3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Silent Librarian

Silent Librarian

ID: 16b21ea2f71d6aa5b4cf4e1c65e76d0489339
Cybercrime State-Sponsored
Threat types: Credential Theft, Intrusion, Data Theft
Iran UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 38% Completeness: 33% Freshness: 50%
Operation zone: UNKNOWN
Aliases Limited alias preview
TA407
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC). Ref: https://attack.mitre.org/groups/G0122/


Technique Technique name Tactics Evidence
T1110.003 Password Spraying TA0006
  • Brute Force: Password Spraying - Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets. · ref
T1114.003 Email Forwarding Rule TA0009
  • Email Forwarding Rule - Silent Librarian has set up auto forwarding rules on compromised e-mail accounts. · ref
T1583.001 Domains TA0042
  • Acquire Infrastructure: Domains - Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ. · ref
T1585.002 Email Accounts TA0042
  • Establish Accounts: Email Accounts - Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts. · ref
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations. · ref
T1588.004 Digital Certificates TA0042
  • Obtain Capabilities: Digital Certificates - Silent Librarian has obtained free Let's Encrypt SSL certificates for use on their phishing pages. · ref
T1589.002 Email Addresses TA0043
  • Gather Victim Identity Information: Email Addresses - Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches. · ref
T1589.003 Employee Names TA0043
  • Gather Victim Identity Information: Employee Names - Silent Librarian has collected lists of names for individuals from targeted organizations. · ref
T1598.003 Spearphishing Link TA0043
  • Phishing for Information: Spearphishing Link - Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page. · ref
T1608.005 Link Target TA0042
  • Stage Capabilities: Link Target - Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites. · ref
Strategic Intelligence
Limited preview
No content.
Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Empty Limited preview
No content yet.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Empty Limited preview
No content yet.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Empty Limited preview
No content yet.
IOC Appendix now
Saved successfully.
OSINT Library
Empty Limited preview
No content yet.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/0
No social links registered for this profile.
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
No images found for this threat.