
ShadowSilk is a Group-IB original discovery — and its defining characteristic is operational architecture that hadn’t been formally documented before. Group-IB analysts identified ShadowSilk in fall 2024 during the investigation of a series of government-targeted intrusions in Central Asia. When retrospective infrastructure analysis extended the campaign timeline back to 2023, it became clear that this group had been operating undetected for more than a year inside some of the region’s most sensitive government networks.
What sets ShadowSilk apart is its “binary union” model: operators from different geographic bases coordinate targeting, infrastructure, and tooling — deliberately distributing the kill chain across jurisdictions to complicate attribution and ensure operational resilience. If one node is disrupted, the other sustains campaigns. Forensic artifacts point to multiple jurisdictions simultaneously, making single-nation attribution structurally difficult by design. This is the first cross-border APT collaboration structure of this specific type formally designated and tracked by Group-IB.
With 34 confirmed victim organizations across 8 countries — and more than 200 additional identified targets — ShadowSilk is an active and evolving threat to Central Asian and APAC government entities, confirmed operational through at least July 2025. The group continued operations after public disclosure, demonstrating that exposure alone has not disrupted them.
Key Numbers:
— 34 confirmed victim organizations across 8 countries
— 200+ additional identified targets
— 1+ year undetected dwell time before discovery (active since 2023, discovered fall 2024)
— Continued operations post-disclosure, confirmed through July 2025
— 4 subclusters identified
Geographic Focus:
— Central Asia (primary): Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, Turkmenistan
— Asia-Pacific (secondary)
— Europe (CIS countries)
— Limited US targeting observed
Campaign Timeline:
— 2023: Long-running espionage operation spanning Kyrgyzstan, Uzbekistan, Tajikistan, Turkmenistan, Pakistan, and Myanmar. Dwell time exceeded one year before discovery — a hallmark of sophisticated APT operations designed for long-term persistent access.
— 2024: Sustained government-targeted intrusion campaign spanning the full year.
— 2025: Continued post-discovery activity targeting Tajikistan, Azerbaijan, Russia, and China — confirming operational resilience following public disclosure.
Group-IB’s public disclosure of ShadowSilk’s TTPs is intentionally limited to protect ongoing investigations. The following reflects what has been documented.
APT groups targeting government entities in Central Asia and APAC with this profile typically employ spear-phishing with weaponized documents, exploitation of public-facing government applications, and abuse of trust relationships between government agencies. ShadowSilk's binary union structure means operators in different regions can exploit local trust relationships and regional knowledge to gain initial access in their respective target zones.
Sustained undetected access since 2023 implies robust persistence mechanisms — likely scheduled tasks and registry modifications, DLL side-loading, and exploitation of legitimate administrative tools (living-off-the-land techniques). Lateral movement within government networks exploits typically flat or under-segmented public-sector IT architecture. Shared administrative credentials, centralized directory services, and inter-agency network connections all provide pathways for expansion.
The structural significance of the binary union model cannot be overstated. Most APT groups cluster around a single set of operators, a shared toolkit, or infrastructure tied to one geography. ShadowSilk's distributed model provides redundancy (one node sustains operations if another is disrupted), attribution complexity (forensic artifacts point to multiple jurisdictions simultaneously), and expanded access (operators in different regions exploit local knowledge in their respective target zones). Group-IB assesses this as a structural evolution other espionage actors may adopt given its advantages.
What makes ShadowSilk difficult to catch early is that the operators compartmentalize their infrastructure across borders, so no single government entity sees the full kill chain. Adversary-centric threat intelligence is what closes that gap — it lets analysts map the relationships between the binary components and attribute activity even when the tooling is split across separate jurisdictions.
Defensive Recommendations:
— Prioritize detection of long-dwell intrusions before exfiltration. ShadowSilk's 1+ year undetected dwell time demonstrates that perimeter controls alone are insufficient.
— Segment networks: ShadowSilk exploits inter-agency trust relationships and flat network architectures — segmentation limits lateral movement opportunities.
— Correlate across agencies: ShadowSilk's binary union model means no single entity sees the full kill chain in isolation — cross-agency correlation is essential.
— Baseline normal outbound data volumes and alert on deviations, particularly to unfamiliar external endpoints. Staged exfiltration will produce detectable anomalies in volume and destination patterns.
— Avoid mass password resets or visible containment actions that signal awareness to the adversary, preserving the opportunity for intelligence-driven scoping of the full compromise.
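The outbound-volume baselining recommended above, as an added example that is not Group-IB's code or ShadowSilk tooling: it builds a per-host baseline from constructed flow records (invented host names, endpoints and byte counts), then flags both a volume deviation and a never-seen destination on the evaluated day.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): per-host daily outbound byte totals over a
# 7-day baseline window; each host talks to a single known external endpoint.
BASELINE_TOTALS = {"ws-fin-07": [20000, 20500, 19500, 21000, 20000, 19000, 20000],
                   "ws-hr-02": [5000, 5100, 4900, 5000, 5200, 4800, 5000]}
KNOWN_ENDPOINT = {"ws-fin-07": "203.0.113.10", "ws-hr-02": "203.0.113.20"}
# Flow records as (day, src_host, dst_ip, bytes_out); day 8 adds a large transfer to an
# endpoint never seen during the baseline, next to a normal day for the other host.
FLOWS = [(day, host, KNOWN_ENDPOINT[host], b)
         for host, totals in BASELINE_TOTALS.items() for day, b in enumerate(totals, 1)]
FLOWS += [(8, "ws-fin-07", "203.0.113.10", 12000),
          (8, "ws-fin-07", "198.51.100.77", 850000),
          (8, "ws-hr-02", "203.0.113.20", 5200)]

def build_baseline(flows, baseline_days):
    """Per-host (mean, stdev) of daily outbound bytes plus the set of destinations seen."""
    daily, known_dst = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, host, dst, nbytes in flows:
        if day in baseline_days:
            daily[host][day] += nbytes
            known_dst[host].add(dst)
    stats = {}
    for host, per_day in daily.items():
        vals = [per_day.get(d, 0) for d in baseline_days]  # silent days count as 0 bytes
        stats[host] = (mean(vals), pstdev(vals))
    return stats, known_dst

def detect(flows, eval_day, stats, known_dst, z_threshold=3.0):
    """Alert on hosts whose eval_day volume is >= z_threshold sigma above their baseline,
    or that contact a destination absent from the baseline (staged exfil shows as both)."""
    totals, new_dst = defaultdict(int), defaultdict(set)
    for day, host, dst, nbytes in flows:
        if day == eval_day:
            totals[host] += nbytes
            if dst not in known_dst.get(host, set()):
                new_dst[host].add(dst)
    alerts = []
    for host, total in totals.items():
        mu, sigma = stats.get(host, (0.0, 0.0))
        sigma = max(sigma, 0.05 * mu, 1.0)  # floor so a flat baseline cannot alert on noise
        z = (total - mu) / sigma
        if z >= z_threshold or new_dst[host]:
            alerts.append({"host": host, "bytes": total, "z": round(z, 1),
                           "new_destinations": sorted(new_dst[host])})
    return alerts
```

Running `detect(FLOWS, 8, *build_baseline(FLOWS, range(1, 8)))` returns one alert for ws-fin-07 (862000 bytes, new destination 198.51.100.77) and nothing for ws-hr-02, whose 4% rise stays under the threshold.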
ShadowSilk APT is a cross-border advanced persistent threat group discovered by Group-IB in fall 2024, targeting government organizations in Central Asia and the Asia-Pacific region for data exfiltration. The group operates through a “binary union” model — a collaborative cross-border operational structure where operators from different geographies coordinate targeting, infrastructure, and tooling. Group-IB is the original discoverer and primary tracker, with activity traced back to at least 2023.
The “binary union” designation indicates operators from multiple geographies coordinate campaigns collaboratively, sharing infrastructure, tooling, or access. This complicates attribution because forensic artifacts may point to multiple jurisdictions simultaneously. It also increases operational resilience: if one node is disrupted, the other sustains campaigns. Group-IB assesses this as the first formally documented cross-border APT collaboration structure of this type — and a potential template for other espionage actors given its attribution-evasion advantages.
Dark Pink, also tracked by Group-IB, operates as a more traditional single-cluster APT group targeting APAC government and military organizations. ShadowSilk’s binary union model distributes operations across geographies, meaning detection playbooks designed for single-origin actors may miss ShadowSilk’s cross-border coordination patterns. The structural difference has direct implications for defensive intelligence requirements.
The exfiltration of government data — potentially including diplomatic communications, policy documents, intelligence materials, and citizen records — carries severe strategic, national security, and economic consequences. For targeted Central Asian governments, the cost extends beyond technical remediation to include diplomatic fallout, intelligence compromise, and erosion of public trust in digital government infrastructure.
First, isolate affected systems covertly — avoid mass password resets or visible containment that signals awareness to the adversary, preserving the opportunity for intelligence-led scoping. Second, correlate observed indicators against ShadowSilk’s IOC feeds and campaign alerts to confirm attribution and determine the full scope of compromise. Third, immediately capture memory, network logs, and system artifacts before any remediation to support post-incident analysis, cross-agency intelligence sharing, and coordination with national CERTs.
Group-IB analysts assess that cross-border collaboration models will likely proliferate as threat actors recognize the attribution-evasion and resilience advantages demonstrated by ShadowSilk’s binary union structure. Government organizations in Central Asia and APAC should anticipate more geographically distributed APT operations that deliberately fragment their kill chains across jurisdictions to complicate response and attribution.