
Threat Actor Characterization

Silence


ID: 880a7ef20988e107cb918e73bd969bd165408
Cybercrime Cybercriminal
Threat types: Intrusion, Financial Theft, Malware
Unknown UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
MITRE ATT&CK®

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. Ref: https://attack.mitre.org/groups/G0091/


Technique | Technique name | Tactics | Evidence
T1003.001 | LSASS Memory | TA0006 | OS Credential Dumping: LSASS Memory - Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.
T1021.001 | Remote Desktop Protocol | TA0008 | Remote Services: Remote Desktop Protocol - Silence has used RDP for lateral movement.
T1027.010 | Command Obfuscation | TA0005 | Obfuscated Files or Information: Command Obfuscation - Silence has used environment variable string substitution for obfuscation.
T1036.005 | Match Legitimate Resource Name or Location | TA0005 | Masquerading: Match Legitimate Resource Name or Location - Silence has named its backdoor "WINWORD.exe".
T1053.005 | Scheduled Task | TA0002, TA0003, TA0004 | Scheduled Task/Job: Scheduled Task - Silence has used scheduled tasks to stage its operation.
T1059.001 | PowerShell | TA0002 | Command and Scripting Interpreter: PowerShell - Silence has used PowerShell to download and execute payloads.
T1059.003 | Windows Command Shell | TA0002 | Command and Scripting Interpreter: Windows Command Shell - Silence has used the Windows command line to run commands.
T1059.005 | Visual Basic | TA0002 | Command and Scripting Interpreter: Visual Basic - Silence has used VBS scripts.
T1059.007 | JavaScript | TA0002 | Command and Scripting Interpreter: JavaScript - Silence has used JS scripts.
T1070.004 | File Deletion | TA0005 | Indicator Removal: File Deletion - Silence has deleted artifacts, including scheduled tasks, files communicated from the C2 and other logs.
T1090.002 | External Proxy | TA0011 | Proxy: External Proxy - Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Socks4\Socks5.
T1204.002 | Malicious File | TA0002 | User Execution: Malicious File - Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.
T1218.001 | Compiled HTML File | TA0005 | System Binary Proxy Execution: Compiled HTML File - Silence has weaponized CHM files in their phishing campaigns.
T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence.
T1553.002 | Code Signing | TA0005 | Subvert Trust Controls: Code Signing - Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).
T1566.001 | Spearphishing Attachment | TA0001 | Phishing: Spearphishing Attachment - Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments.
T1569.002 | Service Execution | TA0002 | System Services: Service Execution - Silence has used Winexe to install a service on the remote system.
T1588.002 | Tool | TA0042 | Obtain Capabilities: Tool - Silence has obtained and modified versions of publicly available tools like Empire and PsExec.