G0122: Silent Librarian
Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute, which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).[1][2][3]
Analyst context for executives and security teams
Silent Librarian matters because ATT&CK describes it as targeting research and proprietary data across universities, government agencies, and private sector organizations. The practical risk is not only malware; the related behaviors emphasize identity abuse, password spraying, phishing links, and email collection, which can turn ordinary user accounts and mailboxes into long-lived access to sensitive information.
Executive priority
Treat this as a test of identity, email, and sensitive-data protection readiness. Leaders should ask whether the organization can prove it detects password spraying, compromised valid-account use, suspicious mailbox access, and unauthorized email forwarding rules. For research-heavy, public-sector, academic, or IP-driven environments, this behavior supports prioritizing identity hardening, mailbox auditability, phishing resilience, and incident response playbooks for credential compromise and data exposure.
Technical view
MITRE does not provide an official detection section or explicit platforms/tactics for the group object, so validation should be driven by the linked techniques. SOC and IR teams should map coverage across reconnaissance/resource-development indicators such as lookalike domains, attacker-controlled email accounts, link targets, and public exposure of employee names and email addresses; credential-access behavior such as password spraying; and post-compromise collection through valid accounts, email access, and forwarding rules. Technique scopes include PRE behaviors, Identity Provider/IaaS-style credential abuse, and Office Suite/email collection contexts, but local platform applicability must be confirmed.
Likely telemetry
- Identity provider, SSO, VPN, and cloud authentication logs for failed and successful logons
- Password spraying indicators such as many accounts receiving the same or small set of password attempts
- Mailbox audit logs showing access, search, export, forwarding, and rule creation events
- Email security gateway or mail platform logs for spearphishing messages and clicked links
- DNS, domain registration, certificate transparency, and web proxy evidence for suspicious domains, certificates, and link targets
Detection direction
- Validate correlation between password-spraying attempts and later successful logins to mail, SSO, VPN, or cloud services.
- Alert on new or modified mailbox forwarding rules, especially external forwarding or rules that hide, delete, or redirect messages; tune for legitimate delegation and business forwarding workflows.
- Review successful valid-account use after phishing-link interaction, unusual geography, new device/session patterns, or abnormal mailbox activity.
- Monitor for domains, certificates, and link targets that resemble organization-owned or sector-relevant services, while recognizing that ATT&CK does not provide specific indicators here.
- Account for false positives from academic enrollment cycles, distributed workforces, traveling users, shared research collaborations, and bulk administrative mailbox changes.
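As an added example (not ATT&CK text and not Glexia's code), the correlation from the first bullet run over a constructed set of identity-provider logon events: one source fails against many distinct accounts inside a short window (the spraying signature), and any later success from that source, or for one of the sprayed accounts, is raised as an alert, while a single user mistyping their own password is not. The event tuples, field names, and the thresholds (five accounts in thirty minutes, 24-hour look-ahead) are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events, not real telemetry: (ISO timestamp, account, source IP, outcome)
SAMPLE_EVENTS = [
    ("2021-02-03T09:00:01", "a.smith", "203.0.113.7", "FAILURE"),
    ("2021-02-03T09:00:05", "b.jones", "203.0.113.7", "FAILURE"),
    ("2021-02-03T09:00:09", "c.lee", "203.0.113.7", "FAILURE"),
    ("2021-02-03T09:00:14", "d.khan", "203.0.113.7", "FAILURE"),
    ("2021-02-03T09:00:20", "e.wong", "203.0.113.7", "FAILURE"),
    ("2021-02-03T09:41:00", "c.lee", "203.0.113.7", "SUCCESS"),
    # one user mistyping their own password twice, then logging in normally (should not alert)
    ("2021-02-03T09:02:00", "f.ortiz", "198.51.100.4", "FAILURE"),
    ("2021-02-03T09:02:30", "f.ortiz", "198.51.100.4", "FAILURE"),
    ("2021-02-03T09:03:00", "f.ortiz", "198.51.100.4", "SUCCESS"),
]

def parse_events(raw):
    """Convert (iso_timestamp, account, ip, outcome) tuples to datetime tuples sorted by time."""
    return sorted((datetime.fromisoformat(ts), user, ip, outcome) for ts, user, ip, outcome in raw)

def find_spray_sources(events, min_accounts=5, window=timedelta(minutes=30)):
    """Return {source_ip: (window_start, sprayed_accounts)} for each source whose failures hit at least
    min_accounts distinct accounts inside `window`; one account failing repeatedly is not flagged."""
    fails = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "FAILURE":
            fails[ip].append((ts, user))
    sprays = {}
    for ip, items in fails.items():
        start = 0
        for end in range(len(items)):  # sliding time window over the time-sorted failures
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {user for _, user in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                sprays[ip] = (items[start][0], accounts)
                break
    return sprays

def correlate_success(events, sprays, lookahead=timedelta(hours=24)):
    """Alert on a SUCCESS after a detected spray, from the spraying source or for a sprayed account."""
    alerts = []
    for ts, user, ip, outcome in events:
        if outcome != "SUCCESS":
            continue
        for src, (start, accounts) in sprays.items():
            if start <= ts <= start + lookahead and (ip == src or user in accounts):
                alerts.append({"account": user, "source": ip, "spray_source": src, "time": ts.isoformat()})
    return alerts
```

Matching on the sprayed account as well as the source IP is what catches a follow-on logon from fresh infrastructure; in production the thresholds should be tuned against the enrollment-cycle and travel patterns noted above.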
Mitigation priorities
- Prioritize phishing-resistant authentication and strong access controls for email, SSO, VPN, and cloud accounts where feasible.
- Harden password-spraying resistance through rate limiting, lockout policies, password hygiene, and monitoring that does not rely only on single-account brute-force thresholds.
- Enable and retain mailbox and identity audit logs long enough to support investigations of credential theft and email collection.
- Restrict or review external email forwarding and require administrative visibility into mailbox rule changes.
- Reduce reconnaissance value by reviewing public exposure of employee names, email addresses, departments, and sensitive research or business relationships.
Analyst notes and limits
The strongest decision value comes from the relationship context: Silent Librarian is associated in ATT&CK with credential-focused access, phishing-for-information, email collection, and preparatory infrastructure/reconnaissance. That makes identity and email telemetry more important than endpoint-only coverage for this object.
The supplied ATT&CK group object has no official detection text, no specified platforms, and no group-level tactics. This summary therefore avoids claiming specific detection coverage, active exploitation, or environment exposure. Organizations must validate applicability against their own identity providers, mail platforms, cloud services, public web presence, and data sensitivity.
Silent Librarian
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1588.004 | Digital Certificates (sub-technique) | Silent Librarian has obtained free Let's Encrypt SSL certificates for use on their phishing pages. (Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS September 2019) |
| Enterprise | T1594 | Search Victim-Owned Websites | Silent Librarian has searched victim's websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages. (Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Proofpoint TA407 September 2019) |
| Enterprise | T1114 | Email Collection | Silent Librarian has exfiltrated entire mailboxes from compromised accounts. (Citation: DOJ Iran Indictments March 2018) |
| Enterprise | T1598.003 | Spearphishing Link (sub-technique) | Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page. (Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS August 2018)(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020) |
| Enterprise | T1589.003 | Employee Names (sub-technique) | Silent Librarian has collected lists of names for individuals from targeted organizations. (Citation: DOJ Iran Indictments March 2018) |
| Enterprise | T1114.003 | Email Forwarding Rule (sub-technique) | Silent Librarian has set up auto forwarding rules on compromised e-mail accounts. (Citation: DOJ Iran Indictments March 2018) |
| Enterprise | T1585.002 | Email Accounts (sub-technique) | Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts. (Citation: DOJ Iran Indictments March 2018) |
| Enterprise | T1589.002 | Email Addresses (sub-technique) | Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches. (Citation: DOJ Iran Indictments March 2018) |
| Enterprise | T1608.005 | Link Target (sub-technique) | Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites. (Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) |
| Enterprise | T1110.003 | Password Spraying (sub-technique) | Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets. (Citation: DOJ Iran Indictments March 2018) |
| Enterprise | T1583.001 | Domains (sub-technique) | Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ. (Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS August 2018)(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020) |
| Enterprise | T1588.002 | Tool (sub-technique) | Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations. (Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019) |
| Enterprise | T1078 | Valid Accounts | Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts. (Citation: DOJ Iran Indictments March 2018) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 602e9bea92b5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] DOJ Iran Indictments March 2018: DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.
- [2] Phish Labs Silent Librarian: Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.
- [3] Malwarebytes Silent Librarian October 2020: Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.
- [4] COBALT DICKENS (alias): (Citation: Secureworks COBALT DICKENS August 2018)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Proofpoint TA407 September 2019)(Citation: Malwarebytes Silent Librarian October 2020)
- [5] Proofpoint TA407 September 2019: Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
- [6] Secureworks COBALT DICKENS August 2018: Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021.
- [7] Secureworks COBALT DICKENS September 2019: Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021.
- [8] TA407 (alias): (Citation: Proofpoint TA407 September 2019)(Citation: Malwarebytes Silent Librarian October 2020)
- [9] mitre-attack G0122
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.