virus logo Threat Signal Report

ShadowSilk Data Exfiltration Attack

What is the Attack?

Nearly three dozen organizations across Central Asia and the Asia-Pacific region, predominantly government agencies, have been compromised in data exfiltration campaigns attributed to the Russian and Chinese-speaking threat group known as ShadowSilk, according to Group-IB.
Group-IB’s investigation confirmed numerous victims within the Central Asian government sector. The findings underscore ShadowSilk’s heavy reliance on publicly available exploits, penetration-testing frameworks, and dark web–acquired infrastructure to carry out large-scale intrusions against strategic government targets.
ShadowSilk has been observed exploiting vulnerabilities in both Drupal Core and the WP-Automatic WordPress plugin to establish initial access. FortiGuard Labs’ network telemetry indicates ongoing threat actor activity and heightened interest in these attack vectors.
Compromised networks are then implanted with multiple web shells and utilities to enable lateral movement, privilege escalation, and the deployment of remote access trojans (RATs).

What is the recommended Mitigation?

The organizations using affected products are strongly recommended to:
• Review the official security bulletins and apply the latest security patches for CMS platforms such as Drupal and WordPress (including plugins like WP-Automatic).
• Monitor for any suspicious activity, Telegram bot traffic, and other C2 channels.

What FortiGuard Coverage is available?

• FortiGuard IPS protection is available to detect and block attacks related to CVE-2024-27956, CVE-2018-7600, and CVE-2018-7602.
• FortiGuard Labs has blocked all the known linked Indicators of Compromise (IOCs).
• Antimalware and Sandbox Service delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

description-logoOutbreak Alert

FortiGuard Labs’ network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs).

View the full Outbreak Alert Report

Additional Resources

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 | Drupal.org
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004 | Drupal.org
Blog | Group-IB


Released Date Aug 28, 2025
Tags ShadowSilk Data Exfiltration Threat Signal Attack
CVE ID


Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
Outbreak Alert Outbreak Alert
About FortiGuard Threat Signal

Learn More »