{
	"id": "236e153d-1a71-4c80-a2f3-6a976c21ada2",
	"created_at": "2026-04-06T00:19:35.092531Z",
	"updated_at": "2026-04-10T03:35:29.07385Z",
	"deleted_at": null,
	"sha1_hash": "20e86ad610a073baa201edef8ced9be742d38f8d",
	"title": "Silence Group Playbook: Protecting Your Infrastructure | Fortinet Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1398546,
	"plain_text": "Silence Group Playbook: Protecting Your Infrastructure | Fortinet Blog\r\nBy FortiGuard SE Team\r\nPublished: 2019-04-15 · Archived: 2026-04-05 18:05:51 UTC\r\nActive since 2016, Silence Group is a cybercriminal organization that targets banks, specifically stealing information used in the payment card industry. There has been ample coverage [1] [2] of this group over the years that highlights their TTPs (Tactics, Techniques, and Procedures) [3]. The aim of this playbook is to provide first responders with relevant, up-to-date analysis, samples, and indicators of compromise that should help security professionals better protect their infrastructures.\r\nAdversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as Silence Group as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.\r\nSilence Group Playbook: Overview\r\nThe modus operandi of the Silence Group is simple: make as much money as possible by compromising targets, in this case banks, via spear phishing, which then leads to the exfiltration of financial data and also allows the attackers to “Jackpot” ATMs to withdraw money.\r\nTo achieve these goals, the Silence Group is known to repurpose publicly available tools, as well as to use a technique the cybersecurity industry refers to as “living off the land.” This means that they attempt to operate for as long as possible using the preexisting tools or commands built into the operating system of their target, to maximize the time they are able to spend within the target environment. 
This strategy has two benefits: first, using locally available tools helps them better evade detection, and second, it helps them establish a deeper and stronger foothold.\r\nHowever, the group does not rely exclusively on publicly available tools. They are also known to write their own sets of modular, custom tools. As the motivations and various TTPs of their living-off-the-land strategy have been documented previously, this blog will focus on the details of the custom tools developed exclusively by this group.\r\nTechnical Details\r\nLike most attacks, the typical Silence Group threat begins with a spear phishing email with malicious attachments. The attachments may be in the form of a weaponized Microsoft Word document or a Microsoft Compiled HTML Help (CHM) file sent to banks to entice their users to click on the attachments. For example, the following is a help file sent to a user:\r\nhttps://www.fortinet.com/blog/threat-research/silence-group-playbook.html\r\nPage 1 of 9\n\n[1] https://securelist.com/the-silence/83009/\r\n[2] https://www.group-ib.com/blog/silence\r\n[3] https://reaqta.com/2019/01/silence-group-targeting-russian-banks/\r\nWhile this screenshot may seem innocuous, when a user inadvertently executes the file’s malicious script, it contacts a server in the background. The script then initiates the second stage of this attack by downloading a file from that server to the user's machine and executing it.\r\nThis obfuscated VBS file is executed within the context of a browser window inside the help file, where it deobfuscates itself and executes a PowerShell command. 
Unbeknownst to the user, this new PowerShell command calls out to another server to retrieve a binary file, which it then decrypts into a third-stage downloader. This last downloader is designed to acquire the actual Silence payload, which consists of several different modules depending on which phase of the overall attack the group is currently in. The modules we describe in this playbook include a proxy, a monitoring agent, an ATM module, and the main Silence module itself.\r\nDownloader Stage\r\nThe downloader stage of this attack strategy has functionally stayed the same throughout the few years this group has been active. For persistence, the registry key the module sets usually mimics a well-known product to avoid detection. The same can be said for the filename it renames itself to. The downloader itself accepts three distinct commands.\r\nThe downloader contacts a separate C\u0026C server to get a command. If the command contains the string 'HTTP', then this module will parse the command and download the specified file. This new file is also given a seemingly benign name, such as “conhost” or “igfxpers_”, with a string appended to it based on the username or a randomly generated GUID value, before being executed.\r\nMain Module\r\nThe main module of Silence allows the group to handle the different aspects of their attack.\r\nProxy Module\r\nWhile one set of proxy modules was developed in Delphi, another set was built using the .NET Framework. This lends credence to the theory proposed by Group-IB that the Silence group likes to modify existing tools for their own purposes. [1]\r\nThe proxy module can be used as a springboard to other networks, or in this case, to dive deeper into the internal bank network. 
