{
	"id": "4c23534c-35a0-4278-81f5-bdb1d9619d2b",
	"created_at": "2026-04-10T03:20:55.542702Z",
	"updated_at": "2026-04-10T13:11:58.845984Z",
	"deleted_at": null,
	"sha1_hash": "28af1f42b6f62a2c8b550f5999061eea92c574c8",
	"title": "Some Notes on the Silence Proxy – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214585,
	"plain_text": "Some Notes on the Silence Proxy – One Night in Norfolk\r\nPublished: 2019-02-06 · Archived: 2026-04-10 02:52:10 UTC\r\nIn August 2018, Group-IB published research (available in translated form here) regarding a financially motivated group referred to by the community as Silence. Included in this report is the mention of a proxy tool that the group uses to route traffic to and from devices on an infected network that are normally isolated from the Internet. Although the tool is simple (and in development), it has not yet been well documented in the public space. This may partly be because the tool is relatively rare: Group-IB describes Silence as a small group performing a limited set of activities. For researchers to obtain a copy, the Silence proxy would have to be deployed post-compromise, identified during incident response, and uploaded online. Given the rarity, some notes on the .NET version of this tool are below as a reference for future analysts.\r\nTechnical Details\r\nFiles examined:\r\n50565c4b80f41d2e7eb989cd24082aab (New)\r\n8191dae4bdeda349bda38fd5791cb66f (Old)\r\nThe Silence proxy is written in .NET, and the known versions are packed with SmartAssembly. This can be unpacked automatically using a tool such as De4Dot to facilitate static analysis; however, unpacking can lead to issues during debugging (with a tool such as DnSpy) that prevent the malware from executing properly. In the two known samples, the malware’s source code is readable even without this step.\r\nThe Silence proxy performs four basic tasks:\r\n1) The malware reads and parses its configuration\r\n2) The malware enters a switch/case statement based on a configuration value\r\n3) The malware opens a connection to a specified C2, the type of which depends on task 2\r\n4) (Optional) The malware can perform status logging (to a local location that varies by sample)\r\n[Figure: The Silence proxy configuration]\r\nIn the sample analyzed, the configuration specifies the following:\r\nBackConnectServerIP – C2 server IP\r\nBackConnectServerPort – C2 server port\r\nConfiguredAs – Type of connection (used in the switch/case statement)\r\nDomainName – Used for the NtlmAuth case\r\nPortToListen – Listening port\r\nProxyIP – Endpoint IP\r\nProxyPort – Endpoint port\r\nUserName – Used for authentication cases\r\nUserPassword – Used for authentication cases\r\nFrom here, the tool passes the ConfiguredAs value into a switch/case statement that determines what type of connection to open. This routine is not fully implemented, and thus serves as an excellent example of malware that is “under development.” The first image below shows a portion of the switch/case statement with several cases that have not yet been populated with code. The second image below is from a “newer” sample. While there is still an empty case, the ProxyBackConnector case has been filled in.\r\n[Figure: Older sample with ProxyBackConnector not populated]\r\n[Figure: “Newer” sample with ProxyBackConnector implemented]\r\nIn total, the tool supports (or likely will support) the following cases, which represent the functionality of the malware:\r\nSocksServer – Act as a listener for network traffic\r\nDirectBackConnector – Open a connection to a specified IP and accept the response\r\nProxyBackConnector – Open a connection to a specified IP and route the response to another device\r\nProxyBackConnectorWithAuth – Not implemented; likely intended as proxy + regular (non-domain) credentials\r\nProxyBackConnectorWithNtlmAuth – Proxy with an implementation to pass domain credentials\r\nAs mentioned at the start of the post, this is not a complex tool. Despite this, its appearance on the network should be cause for concern, as it is indicative of an adversary that is attempting to route traffic to and from a specific isolated device.\r\nSource: https://norfolkinfosec.com/some-notes-on-the-silence-proxy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://norfolkinfosec.com/some-notes-on-the-silence-proxy/"
	],
	"report_names": [
		"some-notes-on-the-silence-proxy"
	],
	"threat_actors": [],
	"ts_created_at": 1775791255,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28af1f42b6f62a2c8b550f5999061eea92c574c8.pdf",
		"text": "https://archive.orkl.eu/28af1f42b6f62a2c8b550f5999061eea92c574c8.txt",
		"img": "https://archive.orkl.eu/28af1f42b6f62a2c8b550f5999061eea92c574c8.jpg"
	}
}