Threat Actor Profile
High APT
Description

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Malwarebytes Silent Librarian October 2020)

Confidence Score
90%
Known Aliases
Silent Librarian TA407 COBALT DICKENS
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (13)
T1114 - Email Collection
Collection
T1114.003 - Email Forwarding Rule
Collection
T1110.003 - Password Spraying
Credential Access
T1078 - Valid Accounts
Defense Evasion
T1589.002 - Email Addresses
Reconnaissance
T1589.003 - Employee Names
Reconnaissance
T1594 - Search Victim-Owned Websites
Reconnaissance
T1598.003 - Spearphishing Link
Reconnaissance
T1583.001 - Domains
Resource Development
T1585.002 - Email Accounts
Resource Development
T1588.002 - Tool
Resource Development
T1588.004 - Digital Certificates
Resource Development
T1608.005 - Link Target
Resource Development
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['Silent Librarian', 'TA407', 'COBALT DICKENS'],
 'created': '2021-02-03T16:36:38.145Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Silent Librarian](https://attack.mitre.org/groups/G0122) is '
                'a group that has targeted research and proprietary data at '
                'universities, government agencies, and private sector '
                'companies worldwide since at least 2013. Members of  [Silent '
                'Librarian](https://attack.mitre.org/groups/G0122) are known '
                'to have been affiliated with the Iran-based Mabna Institute '
                'which has conducted cyber intrusions at the behest of the '
                'government of Iran, specifically the Islamic Revolutionary '
                'Guard Corps (IRGC).(Citation: DOJ Iran Indictments March '
                '2018)(Citation: Phish Labs Silent Librarian)(Citation: '
                'Malwarebytes Silent Librarian October 2020)',
 'external_references': [{'external_id': 'G0122',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0122'},
                         {'description': '(Citation: Proofpoint TA407 '
                                         'September 2019)(Citation: '
                                         'Malwarebytes Silent Librarian '
                                         'October 2020)',
                          'source_name': 'TA407'},
                         {'description': '(Citation: Secureworks COBALT '
                                         'DICKENS August 2018)(Citation: '
                                         'Secureworks COBALT DICKENS September '
                                         '2019)(Citation: Proofpoint TA407 '
                                         'September 2019)(Citation: '
                                         'Malwarebytes Silent Librarian '
                                         'October 2020)',
                          'source_name': 'COBALT DICKENS'},
                         {'description': 'DOJ. (2018, March 23). U.S. v. '
                                         'Rafatnejad et al . Retrieved '
                                         'February 3, 2021.',
                          'source_name': 'DOJ Iran Indictments March 2018',
                          'url': 'https://www.justice.gov/usao-sdny/press-release/file/1045781/download'},
                         {'description': 'Hassold, Crane. (2018, March 26). '
                                         'Silent Librarian: More to the Story '
                                         'of the Iranian Mabna Institute '
                                         'Indictment. Retrieved February 3, '
                                         '2021.',
                          'source_name': 'Phish Labs Silent Librarian',
                          'url': 'https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment'},
                         {'description': 'Malwarebytes Threat Intelligence '
                                         'Team. (2020, October 14). Silent '
                                         'Librarian APT right on schedule for '
                                         '20/21 academic year. Retrieved '
                                         'February 3, 2021.',
                          'source_name': 'Malwarebytes Silent Librarian '
                                         'October 2020',
                          'url': 'https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/'},
                         {'description': 'Proofpoint Threat Insight Team. '
                                         '(2019, September 5). Threat Actor '
                                         'Profile: TA407, the Silent '
                                         'Librarian. Retrieved February 3, '
                                         '2021.',
                          'source_name': 'Proofpoint TA407 September 2019',
                          'url': 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian'},
                         {'description': 'Counter Threat Unit Research Team. '
                                         '(2018, August 24). Back to School: '
                                         'COBALT DICKENS Targets Universities. '
                                         'Retrieved February 3, 2021.',
                          'source_name': 'Secureworks COBALT DICKENS August '
                                         '2018',
                          'url': 'https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities'},
                         {'description': 'Counter Threat Unit Research Team. '
                                         '(2019, September 11). COBALT DICKENS '
                                         'Goes Back to School…Again. Retrieved '
                                         'February 3, 2021.',
                          'source_name': 'Secureworks COBALT DICKENS September '
                                         '2019',
                          'url': 'https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again'}],
 'id': 'intrusion-set--90784c1e-4aba-40eb-9adf-7556235e6384',
 'modified': '2025-04-25T14:49:29.613Z',
 'name': 'Silent Librarian',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}
Quick Actions
Related TTPs (13)
Email Collection
Collection
Email Forwarding Rule
Collection
Password Spraying
Credential Access
Valid Accounts
Defense Evasion
Email Addresses
Reconnaissance
View All 13 TTPs
Back to Threat Actors
Dashboard Home