G0091: Silence
Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[1][2]
Analyst context for executives and security teams
Silence is an ATT&CK group entry for a financially motivated actor associated with targeting financial institutions and banking systems, including ATMs and card processing environments. For leaders, the value is not just the group name: it highlights a pattern where credential theft, remote access, scripting, lateral movement, tool transfer, and cleanup behaviors can threaten payment operations and banking continuity if monitoring and identity controls are weak.
Executive priority
Prioritize this as a financial-sector resilience and incident-readiness scenario. The ATT&CK relationships point to behaviors that can affect privileged access, remote administration paths, endpoint integrity, and evidence preservation. Executives should ask whether SOC coverage, identity governance, endpoint logging, and incident response playbooks are strong enough around high-value banking, ATM, card-processing, and administrative systems. Because ATT&CK provides no official detection text for this group, local control validation and audit evidence are especially important.
Technical view
Detection and IR teams should validate coverage against the related behaviors rather than relying on the group label. Key ATT&CK-linked areas include LSASS credential access, valid account abuse, RDP use, scheduled tasks, PowerShell, Windows command shell, Visual Basic, JavaScript execution, registry modification, process injection, remote system discovery, ingress tool transfer, external proxy use, file deletion, use of software deployment tools, and use of tools such as Winexe, SDelete, and Empire. The group object has no specified platforms or tactics, so defenders should scope engineering work from the related techniques and their platforms, with particular attention to Windows-heavy administrative and financial operations environments where those related techniques apply.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, cmd, scripting engines, scheduled tasks, and suspicious command obfuscation
- Windows security logs and EDR events for LSASS access, process injection indicators, registry modification, and file deletion
- Authentication and identity logs for valid account use, privilege changes, abnormal logon patterns, and RDP sessions
- Remote administration and lateral movement logs, including RDP, Winexe-like remote execution, and software deployment tool activity
- Network telemetry for external proxy behavior, command-and-control-like connections, and tool ingress from external systems
Detection direction
- Build detections around behavior chains: a sequence of credential access followed by RDP or remote execution, tool transfer, scheduled task creation, registry changes, and cleanup is more meaningful than any single event.
- Tune for administrative false positives because several related items can be legitimate: Winexe-like remote execution, SDelete, software deployment tools, PowerShell, scheduled tasks, and RDP all require baselining of approved operators, systems, and maintenance windows.
- Validate visibility on high-value financial systems and administrative jump paths, not only general workstations. The official description references banking systems, ATMs, and card processing, so coverage gaps around specialized systems may be material.
- Include detections for stealth and evidence-reduction behaviors such as command obfuscation, matching legitimate resource names or locations, process injection, and file deletion.
- Because ATT&CK provides no official detection guidance for Silence, detection engineering should be tested against the mapped techniques and confirmed with local telemetry quality, retention, and response procedures.
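The chain-based detection and the operator baselining described in this list, worked as an added Python example that is not part of the ATT&CK page or of Glexia's own tooling. It correlates constructed EDR and Windows Security events per host into stages (LSASS access, RDP logon, tool download, scheduled-task creation, SDelete execution) inside a time window and suppresses activity by approved operators during a maintenance window. The event schema, field names, sample events, operator list and window are constructed assumptions; the Windows event IDs 4624 (logon type 10) and 4698 are real.

```python
"""Behavior-chain correlation over constructed endpoint and identity events.

Added example, not from the ATT&CK page or Glexia. The schema, sample
events, operator allowlist and maintenance window are all constructed;
map the field names to your own EDR/SIEM schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels aligned with the technique areas the page lists.
STAGES = ("credential_access", "remote_access", "tool_transfer",
          "persistence", "cleanup")

# Constructed baseline: approved operators and one maintenance window (UTC).
APPROVED_OPERATORS = {"svc-deploy", "ops.admin"}
MAINTENANCE_WINDOWS = [(datetime(2024, 5, 10, 22, 0), datetime(2024, 5, 11, 2, 0))]

# Constructed sample telemetry: one real chain, one baselined admin session,
# one isolated RDP logon.
SAMPLE_EVENTS = [
    {"ts": "2024-05-10T09:01:00", "host": "ws-teller-07", "source": "edr", "user": "j.doe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\WINWORD.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "action": "process_access"},
    {"ts": "2024-05-10T09:20:00", "host": "ws-teller-07", "source": "security", "user": "j.doe",
     "event_id": 4624, "logon_type": 10},
    {"ts": "2024-05-10T09:35:00", "host": "ws-teller-07", "source": "security", "user": "j.doe",
     "event_id": 4698},
    {"ts": "2024-05-10T10:10:00", "host": "ws-teller-07", "source": "edr", "user": "j.doe",
     "image": r"C:\Tools\sdelete.exe", "action": "process_create"},
    {"ts": "2024-05-10T23:00:00", "host": "srv-deploy-01", "source": "security", "user": "ops.admin",
     "event_id": 4624, "logon_type": 10},
    {"ts": "2024-05-10T23:10:00", "host": "srv-deploy-01", "source": "security", "user": "ops.admin",
     "event_id": 4698},
    {"ts": "2024-05-10T23:15:00", "host": "srv-deploy-01", "source": "edr", "user": "ops.admin",
     "action": "download", "url": "https://vendor.example/agent.msi"},
    {"ts": "2024-05-10T11:00:00", "host": "ws-hr-02", "source": "security", "user": "a.lee",
     "event_id": 4624, "logon_type": 10},
]


def classify(event):
    """Map a raw event to a chain stage, or None if it is not of interest."""
    src = event["source"]
    if src == "edr" and event.get("target_image", "").lower().endswith("lsass.exe"):
        return "credential_access"
    if src == "security" and event.get("event_id") == 4624 and event.get("logon_type") == 10:
        return "remote_access"          # RDP (RemoteInteractive) logon
    if src == "security" and event.get("event_id") == 4698:
        return "persistence"            # scheduled task created
    if src == "edr" and event.get("action") == "download" \
            and not event.get("url", "").startswith("https://intranet."):
        return "tool_transfer"          # download from outside the constructed intranet
    if src == "edr" and event.get("image", "").lower().endswith("sdelete.exe"):
        return "cleanup"
    return None


def in_maintenance(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def find_chains(events, window_hours=6, min_stages=3):
    """One finding per host whose events cover at least min_stages distinct
    stages within window_hours, excluding approved operators in maintenance."""
    window = timedelta(hours=window_hours)
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if ev.get("user") in APPROVED_OPERATORS and in_maintenance(ts):
            continue                    # baselined administrative activity
        per_host[ev["host"]].append((ts, stage, ev.get("user")))
    findings = []
    for host, items in per_host.items():
        items.sort(key=lambda x: x[0])
        for i, (t0, _, _) in enumerate(items):
            seen = {}
            for t, stage, user in items[i:]:
                if t - t0 > window:
                    break
                seen.setdefault(stage, (t, user))
            if len(seen) >= min_stages:
                findings.append({"host": host, "first": t0.isoformat(),
                                 "stages": [s for s in STAGES if s in seen]})
                break
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f["host"], f["first"], " -> ".join(f["stages"]))
```

The window and stage threshold are the tuning knobs the list above calls for: widen the window to catch slow-moving operators, and raise min_stages on hosts where scheduled tasks or RDP are routine.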
Mitigation priorities
- Start with identity controls: reduce standing privilege, enforce strong authentication for remote access where applicable, monitor valid account use, and review privileged access to banking and administrative systems.
- Harden remote administration paths, including RDP and software deployment tooling, with access control, segmentation, logging, and change governance.
- Improve endpoint controls and logging for scripting, scheduled tasks, registry modification, credential access attempts, and suspicious tool execution.
- Restrict and monitor tool transfer paths and outbound connectivity that could support external proxy or command-and-control communications.
- Protect evidence and recovery readiness by monitoring destructive cleanup tools such as SDelete and ensuring incident responders have sufficient log retention and endpoint isolation procedures.
Analyst notes and limits
Silence is listed with aliases Silence and Whisper Spider. The official description identifies it as financially motivated and focused on financial institutions in several countries, with cited compromise of banking systems. The provided relationships supply the practical defensive map: credential access, execution through scripting and native interfaces, lateral movement, remote administration, collection, command-and-control support, and cleanup. Treat these relationships as validation priorities, not proof of current activity in any environment.
The supplied ATT&CK object has no official detection text, no specified platforms or tactics at the group level, and no procedure-level details beyond the mirrored relationships. This analysis therefore avoids claims about active exploitation, customer exposure, guaranteed detection, or unsupported platforms. Local architecture, telemetry availability, business processes, and financial-system dependencies are required to determine actual risk and coverage.
Silence
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1571 | Non-Standard Port | Silence has used port 444 when sending data about the system from the client to the server. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1053.005 | Scheduled Task | Silence has used scheduled tasks to stage its operation. (Citation: Cyber Forensicator Silence Jan 2019) |
| Enterprise | T1055 | Process Injection | Silence has injected a DLL library containing a Trojan into the fwmain32.exe process. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Silence has used |
| Enterprise | T1059.005 | Visual Basic | Silence has used VBS scripts. (Citation: Cyber Forensicator Silence Jan 2019) |
| Enterprise | T1112 | Modify Registry | Silence can create, delete, or modify a specified Registry key or value. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1021.001 | Remote Desktop Protocol | Silence has used RDP for lateral movement. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1125 | Video Capture | Silence has been observed making videos of victims to observe bank employees' day-to-day activities. (Citation: SecureList Silence Nov 2017) (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1059.007 | JavaScript | Silence has used JS scripts. (Citation: Cyber Forensicator Silence Jan 2019) |
| Enterprise | T1218.001 | Compiled HTML File | Silence has weaponized CHM files in their phishing campaigns. (Citation: Cyber Forensicator Silence Jan 2019) (Citation: SecureList Silence Nov 2017) (Citation: Group IB Silence Aug 2019) (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1072 | Software Deployment Tools | Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1113 | Screen Capture | Silence can capture victim screen activity. (Citation: SecureList Silence Nov 2017) (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1027.010 | Command Obfuscation | Silence has used environment variable string substitution for obfuscation. (Citation: Cyber Forensicator Silence Jan 2019) |
| Enterprise | T1569.002 | Service Execution | |
| Enterprise | T1090.002 | External Proxy | Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Socks4\Socks5. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1553.002 | Code Signing | Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot). (Citation: Group IB Silence Aug 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | Silence has downloaded additional modules and malware to victims' machines. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1078 | Valid Accounts | Silence has used compromised credentials to log on to other systems and escalate privileges. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1018 | Remote System Discovery | Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts. (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1059.001 | PowerShell | Silence has used PowerShell to download and execute payloads. (Citation: Cyber Forensicator Silence Jan 2019) (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1070.004 | File Deletion | Silence has deleted artifacts, including scheduled tasks, communication files from the C2 and other logs. (Citation: Cyber Forensicator Silence Jan 2019) (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1566.001 | Spearphishing Attachment | Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. (Citation: Cyber Forensicator Silence Jan 2019) (Citation: SecureList Silence Nov 2017) (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Silence has named its backdoor "WINWORD.exe". (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1204.002 | Malicious File | Silence attempts to get users to launch malicious attachments delivered via spearphishing emails. (Citation: Cyber Forensicator Silence Jan 2019) (Citation: SecureList Silence Nov 2017) (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1059.003 | Windows Command Shell | Silence has used the Windows command line to run commands. (Citation: Cyber Forensicator Silence Jan 2019) (Citation: SecureList Silence Nov 2017) (Citation: Group IB Silence Sept 2018) |
| Enterprise | T1106 | Native API | Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks. (Citation: SecureList Silence Nov 2017) (Citation: Group IB Silence Sept 2018) |
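The environment-variable string substitution noted under T1027.010 (and the command obfuscation item under Detection direction above) is easiest to triage when an analyst can see what the command line resolves to. The following is an added Python example, not part of the ATT&CK page or of Glexia's tooling: it emulates cmd.exe's %VAR:~start,len% substring expansion against a known environment, counts the substitutions applied, and flags command lines whose count exceeds a threshold. The sample environment, sample command lines and the threshold of 3 are constructed assumptions.

```python
"""Resolve and score cmd.exe %VAR:~start,len% substring obfuscation.

Added example, not from the ATT&CK page or Glexia. The environment, the
sample command lines and the threshold are constructed assumptions; on a
real host, take the environment from the process's captured environment
block.
"""
import re

# %NAME:~start% or %NAME:~start,len%; start and len may be negative.
ENV_SUBSTR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")

# Constructed environment for the worked example.
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PROGRAMFILES": r"C:\Program Files",
    "PUBLIC": r"C:\Users\Public",
}

# Constructed command lines: one heavily substituted, one ordinary batch idiom,
# one referencing an undefined variable.
SAMPLE_CMDLINES = [
    "%COMSPEC:~20,3% /c %COMSPEC:~6,1%%COMSPEC:~4,1%%PROGRAMFILES:~4,1%",
    "echo %COMSPEC:~-7%",
    "echo %NOPE:~0,2%",
]


def cmd_substr(value, start, length=None):
    """Emulate cmd.exe substring semantics: a negative start counts from the
    end of the value, a negative length stops that many characters before the end."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    if length >= 0:
        return value[s:s + length]
    return value[s:max(n + length, s)]


def resolve_substrings(cmdline, env):
    """Return (resolved command line, number of substitutions applied)."""
    env_upper = {k.upper(): v for k, v in env.items()}  # cmd variable names are case-insensitive
    count = 0

    def repl(m):
        nonlocal count
        name = m.group(1).upper()
        if name not in env_upper:
            return m.group(0)           # cmd leaves undefined variables as literal text
        count += 1
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substr(env_upper[name], int(m.group(2)), length)

    return ENV_SUBSTR.sub(repl, cmdline), count


def assess(cmdline, env, threshold=3):
    """Flag a command line assembled from many substring substitutions."""
    resolved, count = resolve_substrings(cmdline, env)
    return {"original": cmdline, "resolved": resolved,
            "substitutions": count, "flagged": count >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = assess(line, SAMPLE_ENV)
        print(f"[{'FLAG' if r['flagged'] else ' ok '}] {r['substitutions']:>2} subst  {r['original']!r} -> {r['resolved']!r}")
```

The resolved string, not the raw one, is what should feed downstream rules (for example the WINWORD.exe masquerading row above), and the substitution count is a useful feature on its own because ordinary administrative batch files rarely assemble a single command from several substrings.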
Groups, software, and campaigns
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0191: Winexe
S0195: SDelete
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 48bf04c1915c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cyber Forensicator Silence Jan 2019: Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024.
- [2] SecureList Silence Nov 2017: GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
- [3] Crowdstrike GTR2020 Mar 2020: Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- [4] Alias "Silence" (Citation: Cyber Forensicator Silence Jan 2019) (Citation: SecureList Silence Nov 2017)
- [5] Alias "Whisper Spider" (Citation: Crowdstrike GTR2020 Mar 2020)
- [6] mitre-attack G0091
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.