Operation Peek-a-Baku: Silent Lynx APT Makes Sluggish Shift to Dushanbe

    Date: 11/05/2025

    Severity: High

    Summary

    Silent Lynx is an espionage-driven APT group known for spear-phishing campaigns impersonating government officials to target Central Asian, Russian, and Southeast Asian entities. Recent analysis shows the group’s slow tactical evolution, using fake RAR archives and malicious .NET implants, while making operational errors that exposed new infrastructure. The latest activity centers on Azerbaijan-Russia relations and China-Central Asia targets, with evidence pointing to a gradual shift in operations toward Dushanbe.

    Indicators of Compromise (IOC) List

    URLs/Domains

    updates-check-microsoft.ddns.net

    catalog-update-update-microsoft.serveftp.com

    http://206.189.11.142/

    IP Addresses

    62.113.66.137

    62.113.66.7

    37.18.27.27

    Hashes (SHA-256)

    ef627bad812c25a665e886044217371f9e817770b892f65cff5877b02458374e

    5b58133de33e818e082a5661d151326bce5eeddea0ef4d860024c1dbb9f94639

    5bae9c364ee4f89af83e1c7d3d6ee93e7f2ea7bd72f9da47d78a88ab5cfbd5d4

    72a36e1da800b5acec485ba8fa603cd2713de4ecc78498fcb5d306fc3e448c7b

    5e3533df6aa40e86063dd0c9d1cd235f4523d8a67d864aa958403d7b3273eaaf

    b58f672e7fe22b3a41b507211480c660003823f814d58c04334ca9b7cdd01f92

    ae51aef21ea4b422ef0c7eb025356e45d1ce405d66afbb3f6479d10d0600bcfd

    0bce0e213690120afc94b53390d93a8874562de5ddcc5511c7b9b9d95cf8a15d

    821f1ee371482bfa9b5ff1aff33705ed16e0147a9375d7a9969974c43b9e16e8

    262f9c63c46a0c20d1feecbd0cad75dcb8f731aa5982fef47d2a87217ecda45b

    123901fa1f91f68dacd9ec972e2137be7e1586f69e419fc12d82ab362ace0ba9

    6cb54ec004ff8b311e73ef8a8f69b8dd043b7b84c5499f4c6d79d462cea941d8

    97969978799100c7be211b9bf8a152bbd826ba6cb55377284537b381a4814216

    9de8bbc961ff450332f40935b739d6d546f4b2abf45aec713e86b37b0799526d

    b5a4f459bdff7947f27474840062cfce14ee2b1a0ef84da100679bc4aa2fcf77

    ffda4f894ca784ce34386c52b18d61c399eb2fc8c9af721933a5de1a8fff9e1b

    2c8efe6eb9f02bf003d489e846111ef3c6cab32168e6f02af7396e93938118dd

    1531f13142fc0ebfb7b406d99a02ec6441fc9e40725fe2d2ac11119780995cd3

    67cf0e32ad30a594442be87a99882fa4ac86494994eee23bdd21337adb804d3f

    036a60aa2c62c8a9be89a2060e4300476aef1af2fd4d3dd8cac1bb286c520959

    32035c9d3b81ad72913f8db42038fcf6d95b51d4d84208067fe22cf6323f133c

    a639a9043334dcd95e7cd239f8816851517ebb3850c6066a4f64ac39281242a3

    a83a8eb3b522c4517b8512f7f4e9335485fd5684b8653cde7f3b9b65c432fa81

    26aca51d555a0ea6d80715d8c6a9f49fea158dee11631735e16ea75c443a5802

    303f03ae338fddfe77c6afab496ea5c3593d7831571ce697e2253d4b6ca8a69a

    40d4d7b0bc47b1d30167dd7fc9bd6bd34d99b8e0ae2c4537f94716e58e7a5aeb

    b0ac155b99bc5cf17ecfd8d3c26037456bc59643344a3a30a92e2c71c4c6ce8d

    b87712a6eea5310319043414eabe69462e12738d4f460e66a59c3acb5f30e32e

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "catalog-update-update-microsoft.serveftp.com" or siteurl like "catalog-update-update-microsoft.serveftp.com" or url like "catalog-update-update-microsoft.serveftp.com" or domainname like "http://206.189.11.142/" or siteurl like "http://206.189.11.142/" or url like "http://206.189.11.142/" or domainname like "updates-check-microsoft.ddns.net" or siteurl like "updates-check-microsoft.ddns.net" or url like "updates-check-microsoft.ddns.net"

    Detection Query 2:

    dstipaddress IN ("37.18.27.27","62.113.66.137","62.113.66.7") or srcipaddress IN ("37.18.27.27","62.113.66.137","62.113.66.7")

    Detection Query 3:

    sha256hash IN ("5b58133de33e818e082a5661d151326bce5eeddea0ef4d860024c1dbb9f94639","1531f13142fc0ebfb7b406d99a02ec6441fc9e40725fe2d2ac11119780995cd3","ffda4f894ca784ce34386c52b18d61c399eb2fc8c9af721933a5de1a8fff9e1b","2c8efe6eb9f02bf003d489e846111ef3c6cab32168e6f02af7396e93938118dd","5bae9c364ee4f89af83e1c7d3d6ee93e7f2ea7bd72f9da47d78a88ab5cfbd5d4","303f03ae338fddfe77c6afab496ea5c3593d7831571ce697e2253d4b6ca8a69a","6cb54ec004ff8b311e73ef8a8f69b8dd043b7b84c5499f4c6d79d462cea941d8","ae51aef21ea4b422ef0c7eb025356e45d1ce405d66afbb3f6479d10d0600bcfd","b87712a6eea5310319043414eabe69462e12738d4f460e66a59c3acb5f30e32e","a639a9043334dcd95e7cd239f8816851517ebb3850c6066a4f64ac39281242a3","26aca51d555a0ea6d80715d8c6a9f49fea158dee11631735e16ea75c443a5802","0bce0e213690120afc94b53390d93a8874562de5ddcc5511c7b9b9d95cf8a15d","a83a8eb3b522c4517b8512f7f4e9335485fd5684b8653cde7f3b9b65c432fa81","5e3533df6aa40e86063dd0c9d1cd235f4523d8a67d864aa958403d7b3273eaaf","9de8bbc961ff450332f40935b739d6d546f4b2abf45aec713e86b37b0799526d","72a36e1da800b5acec485ba8fa603cd2713de4ecc78498fcb5d306fc3e448c7b","ef627bad812c25a665e886044217371f9e817770b892f65cff5877b02458374e","67cf0e32ad30a594442be87a99882fa4ac86494994eee23bdd21337adb804d3f","b58f672e7fe22b3a41b507211480c660003823f814d58c04334ca9b7cdd01f92","97969978799100c7be211b9bf8a152bbd826ba6cb55377284537b381a4814216","123901fa1f91f68dacd9ec972e2137be7e1586f69e419fc12d82ab362ace0ba9","821f1ee371482bfa9b5ff1aff33705ed16e0147a9375d7a9969974c43b9e16e8","262f9c63c46a0c20d1feecbd0cad75dcb8f731aa5982fef47d2a87217ecda45b","b5a4f459bdff7947f27474840062cfce14ee2b1a0ef84da100679bc4aa2fcf77","036a60aa2c62c8a9be89a2060e4300476aef1af2fd4d3dd8cac1bb286c520959","32035c9d3b81ad72913f8db42038fcf6d95b51d4d84208067fe22cf6323f133c","40d4d7b0bc47b1d30167dd7fc9bd6bd34d99b8e0ae2c4537f94716e58e7a5aeb","b0ac155b99bc5cf17ecfd8d3c26037456bc59643344a3a30a92e2c71c4c6ce8d")
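    The three queries above compare log fields against the literal indicator strings. For an offline sweep of exported logs, or to sanity-check the indicator list before loading it into a SIEM, the script below does the same matching with three practical adjustments: it validates each IP with the standard library so a transcription error in the list is reported rather than silently never matching, it compares URLs on the host rather than the exact string so a path or port appended after the C2 URL still triggers, and it treats the literal IP inside the URL indicator as a network indicator in its own right. This is an added example for this advisory, not Gurucul or Seqrite code; the log records are constructed, and the field names (dns_query, url, src_ip, dst_ip, sha256) are an assumed schema, not any product's log format.

```python
"""Offline IOC sweep for the Silent Lynx indicators listed above.
Added example; not Gurucul or Seqrite code. Field names are an assumed schema."""
import ipaddress
from urllib.parse import urlsplit

DOMAINS = {
    "updates-check-microsoft.ddns.net",
    "catalog-update-update-microsoft.serveftp.com",
}
URLS = {"http://206.189.11.142/"}
IPS_RAW = ["62.113.66.137", "62.113.66.7", "37.18.27.27"]
# Two of the advisory's hashes; extend with the full list when deploying.
HASHES = {
    "ef627bad812c25a665e886044217371f9e817770b892f65cff5877b02458374e",
    "5b58133de33e818e082a5661d151326bce5eeddea0ef4d860024c1dbb9f94639",
}


def validate_ips(raw):
    """Split indicator IPs into canonical good ones and malformed ones.
    A malformed entry (stray character from copy/paste) can never match a
    log field, so it is surfaced instead of being silently ignored."""
    good, bad = set(), []
    for s in raw:
        try:
            good.add(str(ipaddress.ip_address(s.strip())))
        except ValueError:
            bad.append(s)
    return good, bad


def host_of(value):
    """Lower-case host of a URL or bare hostname (trailing dot removed)."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.strip().rstrip(".").lower()


def c2_ips():
    """Indicator IPs plus any URL indicator whose host is a literal IP."""
    good, _ = validate_ips(IPS_RAW)
    for u in URLS:
        try:
            good.add(str(ipaddress.ip_address(host_of(u))))
        except ValueError:
            pass  # URL host is a name; DOMAINS already covers it
    return good


def domain_hit(host):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host_of(host)
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def match_record(rec, ips):
    """Return (ioc_type, value) hits for one log record."""
    hits = []
    q = rec.get("dns_query")
    if q and domain_hit(q):
        hits.append(("domain", host_of(q)))
    u = rec.get("url")
    if u:
        # Compare on host, not the exact string, so a path or port added
        # after the indicator URL does not evade the match.
        h = host_of(u)
        if domain_hit(h):
            hits.append(("domain", h))
        elif h in {host_of(x) for x in URLS} or h in ips:
            hits.append(("url", u))
    for f in ("src_ip", "dst_ip"):
        v = rec.get(f)
        if v and v in ips:
            hits.append(("ip", v))
    sha = rec.get("sha256")
    if sha and sha.lower() in HASHES:  # EDR exports differ in hash letter case
        hits.append(("sha256", sha.lower()))
    return hits


def scan(records):
    """Return [(record_index, hits)] for every record with at least one hit."""
    ips = c2_ips()
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r, ips))]


SAMPLE_LOGS = [  # constructed records, not real telemetry
    {"src_ip": "10.0.0.5", "dns_query": "Updates-Check-Microsoft.ddns.net."},
    {"src_ip": "10.0.0.5", "dst_ip": "206.189.11.142",
     "url": "http://206.189.11.142/update/check.php"},
    {"src_ip": "10.0.0.7", "dst_ip": "62.113.66.137"},
    {"host": "ws-12", "sha256": "EF627BAD812C25A665E886044217371F9E817770B892F65CFF5877B02458374E"},
    {"src_ip": "10.0.0.9", "dst_ip": "8.8.8.8", "dns_query": "update.microsoft.com"},
]
```

    Running scan(SAMPLE_LOGS) flags the first four constructed records (DNS lookup of an indicator domain with mixed case and a trailing dot, a request to a path under the C2 URL, a flow to an indicator IP, and an upper-case copy of an indicator hash) and leaves the benign lookup of update.microsoft.com alone. The subdomain check matters because both indicator domains sit under dynamic DNS providers, so the actor can mint new labels beneath them without changing the parent name.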

    Reference:

    https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/


    Tags

    China-Central Asia, Dushanbe, Tajikistan, Threat Actor, Silent Lynx, Cyber Espionage, Peek-a-Baku, APT, Phishing, Spear Phishing, Central Asia, Russia, Southeast Asia, Critical Infrastructure, Azerbaijan-Russia
