ShadowSilk: A Cross-Border Binary Union for Data Exfiltration
ID: 4921474f-489c-5fd0-8f2e-e53f04736a26
STIX ID: report--4921474f-489c-5fd0-8f2e-e53f04736a26
Feed Name: Group-IB Blog
ShadowSilk is an APT cluster, active since at least 2023 and still active as of July 2025, that targets government organizations across Central Asia and the broader APAC region for data exfiltration. Group-IB links ShadowSilk to YoroTrooper tooling and infrastructure, identifies Chinese- and Russian-speaking subgroups, and documents a diverse toolkit (Telegram-based C2, PowerShell loaders, Cobalt Strike/Metasploit, webshells, purchased RAT/web panels), along with IOCs and mitigation recommendations.
