Targeted data-exfiltration campaign
FortiGuard Labs’ network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs). Learn More »
Common Vulnerabilities and Exposures
Background
ShadowSilk is an advanced persistent threat (APT) group active since at least 2023. The group has targeted nearly three dozen organizations across Central Asia and the Asia-Pacific region, with a particular focus on government entities.
Investigations by Group-IB confirmed numerous victims within the Central Asian government sector. ShadowSilk operations are characterized by the use of publicly available exploits, penetration-testing frameworks, and infrastructure sourced from the dark web to facilitate large-scale data exfiltration campaigns.
Latest Development
Recent news and incidents related to this threat, including data breaches, cyber-attacks, security incidents, and newly discovered vulnerabilities.
FortiGuard customers are protected by multiple layers of defense against these exploits. However, immediate patching of affected systems is strongly advised, if not already done. FortiGuard Incident Response is available to assist with investigation and remediation in cases of suspected compromise.
- August 28, 2025: FortiGuard Labs published a Threat Signal Report. https://www.fortiguard.com/threat-signal-report/6190/shadowsilk-data-exfiltration-attack
- August 27, 2025: In June 2025, Group-IB observed renewed activity and new infrastructure, identified additional government victims in Central Asia, and collected new IOCs. https://www.group-ib.com/blog/shadowsilk/
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- AV
- AV (Pre-filter)
- Behavior Detection
- IPS
- Botnet C&C
- IOC
- Outbreak Detection
- Threat Hunting
- Automated Response
- Assisted Response Services
- NOC/SOC Training
- End-User Training
- Vulnerability Management
- Attack Surface Monitoring (Inside & Outside)
- Attack Surface Hardening
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events, including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware, and related vulnerabilities.
References
Sources of information relating to this Outbreak and the vendor.