an event involving a meeting of India-Central Asia secretaries in October. For now this is mere speculation, offered as early remediation advice to the entities involved in this meeting. 
We have not seen any such campaign at the time of publishing this research; this section is to be treated as an advisory.\r\nConclusion\r\nWe conclude that Silent Lynx, which the SEQRITE APT-Team named and has been researching for about a year, has been involved in multiple campaigns targeting various countries that have initiated diplomatic and infrastructure developments, as well as other critical sectors, with multiple Central Asian nations. The group has also been targeting Russia \u0026 China based entities, is currently very active while making minimal changes to its arsenal, \u0026 might target entities involved in similar dialogue-oriented meetings. We expect Silent Lynx to continue leveraging dual-layer scripts and GitHub-hosted payloads for low-cost persistence.\r\nSEQRITE Protection\r\nMalgentCiR\r\ntrojan.50055.GC\r\nboxter.50066.SL\r\nTrojan.50056.GC\r\nIOCs\r\nHost/IP addresses\r\nupdates-check-microsoft[.]ddns[.]net\r\ncatalog-update-update-microsoft[.]serveftp[.]com\r\nhxxp://206.189.11[.]142/\r\n62[.]113[.]66[.]137\r\n62[.]113[.]66[.]7\r\n37[.]18[.]27[.]27\r\nMITRE ATT\u0026CK\r\nTactic                            Technique ID     Technique Name\r\nInitial Access / Phishing         T1566.001        Spearphishing Attachment\r\nExecution                         T1204.001        User Execution: Malicious Link\r\nExecution                         T1204.002        User Execution: Malicious File\r\nExecution                         T1106            Native API (CreateProcess / CreateProcessW)\r\nPersistence                       T1053.005        Scheduled Task/Job: Windows Task Scheduler\r\nCommand \u0026 Scripting Interpreter   T1059.001        PowerShell\r\nDefense 
Evasion                   T1027            Obfuscated Files or Information\r\nDefense Evasion                   T1036            Masquerading\r\nCommand \u0026 Control                 T1071            Application Layer Protocol (HTTPS / Web protocols)\r\nCommand \u0026 Control                 T1095            Non-Application Layer Protocol (raw TCP / custom C2)\r\nProxying \u0026 Tunneling              T1071 / T109     Tunneling / Proxy (use of Ligolo-ng), C2/mesh/tunnel\r\nExfiltration                      T1041 / T1071    Exfiltration over C2 channel / Application layer\r\nReferences\r\nA1: Newspaper Outlets\r\nRussia and Azerbaijan signal new stage in strategic cooperation – Defensehere\r\nDushanbe Hosts Putin and Leaders of Commonwealth of Independent States – The Diplomat\r\nChina-Central Asia Summit: China Southern Airlines opens new direct flight linking Beijing and Dush…\r\nChina-Central Asia Summit to draw new blueprint for future cooperation: spokesperson\r\nIndia, Central Asian states to work with Afghanistan to tackle security challenges – Latest News India\r\nA2: Existing Public Research\r\nUnveiling Silent Lynx APT: Targeting Central Asian Entities with Malicious Campaigns\r\nVTPRACTITIONERS{SEQRITE}: Tracking UNG0002, Silent Lynx and DragonClone – VirusTotal Blog\r\nShadowSilk: A Cross-Border Binary Union for Data Exfiltration – Group-IB Blog\r\nzone/eng/expertise/blog/cavalry-werewolf-atakuet-rossiyu-cherez-doveritelnye-otnosheniya-mezhdu-gosudarstvami/\r\nSilent Lynx: uncovering a cyber espionage campaign in Central Asia – Virus Bulletin\r\nSource: https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/"
	],
	"report_names": [
		"operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage"
	],
	"threat_actors": [
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fa8f111a-5ace-4234-a4f7-07ce2b429606",
			"created_at": "2026-02-07T02:00:03.663624Z",
			"updated_at": "2026-04-10T02:00:03.960722Z",
			"deleted_at": null,
			"main_name": "UNG0002",
			"aliases": [],
			"source_name": "MISPGALAXY:UNG0002",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434401,
	"ts_updated_at": 1775791720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eaaa3e7dd6533ddaffd83ca50d6a994ef7ee1e07.pdf",
		"text": "https://archive.orkl.eu/eaaa3e7dd6533ddaffd83ca50d6a994ef7ee1e07.txt",
		"img": "https://archive.orkl.eu/eaaa3e7dd6533ddaffd83ca50d6a994ef7ee1e07.jpg"
	}
}