Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

MITRE Techniques

• [T1566.001 ] Spearphishing Attachment – Malicious RAR archives sent as spear-phishing attachments to deliver LNK and executable stagers (“malicious RAR archive known as План развитие стратегического сотрудничества.pdf.rar”).
• [T1204.001 ] User Execution: Malicious Link – LNK shortcuts executed by victims to launch PowerShell and download remote scripts (“the RAR file contained a malicious LNK … abuse the powershell.exe binary to download and execute a malicious PowerShell file”).
• [T1204.002 ] User Execution: Malicious File – Victims executed delivered malicious executables and scripts (silent_loader.exe, laplas.exe, SilentSweeper .NET executable) that spawn processes to run payloads (“silent_loader.exe … passes the command line as an argument to CreateProcessW API”).
• [T1106 ] Native API (CreateProcess / CreateProcessW) – Loaders used CreateProcessW/CreateProcess to launch PowerShell or cmd.exe from decoded strings (“passed as a parameter to CreateProcess API”; “CreateProcessW API”).
• [T1053.005 ] Scheduled Task/Job: Windows Task Scheduler – Attackers created a scheduled task named WindowsUpdate to achieve persistence, running downloaded scripts every six minutes (“creates a scheduled task called WindowsUpdate … /sc minute /mo 6”).
• [T1059.001 ] PowerShell – PowerShell scripts and Base64-encoded blobs used to implement reverse shells and payload execution (“Base64 encoded malicious blob executed via powershell … downloads two helper scripts … WindowsUpdateService.ps1”).
• [T1027 ] Obfuscated Files or Information – Use of Base64-encoded blobs and encoded script payloads to hide final-stage behavior (“usage of Base64 encoded malicious blob executed via powershell”; “contains an encoded blob, which further upon decoding … resembles the exact final-stager reverse-shell”).
• [T1036 ] Masquerading – Filenames and task names mimicked legitimate items (Plan for the Development of Strategic Cooperation PDF, WindowsUpdate task) to blend with legitimate content (“Plan … .pdf.rar”; “scheduled task called WindowsUpdate”).
• [T1071 ] Application Layer Protocol (HTTPS / Web protocols) – Downloading payloads from GitHub and hosting domains over HTTP/HTTPS to stage components (“PowerShell file from a GitHub Repository known as GoBuster777”; C2 and hosting URLs listed).
• [T1095 ] Non-Application Layer Protocol (raw TCP / custom C2) – Custom TCP-based reverse shells connected directly to C2 ports (Laplas TCP reverse shell to port 443) (“quick TCP-based reverse shell that connects to 206.189.11.142:443”; “./laplas.exe “).
• [T1071 / T109 ] Tunneling / Proxy (use of Ligolo-ng) – Use of Ligolo-ng for tunnelled connectivity and proxying to reach internal networks and relay command and control (“threat actor also deployed the open-source tunneler Ligolo-ng alongside the PowerShell-based reverse shell”).
• [T1041 / T1071 ] Exfiltration over C2 channel / Application layer – Use of established C2 channels (reverse shells and tunneled sessions) to send command outputs and potentially exfiltrate data (“reads text commands … executes them … writes the output back over the same connection”; exfiltration over C2 mentioned).