Looking closer at the .NET proxy modules, for example, one can see that the SmartAssembly obfuscator was used to try to hide the module's payload.\r\n[1] https://www.group-ib.com/blog/silence\r\nFigure 1. Screenshot of Proxy Module\r\nDebugging the module leads to a configuration file being loaded. The connection details can be seen in the screenshot above, using a password such as “password”.\r\nMonitor Module\r\nThe monitor module has one function: it gives the authors the capability to spy on the infected machines. Screenshots are taken and interprocess communication is used to transfer the data to the main module. In this way, it can function similarly to a video stream.\r\nATM Module\r\nThe crux of this operation revolves around the ATM module, also known as Atmosphere. It makes it possible for the authors to remotely cash out ATMs. Once on an infected computer, this module searches all running processes for a legitimate one called \"atmapp.exe\", which is proprietary ATM software.\r\nOnce \"atmapp.exe\" is found, the Atmosphere module will take the DLL it was storing in its resources and inject it into the running process. Some of the functionality included in the DLL may have been based on an existing GitHub project (https://github.com/TsudaKageyu/minhook); to learn more about open source malware development and how adversaries are taking advantage of it, please see our Q4 Threat Landscape Report. Once the injection process has been completed, the malicious DLL will run in the ATM process space, thereby effectively gaining control of the ATM, a process known as “Jackpotting.”\r\nFigure 3. 
Strings for ATM module\r\nFrom this point on, threat researchers assume that the authors hire money mules to pick up cash from infected ATMs while the group moves on to its next target.\r\nGlobal Distribution\r\nDistribution for the various samples used by the Silence Group is not restricted to one geographical location. As shown in the example below, distribution includes the following countries (based on geo-IP information):\r\nAustralia, Canada, France, Ireland, Latvia, The Netherlands, Poland, Spain, Sweden, and The United States.\r\nFigure 4. Geographic distribution of command and control and download sites used by Silence Group\r\nWe have observed samples distributed in various global locations, with a concentration in the EMEA region. One IP address in France (137.74.224.142) was the primary download site or command and control server for over 15 samples. Another interesting observation is that The Netherlands has had over 10 unique IP addresses that were used either as download sites or as command and control servers.\r\nAn interesting Silence Group correlation\r\nDuring our investigation, we noticed some anomalous behavior with certain IP addresses, specifically Canadian IP addresses. Although they are different in scope, we decided to see if there was any correlation to known actors, bulletproof hosts, or web hosts.\r\nDue to time constraints, and to keep the blog succinct, we will not go into too much detail for the purposes of this playbook. However, after cursory analysis, a peculiar detail stood out for the following IP addresses:\r\n144.217.14.173 (Montreal, QC, Canada)\r\n158.69.218.119 (Montreal, QC, Canada)\r\n144.217.162.168 (Montreal, QC, Canada)\r\nThese addresses were all associated with a single web hosting organization. 
When we investigated a little further, we discovered additional connections to netblocks from this same web hosting organization in the following countries: Australia, Canada, France, The Netherlands, Spain, and Ireland.\r\nFigure 5. Global sites\r\nRemarkably, this list constitutes 60% of the countries we identified in our initial analysis. Please note, however, that this correlation does not imply that this organization is in any way involved in or even aware of the situation. This is likely either entirely coincidental, the result of Silence Group actors simply being familiar with the publicly available services of a well-known hosting provider, or due to the efforts of another bad actor, such as a bulletproof downstream host that is reselling those services.\r\nAlthough many IP addresses with connections to this hosting company in multiple countries have been observed, it remains unclear how they are connected to each other, or whether this is simply due to circumstance (automatic assignment by the web host, etc.).\r\nFor further information regarding the samples used in our research, including indicators of compromise that have been analyzed and mapped according to the specifications of the MITRE ATT\u0026CK framework, please refer to our latest playbook on the Silence Group here.\r\nNote: MITRE ATT\u0026CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. 
The ATT\u0026CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.\r\nLearn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.\r\nKnow your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.\r\nRead about the FortiGuard Security Rating Service, which provides security audits and best practices.\r\nSource: https://www.fortinet.com/blog/threat-research/silence-group-playbook.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/silence-group-playbook.html"
	],
	"report_names": [
		"silence-group-playbook.html"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20e86ad610a073baa201edef8ced9be742d38f8d.pdf",
		"text": "https://archive.orkl.eu/20e86ad610a073baa201edef8ced9be742d38f8d.txt",
		"img": "https://archive.orkl.eu/20e86ad610a073baa201edef8ced9be742d38f8d.jpg"
	}
}