Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Attacks

Feb 05, 2025 | Ravie Lakshmanan | Threat Intelligence / Malware

A previously undocumented threat actor known as Silent Lynx has been linked to cyberattacks targeting various organizations in Kyrgyzstan and Turkmenistan.

"This threat group has recently targeted entities around Eastern Europe and Central Asian government think tanks involved in the banking and financial decision-making industries," Seqrite Labs researcher Subhajeet Singha said in a technical report released late last month.

Targets of the hacking group's attacks include diplomats, lawyers, government-backed banks, and think tanks. The activity has been attributed to a Kazakhstan-origin threat actor with a moderate level of confidence.

Spear-phishing emails carrying a RAR archive attachment serve as the delivery vehicle for malicious payloads that grant remote access to the compromised hosts.

The first of the two campaigns, detected by the security company on December 27, 2024, leverages the RAR archive to launch an ISO file that, in turn, contains a malicious C++ binary and a decoy PDF file. The executable subsequently runs a PowerShell script that uses Telegram bots (named "@south_korea145_bot" and "@south_afr_angl_bot") for command execution and data exfiltration.

Some of the commands executed via the bots include curl commands to download and save additional payloads from a remote server ("…com") or Google Drive.

The other campaign, in contrast, employs a malicious RAR archive containing two files: a decoy PDF and a Golang executable, the latter of which is designed to establish a reverse shell to an attacker-controlled server ("185.122.171[.]22:8082").

According to Seqrite Labs, the threat actor shares tactical overlaps with the group also tracked as SturgeonPhisher, which has been linked to attacks against Commonwealth of Independent States (CIS) nations using Golang and PowerShell tooling.

"Silent Lynx's campaigns demonstrate a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and Golang implants," Singha said.

"Their reliance on Telegram bots for command and control, combined with decoy documents and regional targeting, also highlights their focus on espionage in Central Asia and SPECA-based nations."
