Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
The Silent Lynx APT group has been conducting espionage campaigns targeting diplomatic entities and critical infrastructure in Central Asia, Russia, and China. Two major campaigns were identified: one focused on Russia-Azerbaijan relations and another on China-Central Asia relations. The group used various malware tools including PowerShell scripts, .NET implants, and C++ reverse shells. They leveraged spear-phishing emails with malicious attachments and GitHub-hosted payloads. Key targets included government think-tanks, diplomats, and entities in mining, transport and communication industries. The campaigns coincided with important summits and meetings between the targeted countries. Attribution was based on similarities in tactics, tools, and victimology to previous Silent Lynx operations.
OPENCTI LABELS:
tajikistan,github,reverse shell,china,apt,powershell,espionage,russia,central asia,azerbaijan,silentsweeper,silent loader,ligolo-ng,laplas
AI COMMENTARY:
1. Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign unveils the latest wave of cyber espionage orchestrated by the Silent Lynx group. This threat actor has steadily sharpened its focus on Central Asia, specifically targeting diplomatic missions and critical infrastructure in Tajikistan’s capital, Dushanbe. By tracing the group’s activity back to earlier operations in Russia and China, researchers have uncovered a pattern of sophisticated intrusions that exploit geopolitical tensions and leverage custom malware to infiltrate high-value networks.
2. The Silent Lynx espionage campaigns unfolded in two principal theatres of operation. The first campaign centered on Russia-Azerbaijan relations, leveraging key political events to send tailor-made spear-phishing emails. The second campaign targeted China-Central Asia relations, coinciding with major regional summits. In each case, the group timed its attacks to align with diplomatic meetings, allowing it to capitalize on the heightened communication between embassies, think tanks, and government officials.
3. A versatile arsenal powered these intrusions. Analysts documented the use of PowerShell scripts that established initial footholds, .NET implants designed for persistent data exfiltration, and C++ reverse shells built on the Ligolo-NG framework. Payloads were deployed through GitHub-hosted repositories, enabling Silent Lynx to deliver malicious binaries under the guise of legitimate open-source projects. The group’s SilentLoader and SilentSweeper tools automated reconnaissance and lateral movement once inside compromised networks.
4. Spear-phishing remained the primary delivery vector. Attackers crafted emails with contextual relevance to target interests, embedding malicious attachments or links that pointed to GitHub content repositories. Upon execution on a victim’s machine, these files triggered scripts that reached out to remote command-and-control servers. Custom reverse shells provided operators with interactive access, while stealthy loaders injected further payloads into memory to evade endpoint defenses.
5. Silent Lynx singled out government think-tanks, diplomatic missions, and entities operating in the mining, transport, and communication industries. In Tajikistan, mining companies and private rail operators were compromised alongside embassy staff. In Russia and China, diplomatic backchannels and academic research departments provided rich sources of intelligence. Victimology across all campaigns revealed the group’s preference for organizations that influence geopolitical decision-making or manage critical infrastructure.
6. The timing of the attacks was no coincidence. Researchers noted that each wave coincided with bilateral summits between Russia and Azerbaijan or China and Central Asian states. By executing espionage operations during these high-level meetings, Silent Lynx maximized the value of intercepted communications, gaining insight into negotiation positions and regional policy deliberations.
7. Attribution to the Silent Lynx APT group is grounded in consistent TTPs and shared malware families. The reuse of PowerShell backdoors, .NET implants bearing similar command protocols, and the Ligolo-NG based reverse shell echoed patterns from past operations linked to this actor. Additionally, unique code strings within SilentLoader and the operational cadence aligned with previously documented Silent Lynx campaigns in Europe and the Middle East.
8. Operation Peek-a-Baku underscores the evolving threat landscape in Central Asia and beyond. As geopolitical rivalries intensify, state-sponsored groups like Silent Lynx will continue to refine their methods, merging open-source infrastructure with bespoke malware. Organizations operating in diplomatic, critical infrastructure, and strategic industries must bolster email defenses, monitor unusual repository access on platforms like GitHub, and implement robust endpoint protections to detect and disrupt these advanced espionage operations.