{ "id": "9b667398-2455-448e-a6ab-618df9598732", "created_at": "2026-04-06T00:11:00.081851Z", "updated_at": "2026-04-10T03:35:29.068533Z", "deleted_at": null, "sha1_hash": "08df1d402225ff8a2c1cd82cdda64a68e13194b6", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44314, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:01:54 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool ProxyBot\r\n Tool: ProxyBot\r\nNames ProxyBot\r\nCategory Malware\r\nType Tunneling\r\nDescription\r\n(Group-IB) To enter standalone segments of a corporate network, Silence downloads the\r\nProxyBot module. The purpose of this software is to redirect, through an infected computer,\r\ntraffic from the external C\u0026C server to the local nodes of the compromised network, which are\r\nnot accessible from outside. We discovered two versions of the program: one in Delphi and\r\none in C#.\r\nInformation \u003chttps://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool ProxyBot\r\nChanged Name Country Observed\r\nAPT groups\r\n  Silence, Contract Crew [Unknown] 2016-Aug 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1ae887e-1bc8-41c7-93b1-42632679f84d\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1ae887e-1bc8-41c7-93b1-42632679f84d\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1ae887e-1bc8-41c7-93b1-42632679f84d" ], "report_names": [ "listgroups.cgi?u=e1ae887e-1bc8-41c7-93b1-42632679f84d" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434260, "ts_updated_at": 1775792129, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/08df1d402225ff8a2c1cd82cdda64a68e13194b6.pdf", "text": "https://archive.orkl.eu/08df1d402225ff8a2c1cd82cdda64a68e13194b6.txt", "img": "https://archive.orkl.eu/08df1d402225ff8a2c1cd82cdda64a68e13194b6.jpg" } }