Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

Nov. 3, 2025, 8:15 p.m.

Description

The Silent Lynx APT group has been conducting espionage campaigns targeting diplomatic entities and critical infrastructure in Central Asia, Russia, and China. Two major campaigns were identified: one focused on Russia-Azerbaijan relations and another on China-Central Asia relations. The group used various malware tools including PowerShell scripts, .NET implants, and C++ reverse shells. They leveraged spear-phishing emails with malicious attachments and GitHub-hosted payloads. Key targets included government think-tanks, diplomats, and entities in mining, transport and communication industries. The campaigns coincided with important summits and meetings between the targeted countries. Attribution was based on similarities in tactics, tools, and victimology to previous Silent Lynx operations.

External References

https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/
https://otx.alienvault.com/pulse/6908b60c924632fc25bf0506
Tags
apt
espionage
powershell
russia
china
github
reverse shell
central asia
tajikistan
2025-11-03
azerbaijan
silent loader
laplas
silentsweeper
ligolo-ng

Date

  • Created: Nov. 3, 2025, 2:02 p.m.
  • Published: Nov. 3, 2025, 2:02 p.m.
  • Modified: Nov. 3, 2025, 8:15 p.m.

Indicators

  • ffda4f894ca784ce34386c52b18d61c399eb2fc8c9af721933a5de1a8fff9e1b
  • ef627bad812c25a665e886044217371f9e817770b892f65cff5877b02458374e
  • b87712a6eea5310319043414eabe69462e12738d4f460e66a59c3acb5f30e32e
  • b5a4f459bdff7947f27474840062cfce14ee2b1a0ef84da100679bc4aa2fcf77
  • b0ac155b99bc5cf17ecfd8d3c26037456bc59643344a3a30a92e2c71c4c6ce8d
  • b58f672e7fe22b3a41b507211480c660003823f814d58c04334ca9b7cdd01f92
  • ae51aef21ea4b422ef0c7eb025356e45d1ce405d66afbb3f6479d10d0600bcfd
  • a83a8eb3b522c4517b8512f7f4e9335485fd5684b8653cde7f3b9b65c432fa81
  • 9de8bbc961ff450332f40935b739d6d546f4b2abf45aec713e86b37b0799526d
  • a639a9043334dcd95e7cd239f8816851517ebb3850c6066a4f64ac39281242a3
  • 97969978799100c7be211b9bf8a152bbd826ba6cb55377284537b381a4814216
  • 821f1ee371482bfa9b5ff1aff33705ed16e0147a9375d7a9969974c43b9e16e8
  • 72a36e1da800b5acec485ba8fa603cd2713de4ecc78498fcb5d306fc3e448c7b
  • 6cb54ec004ff8b311e73ef8a8f69b8dd043b7b84c5499f4c6d79d462cea941d8
  • 67cf0e32ad30a594442be87a99882fa4ac86494994eee23bdd21337adb804d3f
  • 5e3533df6aa40e86063dd0c9d1cd235f4523d8a67d864aa958403d7b3273eaaf
  • 5bae9c364ee4f89af83e1c7d3d6ee93e7f2ea7bd72f9da47d78a88ab5cfbd5d4
  • 40d4d7b0bc47b1d30167dd7fc9bd6bd34d99b8e0ae2c4537f94716e58e7a5aeb
  • 5b58133de33e818e082a5661d151326bce5eeddea0ef4d860024c1dbb9f94639
  • 303f03ae338fddfe77c6afab496ea5c3593d7831571ce697e2253d4b6ca8a69a
  • 32035c9d3b81ad72913f8db42038fcf6d95b51d4d84208067fe22cf6323f133c
  • 2c8efe6eb9f02bf003d489e846111ef3c6cab32168e6f02af7396e93938118dd
  • 26aca51d555a0ea6d80715d8c6a9f49fea158dee11631735e16ea75c443a5802
  • 1531f13142fc0ebfb7b406d99a02ec6441fc9e40725fe2d2ac11119780995cd3
  • 262f9c63c46a0c20d1feecbd0cad75dcb8f731aa5982fef47d2a87217ecda45b
  • 123901fa1f91f68dacd9ec972e2137be7e1586f69e419fc12d82ab362ace0ba9
  • 0bce0e213690120afc94b53390d93a8874562de5ddcc5511c7b9b9d95cf8a15d
  • 036a60aa2c62c8a9be89a2060e4300476aef1af2fd4d3dd8cac1bb286c520959
  • 62.113.66.7
  • 37.18.27.27
  • 62.113.66.137
  • updates-check-microsoft.ddns.net
  • catalog-update-update-microsoft.serveftp.com
Download all indicators here!

Attack Patterns

  • Ligolo-ng
  • LAPLAS
  • SilentSweeper
  • SILENT LOADER
  • Silent Lynx

Additional Informations

  • Mining
  • Transportation
  • Telecommunications
  • Government
  • Turkmenistan
  • Kyrgyzstan
  • Tajikistan
  • Azerbaijan
  • Uzbekistan
  • China
  • Kazakhstan
  • Russian Federation