
Silent Lynx

APT Group | Information theft and espionage | 8 zero-day CVEs | ETDA ✓

Also Known As 9 names

Sturgeon Phisher, Comrade Saiga, YoroTrooper, Salted Earth, ShadowSilk, Cavalry Werewolf, Sturgeon Fisher, SturgeonPhisher, Silent Lynx

Target Countries 21


Australia, Azerbaijan, Brazil, Canada, China, Colombia, Germany, France, India, Japan, Kyrgyzstan, Kazakhstan, Panama, Russian Federation, Singapore, Thailand, Tajikistan, Turkmenistan, Turkey, United States, Uzbekistan

Sectors Targeted

Financial, Government, Energy

Details

Origin: 🇰🇿 KZ
Last Updated: 23 Jan 2025

MITRE ATT&CK 50

T1007 - System Service Discovery
T1007-System Service Discovery
T1012 - Query Registry
T1012-Query Registry
T1016 - System Network Configuration Discovery
T1016-System Network Configuration Discovery
T1018 - Remote System Discovery
T1018-Remote System Discovery
T1027 - Obfuscated Files or Information
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1041 - Exfiltration Over C2 Channel
T1046 - Network Service Scanning
T1046-Network Service Discovery
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1056 - Input Capture
T1056.001-Input Capture
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.001-Command and Scripting Interpreter
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1078.002-Valid Accounts
T1083 - File and Directory Discovery
T1083-File and Directory Discovery
T1087 - Account Discovery
T1087-Account Discovery
T1095 - Non-Application Layer Protocol
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1127 - Trusted Developer Utilities Proxy Execution
T1134 - Access Token Manipulation
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1204.002-User Execution
T1547 - Boot or Logon Autostart Execution
T1547.001-Registry Run Keys
T1552 - Unsecured Credentials
T1552.001-Unsecured Credentials
T1560 - Archive Collected Data
T1560.001-Archive Collected Data
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1567 - Exfiltration Over Web Service
T1567.002-Exfiltration to Cloud Storage
T1589 - Gather Victim Identity Information
T1589.002-Gather Victim Identity Information