Operation Peek-a-Baku: Silent Lynx APT makes sluggish shift to Dushanbe
Seqrite Labs’ APT Team was the first to assign the name “Silent Lynx” to this threat group. Both before and after that, other researchers identified parts of its early campaigns and referred to the group under various names, including YoroTrooper, Sturgeon Phisher, Cavalry Werewolf, ShadowSilk, and others. Since we were the first to uncover and track these campaigns under that name, we continue to refer to the group as Silent Lynx, to maintain consistency and avoid the confusion caused by multiple overlapping aliases.
In this blog, we explore how we identified the same group making slow, incremental changes to the way it deploys its stagers while committing small OPSEC mistakes. Those mistakes allowed us to identify campaigns that use fake RAR archives to target entities connected to the Azerbaijan-Russia relationship. The group has also been targeting China-Central Asia entities with a malicious .NET implant. We believe the group’s sole purpose is espionage, carried out hastily enough that it leaves many blunders behind, and those blunders led this research to multiple findings. We also examine the infrastructure behind the multiple campaigns and implants uncovered during the research.