Threat Actor Profile
High APT
Description

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. (Citation: Cyber Forensicator Silence Jan 2019) (Citation: SecureList Silence Nov 2017)

Confidence Score
90%
Known Aliases
Silence, Whisper Spider
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (28)
T1113 - Screen Capture (Collection)
T1125 - Video Capture (Collection)
T1090.002 - External Proxy (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1571 - Non-Standard Port (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1027.010 - Command Obfuscation (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1055 - Process Injection (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1218.001 - Compiled HTML File (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1018 - Remote System Discovery (Discovery)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.005 - Visual Basic (Execution)
T1059.007 - JavaScript (Execution)
T1072 - Software Deployment Tools (Execution)
T1106 - Native API (Execution)
T1204.002 - Malicious File (Execution)
T1569.002 - Service Execution (Execution)
T1566.001 - Spearphishing Attachment (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['Silence', 'Whisper Spider'],
 'created': '2019-05-24T17:57:36.491Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Silence](https://attack.mitre.org/groups/G0091) is a '
                'financially motivated threat actor targeting financial '
                'institutions in different countries. The group was first seen '
                'in June 2016. Their main targets reside in Russia, Ukraine, '
                'Belarus, Azerbaijan, Poland and Kazakhstan. They compromised '
                "various banking systems, including the Russian Central Bank's "
                'Automated Workstation Client, ATMs, and card '
                'processing.(Citation: Cyber Forensicator Silence Jan '
                '2019)(Citation: SecureList Silence Nov 2017) ',
 'external_references': [{'external_id': 'G0091',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0091'},
                         {'description': '(Citation: Crowdstrike GTR2020 Mar '
                                         '2020)',
                          'source_name': 'Whisper Spider'},
                         {'description': '(Citation: Cyber Forensicator '
                                         'Silence Jan 2019)(Citation: '
                                         'SecureList Silence Nov 2017) ',
                          'source_name': 'Silence'},
                         {'description': 'Crowdstrike. (2020, March 2). 2020 '
                                         'Global Threat Report. Retrieved '
                                         'December 11, 2020.',
                          'source_name': 'Crowdstrike GTR2020 Mar 2020',
                          'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'},
                         {'description': 'GReAT. (2017, November 1). Silence – '
                                         'a new Trojan attacking financial '
                                         'organizations. Retrieved May 24, '
                                         '2019.',
                          'source_name': 'SecureList Silence Nov 2017',
                          'url': 'https://securelist.com/the-silence/83009/'},
                         {'description': 'Skulkin, O.. (2019, January 20). '
                                         'Silence: Dissecting Malicious CHM '
                                         'Files and Performing Forensic '
                                         'Analysis. Retrieved November 17, '
                                         '2024.',
                          'source_name': 'Cyber Forensicator Silence Jan 2019',
                          'url': 'https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/'}],
 'id': 'intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321',
 'modified': '2024-11-17T18:19:52.955Z',
 'name': 'Silence',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Oleg Skulkin, Group-IB'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.2'}