Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

Severity: Medium
Published: Mon Nov 03 2025 (11/03/2025, 14:02:52 UTC)
Source: AlienVault OTX General

Description

Operation Peek-a-Baku is an espionage campaign conducted by the Silent Lynx APT group targeting diplomatic entities and critical infrastructure primarily in Central Asia, Russia, and China. The campaign uses spear-phishing emails with malicious attachments and GitHub-hosted payloads to deliver malware such as PowerShell scripts, .NET implants, and C++ reverse shells. Key targets include government think-tanks, diplomats, and sectors like mining, transport, and communications. The attacks coincide with significant diplomatic summits and meetings, indicating strategic timing. Although no known exploits are publicly reported, the campaign leverages sophisticated multi-stage malware and living-off-the-land techniques. The threat poses a medium severity risk due to its espionage nature, targeted scope, and potential for data exfiltration. European organizations with diplomatic or economic ties to the affected regions, or those involved in related sectors, should be vigilant. Mitigation requires enhanced email security, monitoring of PowerShell and network activity, and restricting use of external code repositories. Countries in Eastern and Southeastern Europe with close geopolitical or economic links to Russia, Central Asia, or China are most likely to be affected.

AI-Powered Analysis

Last updated: 11/03/2025, 20:18:44 UTC

Technical Analysis

Operation Peek-a-Baku is a targeted espionage campaign attributed to the Silent Lynx APT group, focusing on diplomatic and critical infrastructure targets in Central Asia, Russia, and China. The campaign comprises two main thrusts: one targeting Russia-Azerbaijan relations and another focusing on China-Central Asia relations. Silent Lynx employs a combination of malware tools including PowerShell scripts, .NET implants, and C++ reverse shells to establish persistence and enable remote control. Infection vectors primarily involve spear-phishing emails containing malicious attachments and payloads hosted on GitHub, which is leveraged to evade detection and facilitate payload delivery. The campaign targets government think-tanks, diplomats, and key industries such as mining, transport, and communications, aligning attacks with important diplomatic summits and meetings to maximize intelligence gathering. The group uses living-off-the-land techniques (e.g., PowerShell) and reverse shells to maintain stealth and persistence. Attribution is based on overlaps in tactics, techniques, and procedures (TTPs) with previous Silent Lynx operations, including use of tools like Ligolo-ng and SilentLoader. While no public exploits are known, the campaign's sophistication and timing indicate a well-resourced actor focused on strategic intelligence collection rather than disruptive attacks. The absence of affected software versions and patches suggests the threat relies on social engineering and custom malware rather than software vulnerabilities. The campaign's medium severity rating reflects its targeted espionage nature and potential for significant data compromise, balanced against its limited scope and lack of direct destructive impact.

Potential Impact

For European organizations, the primary impact of Operation Peek-a-Baku lies in espionage and intelligence theft, particularly for entities involved in diplomatic relations, international trade, or sectors linked to mining, transport, and communications. Confidentiality of sensitive diplomatic communications and strategic economic information could be compromised, potentially undermining national security and economic interests. The campaign’s use of sophisticated malware and living-off-the-land techniques increases the risk of prolonged undetected presence, enabling extensive data exfiltration. Although the campaign currently focuses on Central Asia, Russia, and China, European diplomatic missions, think tanks, and companies with ties to these regions could be secondary targets or collateral victims. The timing around summits suggests attackers aim to gain intelligence advantages during critical negotiations or geopolitical events. Disruption to availability or integrity is less likely, but the loss of confidentiality alone can have severe strategic consequences. Additionally, the use of GitHub-hosted payloads and spear-phishing indicates that European organizations with less mature email and endpoint defenses may be vulnerable to initial compromise. Overall, the threat underscores the need for vigilance in protecting diplomatic and critical infrastructure sectors from advanced persistent threats with geopolitical motivations.

Mitigation Recommendations

European organizations should implement targeted defenses against spear-phishing and against the campaign's post-compromise tooling:

- Email: advanced email filtering, user awareness training focused on detecting malicious attachments and links, and strict policies on opening unsolicited emails.
- Scripting: monitor and restrict PowerShell usage and other scripting environments to reduce the risk of living-off-the-land exploitation; enable logging and alerting on suspicious PowerShell commands and network connections.
- Network: segmentation and strict egress filtering to limit the ability of reverse shells to communicate with external command and control servers.
- Code repositories: since attackers use GitHub-hosted payloads, monitor and restrict downloads from external code repositories and implement application whitelisting where feasible.
- Endpoint: tune endpoint detection and response (EDR) solutions to detect .NET implants and unusual process behaviors.
- Threat hunting: regular exercises focusing on indicators of compromise related to Silent Lynx TTPs (e.g., Ligolo-ng, SilentLoader) can help identify early signs of intrusion.
- Coordination: diplomatic and critical infrastructure entities should coordinate with national cybersecurity centers for threat intelligence sharing and incident response support.
- Resilience: maintain up-to-date backups and incident response plans tailored to espionage scenarios to aid rapid containment and recovery if compromise occurs.
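The "monitor network connections" and "threat hunting on indicators of compromise" recommendations above are most useful when the pulse's indicators are actually run against telemetry. The following is an added example, not code from the OTX pulse or from Seqrite: it extracts hostnames, IPs and file hashes from log lines and matches them against the domains, IPs and a subset of the hashes listed in this page's IoC tables. The log lines are constructed for the example and their format (a DNS query log, a proxy log, and an EDR file event carrying a SHA-256) is an assumption, not any vendor's schema. Subdomains of an IoC domain are treated as hits, and hashes are matched case-insensitively, since both are common reasons for simple string matching to miss.

```python
import re

# Indicators copied from this page's IoC tables (hash set is a subset, one of each kind).
IOC_DOMAINS = {
    "catalog-update-update-microsoft.serveftp.com",
    "updates-check-microsoft.ddns.net",
}
IOC_IPS = {"37.18.27.27", "62.113.66.137", "62.113.66.7"}
IOC_HASHES = {
    "121ed107b6faa57634ea2039e2feba2e",                                  # MD5
    "1e3ce8fcf11ca3687d665d58d0adbf6862b59c43",                          # SHA-1
    "036a60aa2c62c8a9be89a2060e4300476aef1af2fd4d3dd8cac1bb286c520959",  # SHA-256
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\.[a-z]{2,}\b")
# Longest alternative first so a SHA-256 is never reported as an MD5 prefix.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def domain_hits(host: str) -> list[str]:
    """IoC domains equal to `host` or a parent of it (so cdn.<ioc> is a hit, <ioc>.other.tld is not)."""
    return [d for d in sorted(IOC_DOMAINS) if host == d or host.endswith("." + d)]


def scan_line(line_no: int, line: str) -> list[dict]:
    """Pull candidate observables out of one log line and match them against the IoC sets."""
    text = line.lower()  # hostnames and hex digests are case-insensitive
    hits = []
    for ip in sorted(set(IP_RE.findall(text))):
        if ip in IOC_IPS:
            hits.append({"line": line_no, "kind": "ip", "indicator": ip, "observed": ip})
    for host in sorted(set(HOST_RE.findall(text))):
        for d in domain_hits(host):
            hits.append({"line": line_no, "kind": "domain", "indicator": d, "observed": host})
    for h in sorted(set(HASH_RE.findall(text))):
        if h in IOC_HASHES:
            hits.append({"line": line_no, "kind": HASH_KIND[len(h)], "indicator": h, "observed": h})
    return hits


def scan(lines) -> list[dict]:
    """Scan an iterable of log lines; line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample telemetry (internal hosts are RFC 1918, the benign external IP is TEST-NET-3).
SAMPLE_LOGS = [
    "2025-11-03T14:05:10Z dns client=10.0.0.5 query=updates-check-microsoft.ddns.net type=A",
    "2025-11-03T14:05:11Z proxy src=10.0.0.5 dst=62.113.66.137:443 host=updates-check-microsoft.ddns.net action=allow",
    r"2025-11-03T14:06:02Z edr host=WS-017 event=file_create path=C:\Users\u\Downloads\report.docx sha256=036A60AA2C62C8A9BE89A2060E4300476AEF1AF2FD4D3DD8CAC1BB286C520959",
    "2025-11-03T14:07:00Z proxy src=10.0.0.8 dst=203.0.113.10:443 host=example.org action=allow",
    "2025-11-03T14:08:30Z dns client=10.0.0.9 query=cdn.catalog-update-update-microsoft.serveftp.com type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['observed']} matches IoC {hit['indicator']}")
```

Running it on the constructed lines reports the DNS lookup and the proxy connection to the ddns.net host, the proxy destination IP, the uppercase SHA-256 on the EDR event, and the subdomain of the serveftp.com host; the example.org line produces nothing. To use it on real data, replace SAMPLE_LOGS with lines read from your log store and extend IOC_HASHES with the full list from the table below.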


Technical Details

Author: AlienVault
TLP: white
References: https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/
Adversary: Silent Lynx
Pulse Id: 6908b60c924632fc25bf0506
Threat Score: null

Indicators of Compromise

Hash (no descriptions were supplied with the pulse; grouped by digest length)

MD5:
121ed107b6faa57634ea2039e2feba2e
123f6b5b0b4220a30cc1605b144ff69e
21ea02342c9ab5510201e5776dd518da
3552fb1c5a7ef8b30afa3aa1027bd298
473949798b06cf667bdd198c894e89a2
56db53cdaf0f2b4b35a3112d75535fd3
77ef95fbb1df302f18e7de1f74a7e18f
97fa48a29a56a0e769a21968c9960a26
a4840200cdc6fc37beabc18abb061df5
c2cc85e71cd58a78d2c1f336771533a9
d5353e6fcc3ff91bb83d7597f02fd0c0

SHA-1:
1e3ce8fcf11ca3687d665d58d0adbf6862b59c43
21d2420cf985eefea68d4748f0a2f1df8b7bae1d
27f6457caa686756a9ac7607e738bf6997aa6eb1
785b8800bca0b82dc4993917ab62802a0d71d40f
7d270a8beec7919d9e5d8bb61b8d72ce7209abe5
7e68880f4c8c635942b34f7119656c91f5c83183
9692b70c6b072b6153e490c98360a2ecdbdf0783
b38fe3bc82c618cb4a5e93bd4a2ef100499a26ba
d3d21d11628a3b277ce28b1aad49690b7c44ed54
d47d015903810c7f25d2d4a91c8a31d82198c81e
f80a0e833b2c7630b5a50ff24884d7bd0e06af40

SHA-256:
036a60aa2c62c8a9be89a2060e4300476aef1af2fd4d3dd8cac1bb286c520959
0bce0e213690120afc94b53390d93a8874562de5ddcc5511c7b9b9d95cf8a15d
123901fa1f91f68dacd9ec972e2137be7e1586f69e419fc12d82ab362ace0ba9
1531f13142fc0ebfb7b406d99a02ec6441fc9e40725fe2d2ac11119780995cd3
262f9c63c46a0c20d1feecbd0cad75dcb8f731aa5982fef47d2a87217ecda45b
26aca51d555a0ea6d80715d8c6a9f49fea158dee11631735e16ea75c443a5802
2c8efe6eb9f02bf003d489e846111ef3c6cab32168e6f02af7396e93938118dd
303f03ae338fddfe77c6afab496ea5c3593d7831571ce697e2253d4b6ca8a69a
32035c9d3b81ad72913f8db42038fcf6d95b51d4d84208067fe22cf6323f133c
40d4d7b0bc47b1d30167dd7fc9bd6bd34d99b8e0ae2c4537f94716e58e7a5aeb
5b58133de33e818e082a5661d151326bce5eeddea0ef4d860024c1dbb9f94639
5bae9c364ee4f89af83e1c7d3d6ee93e7f2ea7bd72f9da47d78a88ab5cfbd5d4
5e3533df6aa40e86063dd0c9d1cd235f4523d8a67d864aa958403d7b3273eaaf
67cf0e32ad30a594442be87a99882fa4ac86494994eee23bdd21337adb804d3f
6cb54ec004ff8b311e73ef8a8f69b8dd043b7b84c5499f4c6d79d462cea941d8
72a36e1da800b5acec485ba8fa603cd2713de4ecc78498fcb5d306fc3e448c7b
821f1ee371482bfa9b5ff1aff33705ed16e0147a9375d7a9969974c43b9e16e8
97969978799100c7be211b9bf8a152bbd826ba6cb55377284537b381a4814216
9de8bbc961ff450332f40935b739d6d546f4b2abf45aec713e86b37b0799526d
a639a9043334dcd95e7cd239f8816851517ebb3850c6066a4f64ac39281242a3
a83a8eb3b522c4517b8512f7f4e9335485fd5684b8653cde7f3b9b65c432fa81
ae51aef21ea4b422ef0c7eb025356e45d1ce405d66afbb3f6479d10d0600bcfd
b0ac155b99bc5cf17ecfd8d3c26037456bc59643344a3a30a92e2c71c4c6ce8d
b58f672e7fe22b3a41b507211480c660003823f814d58c04334ca9b7cdd01f92
b5a4f459bdff7947f27474840062cfce14ee2b1a0ef84da100679bc4aa2fcf77
b87712a6eea5310319043414eabe69462e12738d4f460e66a59c3acb5f30e32e
ef627bad812c25a665e886044217371f9e817770b892f65cff5877b02458374e
ffda4f894ca784ce34386c52b18d61c399eb2fc8c9af721933a5de1a8fff9e1b

IP

37.18.27.27
62.113.66.137
62.113.66.7

Domain

catalog-update-update-microsoft.serveftp.com
updates-check-microsoft.ddns.net

Threat ID: 690909ee7fff0e30cee423ea

Added to database: 11/3/2025, 8:00:46 PM

Last enriched: 11/3/2025, 8:18:44 PM

Last updated: 11/4/2025, 8:27:49 AM

Views: 12
