Break the silence: tracking Silent Lynx through exposed infrastructure

Wednesday 14 October 17:00 - 17:30, Green room    

Julian Ferdinand Vögele (Recorded Future) & Chi-en (Ashley) Shen (Cisco Talos)

Silent Lynx is a persistent threat actor conducting targeted intrusion campaigns against government ministries, diplomatic missions, and civil society organizations across Central Asia since at least 2024. The group maintains a strong focus on high-value public sector organizations in the Commonwealth of Independent States (CIS), frequently leveraging spear-phishing campaigns conducted through compromised government email accounts and on malware staging through trusted public services such as GitHub to increase credibility and infection success rates.

This talk delivers a deep technical analysis of Silent Lynx's operations and infrastructure evolution from late 2024 through 2026. We detail newly uncovered infrastructure components leveraged in previously undisclosed activities, including exposed open directories, newly registered DDNS domains, and a GitHub repository associated with an operator-controlled persona, providing new visibility into the group's staging workflows, malware delivery chain and tooling development practice. In addition, we examine elements of higher-tier management infrastructure, shedding light on how the group may orchestrate campaigns and maintain control across a distributed operational environment.

We further analyse newly identified tools, payloads, and TTPs, illustrating how Silent Lynx continues to iterate on its intrusion lifecycle to evade detection and improve operational resilience. Notably, we observe an expanding focus on Linux-based systems, signalling broadening targeting strategy. This evolution is accompanied by evidence suggesting interest in exploiting vulnerabilities such as Fortinet CVE-2025-25257, alongside the adoption of new techniques and multilingual artifacts that offer clues into the group's operational maturity and possible origins. Throughout the presentation, we explore the enduring attribution challenges surrounding Silent Lynx and the potential overlapping with YoroTrooper, highlighting the increasingly blurred boundaries between threat clusters in this space. We conclude with an assessment of the group's trajectory and provide practical detection and hunting guidance for defenders seeking to identify, attribute, and disrupt these evolving operations.

Julian-Ferdinand Vögele Julian-Ferdinand is a principal threat researcher at Recorded Future's Insikt Group, specialising in malware analysis and infrastructure detection. He investigates cybercriminal, state-sponsored, and mercenary spyware operations. He previously worked in offensive security, studied computer science, and is a Virtual Routes fellow.

Chi-en Shen Chi-en Shen (Ashley) is a security researcher at Cisco Talos, specializing in emerging threats including APTs, financially motivated crimes, spyware, and mercenary group exploitation. Previously, she worked at Google Threat Analysis Group focusing on zero-day exploit hunting and botnet tracking, and at Mandiant tracking APT groups across APAC. Passionate about supporting women in InfoSec, she co-founded HITCON GIRLS, Taiwan's first security community for women, and organizes Rhacklette in Switzerland. She serves on the review boards for Black Hat Asia, Hack in the Box, and HITCON, and has spoken at Black Hat, HITCON, FIRST, and CODE BLUE. @ashl3y_shen @ashl3y-shen.bsky.social ashley-shen

Back to VB2026 Programme page

Back to VB2026 conference page

Register your interest for VB2026

Other VB2026 papers