Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Silence

🌐Silence

🌐 Silence is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 28 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0091) ↗
14Use cases
0Articles
28Techniques
0IOCs

About this actor (MITRE)

[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)

Known aliases

SilenceWhisper Spider

Top techniques

T1003.001 · LSASS MemoryT1018 · Remote System DiscoveryT1021.001 · Remote Desktop Protocol

All other tracked techniques

T1027.010 · Command ObfuscationT1036.005 · Match Legitimate Resource Name or LocationT1053.005 · Scheduled TaskT1055 · Process InjectionT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.005 · Visual BasicT1059.007 · JavaScriptT1070.004 · File DeletionT1072 · Software Deployment ToolsT1078 · Valid AccountsT1090.002 · External ProxyT1105 · Ingress Tool TransferT1106 · Native APIT1112 · Modify RegistryT1113 · Screen CaptureT1125 · Video CaptureT1204.002 · Malicious FileT1218.001 · Compiled HTML FileT1547.001 · Registry Run Keys / Startup FolderT1553.002 · Code SigningT1566.001 · Spearphishing AttachmentT1569.002 · Service ExecutionT1571 · Non-Standard PortT1588.002 · Tool

Detection use cases (14)

Silence (Whisper Spider) CHM phishing chain — hh.exe spawning script interpreter AI · profile SΣ Silence post-exploitation — PsExec/Winexec service install on financial workstation hours after phishing AI · profile S 1Password impossible-travel sign-in MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match