G0083: SilverTerrier
SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.[1][2]
Analyst context for executives and security teams
SilverTerrier matters because MITRE identifies it as a financially motivated Nigerian threat group observed since 2014, with reported targeting of high technology, higher education, and manufacturing. The ATT&CK relationships tie the group to commodity remote access tools, spyware, information stealers, command-and-control over common protocols, and financial theft. For leaders, the practical issue is not a single exotic technique; it is whether email, endpoint, identity, and network controls can prevent or rapidly contain common malware-enabled fraud and credential theft workflows.
Executive priority
Prioritize this as a resilience and fraud-readiness concern where the business has exposed email workflows, payment approval processes, research or manufacturing operations, or credential-heavy SaaS usage. Executives should ask whether finance, procurement, and executive-assistant workflows have enforceable verification controls; whether SOC and incident response teams can investigate commodity RAT or infostealer activity; and whether audit evidence exists for email security, MFA, endpoint monitoring, and payment-change governance. The ATT&CK object does not provide current activity or victim exposure, so priority should be based on local sector relevance and control gaps.
Technical view
ATT&CK provides no group-level detection text, platforms, or tactics, so validation should be relationship-driven. SilverTerrier is linked to NETWIRE, Agent Tesla, DarkComet, NanoCore, and Lokibot, along with command-and-control over web, file transfer, and mail protocols and financial theft. SOC teams should verify visibility into endpoint execution, persistence and network connections associated with RATs and infostealers; identity teams should validate controls around stolen credentials and mailbox abuse; and IR teams should ensure playbooks cover suspected credential theft, unauthorized remote access, and fraudulent payment attempts. Because several related tools are commodity malware, detections should focus on behavior and infrastructure patterns rather than group naming alone.
Likely telemetry
- Email security logs and message metadata for suspicious attachments, links, sender anomalies, and mail protocol abuse
- Endpoint detection telemetry for .NET malware, RAT behavior, credential access indicators, suspicious child processes, and unauthorized remote administration activity
- Network telemetry for outbound HTTP/S, SMTP/POP3/IMAP, FTP/SMB/TFTP, and other application-layer command-and-control or file-transfer patterns
- DNS and proxy logs for unusual external destinations, rare domains, and beacon-like traffic
- Identity and access logs for anomalous sign-ins, MFA events, mailbox access, and credential misuse
Detection direction
- Do not rely on a SilverTerrier-specific alert name; validate coverage for the related malware families and for generic RAT, spyware, infostealer, and BEC-adjacent behaviors.
- Tune detections for command-and-control over common web, file transfer, and mail protocols while accounting for legitimate business use of those same protocols.
- Correlate endpoint indicators with identity events and mailbox activity, because related software includes credential-stealing and remote access capabilities.
- Review false positives from legitimate remote administration tools, developer utilities, file transfer services, and automated mail systems before escalating to incident response.
- Use sector and business-process context: high technology, higher education, and manufacturing organizations should map detections to research, finance, procurement, and production-support systems where fraud or credential theft would be material.
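As an added example that is not part of the ATT&CK object or of Glexia's page, the hunt below applies the detection direction above to telemetry: it groups outbound flows over web, file-transfer and mail ports (T1071.001/.002/.003), scores each destination for beacon-like regularity, suppresses allowlisted business destinations, checks whether the originating process is one expected to speak that protocol, and escalates when the same user also has an anomalous sign-in. The log record shapes, the `ALLOWED_DESTS` and `EXPECTED_PROCS` allowlists, the user baselines and every flow and sign-in record are constructed assumptions, not real data or a real product's schema.

```python
"""Correlate network, endpoint and identity telemetry for commodity-RAT C2 hunting.

All records, allowlists and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical business destinations that legitimately use each protocol.
ALLOWED_DESTS = {
    "smtp": {"mail.corp.example"},
    "ftp": {"sftp.vendor.example"},
    "http": {"updates.corp.example"},
}
# Hypothetical processes expected to originate each protocol on endpoints.
EXPECTED_PROCS = {
    "smtp": {"outlook.exe"},
    "ftp": {"winscp.exe"},
    "http": {"chrome.exe", "msedge.exe", "outlook.exe"},
}
PORT_PROTO = {25: "smtp", 587: "smtp", 21: "ftp", 80: "http", 443: "http"}

T0 = datetime(2024, 5, 1, 9, 0, 0)  # constructed base timestamp


def _every(n, seconds, **fields):
    """Build n flow records spaced `seconds` apart (constructed data helper)."""
    return [dict(ts=T0 + timedelta(seconds=i * seconds), **fields) for i in range(n)]


# Constructed flow records joined with EDR process attribution.
FLOWS = (
    _every(6, 300, host="WS01", user="alice", dst="203.0.113.10", dport=25, proc="updater.exe")
    + _every(5, 600, host="WS03", user="carol", dst="198.51.100.7", dport=443, proc="chrome.exe")
    + [dict(ts=T0 + timedelta(seconds=s), host="WS02", user="bob",
            dst="mail.partner.example", dport=587, proc="outlook.exe")
       for s in (0, 45, 400, 410, 1300)]  # irregular: normal mail use
    + _every(5, 300, host="WS02", user="bob", dst="updates.corp.example", dport=443, proc="msedge.exe")
)
# Constructed identity events and per-user country baselines.
SIGNINS = [
    dict(user="alice", country="ZZ", ts=T0 + timedelta(minutes=20)),
    dict(user="bob", country="US", ts=T0 + timedelta(minutes=5)),
]
USER_BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def beacon_score(timestamps, min_events=4):
    """Return (event count, coefficient of variation of inter-arrival gaps), or None.

    A low coefficient of variation means near-constant spacing, i.e. beacon-like traffic.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return len(ts), pstdev(gaps) / avg


def hunt(flows, signins, baseline, cv_threshold=0.15, min_events=4):
    """Produce alerts for periodic, non-allowlisted C2-like traffic with severity from correlation."""
    grouped = defaultdict(list)
    for f in flows:
        grouped[(f["host"], f["user"], f["dst"], f["dport"], f["proc"])].append(f["ts"])
    # Users whose sign-in country falls outside their baseline.
    anomalous_users = {s["user"] for s in signins
                       if s["country"] not in baseline.get(s["user"], set())}
    alerts = []
    for (host, user, dst, dport, proc), stamps in grouped.items():
        proto = PORT_PROTO.get(dport)
        if proto is None or dst in ALLOWED_DESTS[proto]:
            continue  # not a tracked protocol, or known business destination
        score = beacon_score(stamps, min_events)
        if score is None or score[1] > cv_threshold:
            continue  # too few events or too irregular to look like a beacon
        count, cv = score
        reasons = [f"periodic {proto} to {dst}:{dport} ({count} events, cv={cv:.2f})"]
        severity = "medium"
        if proc.lower() not in EXPECTED_PROCS[proto]:
            reasons.append(f"unexpected process {proc} for {proto}")
            severity = "high"
        if user in anomalous_users:
            reasons.append(f"anomalous sign-in for {user}")
            severity = "critical"
        alerts.append(dict(host=host, user=user, dst=dst, proto=proto, proc=proc,
                           severity=severity, reasons=reasons))
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in hunt(FLOWS, SIGNINS, USER_BASELINE):
        print(alert["severity"].upper(), alert["host"], alert["user"], "; ".join(alert["reasons"]))
```

On the constructed data, the hunt returns two alerts: WS01 is critical (periodic SMTP from an unexpected process, plus an out-of-baseline sign-in for the same user) and WS03 is medium (periodic HTTPS from a browser with no identity anomaly). Bob's irregular partner mail traffic is dropped by the regularity threshold and his periodic update checks by the destination allowlist, which is the false-positive handling the direction above calls for; in production the allowlists, baselines and thresholds would come from your own environment rather than literals.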
Mitigation priorities
- Strengthen email security and user reporting workflows for suspicious attachments, links, and payment-change requests.
- Enforce MFA and conditional access for email, SaaS, VPN, and remote access services, with rapid revocation procedures for suspected credential theft.
- Maintain endpoint protection and EDR coverage capable of detecting commodity RATs, spyware, infostealers, and unauthorized remote administration behavior.
- Restrict unnecessary outbound file transfer and mail protocols, and monitor allowed protocols for anomalous destinations or usage patterns.
- Implement finance and procurement verification controls for payment changes, invoice redirection, and urgent executive requests.
Analyst notes and limits
This take is based on the official ATT&CK group object, its external references, and the listed uses relationships. The strongest decision value comes from the relationship context: SilverTerrier is associated with commodity malware and financial theft techniques rather than a detailed platform- or tactic-specific group profile in the supplied fields.
MITRE does not provide official detection guidance, platforms, or tactics for the group object itself. Related software and technique platforms should guide defensive validation but should not be treated as complete group platform coverage. Local telemetry, sector exposure, email architecture, identity controls, and financial workflow design are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.003 | Mail Protocols (sub-technique) | SilverTerrier uses SMTP for C2 communications. (Citation: Unit42 SilverTerrier 2018) |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | SilverTerrier uses HTTP for C2 communications. (Citation: Unit42 SilverTerrier 2018) |
| Enterprise | T1071.002 | File Transfer Protocols (sub-technique) | SilverTerrier uses FTP for C2 communications. (Citation: Unit42 SilverTerrier 2018) |
| Enterprise | T1657 | Financial Theft | SilverTerrier targets organizations in high technology, higher education, and manufacturing for business email compromise (BEC) campaigns with the goal of financial theft. (Citation: Unit42 SilverTerrier 2018) (Citation: Unit42 SilverTerrier 2016) |
Groups, software, and campaigns
S0336: NanoCore
S0331: Agent Tesla
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[1][2][3]
S0198: NETWIRE
S0334: DarkComet
S0447: Lokibot
Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | f310a45a5a22… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit42 SilverTerrier 2018: Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
- [2] Unit42 SilverTerrier 2016: Renals, P., Conant, S. (2016). SILVERTERRIER: The Next Evolution in Nigerian Cybercrime. Retrieved November 13, 2018.
- [3] SilverTerrier (alias record). Citations: Unit42 SilverTerrier 2018; Unit42 SilverTerrier 2016.
- [4] mitre-attack G0083
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.