A series of cyber-attacks against government organizations in Central Asia and the Asia-Pacific has been linked to a threat cluster known as ShadowSilk, according to new research by Group-IB.
The activity, which began in 2023 and remains active as of July 2025, shows clear connections to operations previously attributed to the group YoroTrooper. What is new is the scale and makeup of the campaign.
Group-IB’s investigation, supported by CERT-KG, revealed at least 35 government victims and uncovered fresh infrastructure, new tools and evidence pointing to a dual operator base of both Russian and Chinese speakers.
The researchers stress that ShadowSilk’s primary objective in every observed case is data theft, with data stolen by the group appearing for sale on dark web forums.
Tools and Tactics
ShadowSilk was observed deploying a wide-ranging arsenal of exploits, penetration-testing tools and custom malware.
Researchers observed its use of Telegram bots as a command-and-control (C2) channel, enabling attackers to issue commands, exfiltrate data and disguise malicious activity as ordinary messenger traffic.
Web panels such as JRAT and Morf Project, purchased from underground forums, were used to manage infected devices.
The group also relied on phishing emails carrying password-protected archives to gain initial access.
Once a victim executed the payload, the attackers deployed additional tools such as Cobalt Strike and Metasploit for reconnaissance, persistence and credential harvesting.
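As an added illustration of a gateway-side check for the initial-access lure described above (this is example code written for this article, not tooling from Group-IB or from the report): a ZIP archive stores its member names in cleartext even when the contents are password-protected, and encryption is signalled by bit 0 of each entry's general-purpose flag, so an attachment can be triaged without knowing the password and without extracting anything. The suffix deny-list, the verdict labels and the sample archives are assumptions constructed for the example; the "encrypted" samples are patched by hand because the Python standard library cannot write encrypted ZIPs.

```python
import io
import struct
import zipfile

# Member suffixes that should not arrive inside an e-mail attachment
# (assumption: a starter deny-list; tune it to your environment).
RISKY_SUFFIXES = (".exe", ".scr", ".lnk", ".js", ".vbs", ".hta",
                  ".bat", ".cmd", ".dll", ".iso")


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP attachment without extracting anything.

    Member names are never encrypted in ZIP, so they can be checked even when
    the contents are password-protected; encryption itself is bit 0 of the
    general-purpose flag stored with every entry.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Unparsable archives are a classic evasion; never auto-allow them.
        return {"encrypted": False, "risky": [], "verdict": "review",
                "reason": "not a parsable ZIP"}
    members = zf.infolist()
    encrypted = any(info.flag_bits & 0x1 for info in members)
    risky = [info.filename for info in members
             if info.filename.lower().endswith(RISKY_SUFFIXES)]
    if risky:
        verdict, reason = "block", "executable or script member"
    elif encrypted:
        verdict, reason = "hold", "password-protected; cannot be content-scanned"
    else:
        verdict, reason = "allow", "plain archive, no risky members"
    return {"encrypted": encrypted, "risky": risky,
            "verdict": verdict, "reason": reason}


def _build_zip(members: dict) -> bytes:
    """Constructed sample archive (stored, uncompressed) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(data: bytes) -> bytes:
    """Set flag bit 0 on every local file header (signature 50 4B 03 04, flag
    at offset 6) and central directory entry (signature 50 4B 01 02, flag at
    offset 8).  The stdlib cannot write encrypted archives, so this constructed
    sample is patched by hand: contents stay plaintext, only the flag changes.
    """
    out = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            (flag,) = struct.unpack_from("<H", out, pos + off)
            struct.pack_into("<H", out, pos + off, flag | 0x1)
            pos = out.find(sig, pos + len(sig))
    return bytes(out)


# Constructed test attachments (not real samples from the campaign).
SAMPLES = {
    "clean": _build_zip({"report.txt": b"quarterly figures"}),
    "encrypted_doc": _mark_encrypted(_build_zip({"contract.docx": b"placeholder"})),
    "encrypted_lure": _mark_encrypted(_build_zip({"Invoice_2025.pdf.exe": b"placeholder"})),
    "not_a_zip": b"hello, this is not an archive",
}


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, triage_archive(blob))
```

The point of the "hold" verdict is that a password-protected archive is opaque to the gateway's content scanners, which is exactly why the lure uses one; it should go to an analyst or a sandbox that can be handed the password, not be waved through because nothing malicious was found.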
Russian and Chinese Operators
Server analysis showed Russian keyboard layouts and typos in commands, alongside test activity suggesting malware development by Russian-speaking operators.
Meanwhile, screenshots of attacker workstations revealed Chinese-language vulnerability tools and visits to Central Asian government websites, pointing to the involvement of Chinese speakers.
Group-IB researchers concluded that ShadowSilk is not simply a continuation of YoroTrooper, but a distinct threat cluster with shared roots.
“ShadowSilk continues to focus on the government sector in Central Asia and the broader APAC region, underscoring the importance of monitoring its infrastructure to prevent long-term compromise and data exfiltration,” the report said, noting that the group’s operations remain ongoing.
Security Recommendations
Experts advise that organizations use strong email protection measures to prevent initial compromise through spear-phishing emails, and closely monitor the use of commands and built-in tools often leveraged to collect system and file information.
They also recommend combining strict application control, regular patching and high-fidelity MXDR analytics tuned to known malware artefacts.
Finally, security teams should ensure their defenses enable proactive threat hunting to uncover threats that cannot be detected automatically, and should regularly monitor dark web forums and data leak sources to better assess their organization’s overall security posture.
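To make two of these recommendations concrete, namely watching for built-in discovery commands and for Telegram Bot API traffic from processes that have no business talking to it (the C2 channel described earlier), here is an added detection example written for this article, not code from Group-IB or the report. It runs over constructed endpoint events shaped loosely like Sysmon process-creation and network-connection records; the discovery-tool list, the allowed-process list, the five-minute window and the threshold of three distinct tools are assumptions to tune against your own telemetry.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in tools commonly run to collect system, account and file information
# (assumption: a starter list, extend it from your own telemetry).
DISCOVERY_CMDS = {"whoami", "systeminfo", "ipconfig", "hostname", "tasklist",
                  "net", "nltest", "quser", "netstat", "arp", "wmic"}
# Processes expected to talk to the Telegram Bot API host (assumption).
TELEGRAM_OK_IMAGES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
TELEGRAM_API_HOST = "api.telegram.org"
WINDOW = timedelta(minutes=5)   # assumption: burst window
THRESHOLD = 3                   # assumption: distinct tools per window


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def discovery_tools(cmdline: str) -> set:
    """Return the discovery tools named anywhere in a command line."""
    tokens = set()
    for tok in cmdline.split():
        name = _basename(tok)
        tokens.add(name[:-4] if name.endswith(".exe") else name)
    return DISCOVERY_CMDS & tokens


def detect(lines) -> list:
    """Run both rules over JSON event lines; return a list of alert dicts."""
    alerts = []
    per_host = defaultdict(list)          # host -> [(timestamp, tool)]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "process":
            for tool in discovery_tools(ev["cmd"]):
                per_host[ev["host"]].append((ts, tool))
        elif (ev["event"] == "network"
              and ev.get("dst_host", "").lower() == TELEGRAM_API_HOST
              and _basename(ev["image"]) not in TELEGRAM_OK_IMAGES):
            # Messenger traffic is only "ordinary" when a messenger produces it.
            alerts.append({"rule": "telegram_c2", "host": ev["host"],
                           "ts": ev["ts"], "image": ev["image"]})
    # Discovery burst: THRESHOLD distinct tools on one host inside WINDOW.
    for host, hits in per_host.items():
        hits.sort()
        for ts, _ in hits:
            recent = {tool for t, tool in hits if ts - WINDOW <= t <= ts}
            if len(recent) >= THRESHOLD:
                alerts.append({"rule": "discovery_burst", "host": host,
                               "ts": ts.isoformat(), "tools": sorted(recent)})
                break                     # one alert per host is enough here
    return alerts


# Constructed sample events (not real logs from the campaign).  Raw string so
# the JSON backslash escapes survive.
SAMPLE_LOG = r"""
{"ts": "2025-07-01T09:00:01", "host": "GOV-WS01", "event": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c whoami"}
{"ts": "2025-07-01T09:00:03", "host": "GOV-WS01", "event": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c systeminfo"}
{"ts": "2025-07-01T09:00:05", "host": "GOV-WS01", "event": "process", "image": "C:\\Windows\\System32\\net.exe", "cmd": "net group \"domain admins\" /domain"}
{"ts": "2025-07-01T09:00:07", "host": "GOV-WS01", "event": "process", "image": "C:\\Windows\\System32\\tasklist.exe", "cmd": "tasklist /v"}
{"ts": "2025-07-01T09:00:20", "host": "GOV-WS01", "event": "network", "image": "C:\\Users\\Public\\svchost.exe", "dst_host": "api.telegram.org", "dst_port": 443}
{"ts": "2025-07-01T09:10:00", "host": "GOV-WS02", "event": "network", "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe", "dst_host": "api.telegram.org", "dst_port": 443}
{"ts": "2025-07-01T11:00:00", "host": "GOV-WS02", "event": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c ipconfig /all"}
{"ts": "2025-07-01T11:30:00", "host": "GOV-WS02", "event": "process", "image": "C:\\Windows\\System32\\whoami.exe", "cmd": "whoami"}
"""


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two design points matter here. First, the Telegram rule keys on the process, not the destination: at the network perimeter the traffic is indistinguishable from a legitimate desktop client, so the signal is an unexpected binary (here a `svchost.exe` living under `C:\Users\Public`) making the connection, which requires endpoint telemetry that ties connections to images. Second, the discovery rule counts distinct tools in a window rather than single commands, because an administrator running `whoami` once is normal while `whoami`, `systeminfo` and `net group` within seconds of each other on a government workstation is the post-compromise reconnaissance the article describes.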