{
	"id": "94c9fd26-beca-4f05-b9ae-885ea3855314",
	"created_at": "2026-04-06T00:06:31.07204Z",
	"updated_at": "2026-04-10T03:35:29.02948Z",
	"deleted_at": null,
	"sha1_hash": "461f427a1eb0d0c558bc2ad4f8f625a0bf0b6be7",
	"title": "How the Silence Downloader Has Evolved Over Time – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1302578,
	"plain_text": "How the Silence Downloader Has Evolved Over Time – One Night\r\nin Norfolk\r\nPublished: 2019-02-11 · Archived: 2026-04-02 10:44:04 UTC\r\nIn a previous post this blog briefly compared two versions of the Silence group’s proxy malware, a post-intrusion\r\ntool used to relay network traffic between a C2 endpoint and a non-internet facing device. This post examines\r\nthree versions of the group’s downloader and documents how it has changed over the last eighteen months. While\r\nsome characteristics have persisted, several notable functions have been removed, added, or modified in newer\r\nversions of this tool.\r\nTracking such changes helps analysts determine whether or not a newly discovered sample (on the network or in\r\nan online repository) is truly new; in the event that the sample is older and forensic data is missing, it can help\r\napproximate when the sample might have been deployed.\r\nOctober 2017\r\nMD5: 404D69C8B74D375522B9AFE90072A1F4\r\nSHA1: 197d8bc245ba8b67ebf9a108d6707011fe8158f9\r\nSHA256: f24b160e9e9d02b8e31524b8a0b30e7cdc66dd085e24e4c58240e4c4b6ec0ac2\r\nThis Silence downloader was first publicly described at a high level in a Kaspersky Securelist post in October\r\n2017. The downloader calls out to a C2, and the response allows it to:\r\n– Create an auto-start persistence entry in the registry (HKCU CurrentVersion\\Run) for a copy of itself (“fal”)\r\n– Obtain an additional payload, save this payload to disk, and execute it (“|http”)\r\n– Delete itself (“DEL”)\r\nAs this malware serves as a simple, early-stage tool, these tasks (and their underlying mechanisms) have gone\r\nlargely unexamined in the public space; however, there are several distinct characteristics regarding how the\r\nearlier versions of the malware accomplish this workflow. 
The figure below shows the malware’s logic flow prior\r\nto taking one of the actions above:\r\nhttps://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/\r\nPage 1 of 5\n\nOctober 2017 Silence downloader logic flow\r\nRather than comparing the bytes (or their corresponding strings) as a whole, the malware performs a byte-by-byte\r\ncheck of the action, jumping over the remainder of the comparisons should a byte not match. If no task is\r\nidentified, the malware sleeps and attempts to retrieve a task from the C2 a second time. The figure below shows\r\nthe functions called following a successful parsing of the “|http” or “DEL” actions.\r\nDEL and |http functions from the October 2017 Silence downloader\r\nNovember 2018 Sample\r\nLate last month, Reaqta published research that included details of a late-2018 version of the Silence downloader.\r\nAt a high level, the downloader includes a key addition: the downloader executes a series of command-line\r\nqueries to obtain information about the infected device. This information is stored locally in the user’s\r\nProgramData folder in a file named “INFOCONTENT.TXT” and uploaded to the C2 server. Interestingly, a\r\nhandful of the command-line commands are initially obfuscated, though several others remain in clear text.\r\nCommand-line information collection\r\nWhile this is a key addition on its own, the author(s) of the tool also made two notable changes to the tasking\r\nworkflow:\r\n– The “fal” action used to create persistence has been removed. The tool now takes this step without prompting.\r\n– The “|http” action still exists; however, it is no longer initiated by a byte-by-byte comparison. 
Instead, the\r\nauthors opted to use the StrStrA function to determine if “http” is in the task string.\r\nCuriously, the authors did not change the “DEL” task initiation to align with the change to “|http.” It still uses the\r\nsame single-byte comparison and jump. It’s possible that the authors were either testing the new mechanism first\r\nor hadn’t yet had time to change both functions.\r\nNovember 2018 sample. Left: “DEL” single-letter comparisons remain intact. Right: “|http”\r\ncomparison replaced with StrStrA call.\r\nAlthough the mechanism for calling the persistence routines changed between versions, the routines themselves\r\nare largely consistent:\r\nLeft: 2017 persistence routine. Right: November 2018 persistence routine.\r\nLate 2018/Early 2019 Samples\r\nMD5: e2e1035f382c397d64303e345876a9db\r\nSHA1: c572ba3fcd991fd29919d171b8445dbb5277a51d\r\nSHA256: 4ea01c831c24b70b75bcdf9b33ad9c69e097cbadafd30599555a43a1f412455d\r\nC2: 185.244.131[.]68\r\nPivoting through VirusTotal using the string “%s\\%08x%08x.tmp” from the previous sample leads to a new set of\r\nupdated downloaders from this threat actor. These more recent samples contain significant changes, including:\r\n– A revised method for establishing the registry-based persistence mechanism\r\n– An alternate persistence mechanism, selected depending on the detected operating system\r\n– An antivirus check that also informs this selection\r\n– The ability to execute a payload OR register a DLL\r\nThe screenshot below depicts the version check alongside the AV check. 
Notably, the authors implemented an AV\r\ncheck that calls CreateToolhelp32Snapshot, Process32First, and Process32Next for each string, rather than calling\r\neach of these up front and then performing the string comparison.\r\nAV and Operating System Checks\r\nDepending on the results of the OS detection and the AV check, the malware can create a registry entry for\r\npersistence or create a scheduled task. Unlike the previous versions, the registry entry is not created through API\r\ncalls; instead, the malware decodes and executes a command line string:\r\n“/C REG ADD “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” /v “Windows System DLL”\r\nAlternatively, in this particular sample, the malware can create a scheduled task named “Avi Capture.”\r\nFinally, this version features an updated C2 mechanism. The malware now uses a different set of\r\nAPIs (Winsock) to contact the C2 and receive a response. The downloader can either register a DLL or launch an\r\nexecutable file in this version. True to the previous two versions, this workflow is initiated by a byte-by-byte\r\ncheck for “MZ” (a PE header) in the file.\r\nWorkflow for DLL vs EXE execution in Late 2018/Early 2019 Silence Downloader\r\nConcluding Thoughts\r\nTracking how a malware family changes over time helps categorize how “new” a newly uploaded or discovered\r\nsample really is. While compilation timestamps can be spoofed, a threat actor is unlikely to revert to a previous\r\nversion of a tool, particularly if it contains errors or lacks required features.\r\nIn the Silence downloader, it is apparent that the threat actors have taken an interest in collecting a larger set of\r\ninitial information (including operating system data). 
In addition, the threat actors have taken several\r\nmeasures to evade or bypass AV detection, including basic process checking and string obfuscation.\r\nSource: https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/"
	],
	"report_names": [
		"how-the-silence-downloader-has-evolved-over-time"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/461f427a1eb0d0c558bc2ad4f8f625a0bf0b6be7.pdf",
		"text": "https://archive.orkl.eu/461f427a1eb0d0c558bc2ad4f8f625a0bf0b6be7.txt",
		"img": "https://archive.orkl.eu/461f427a1eb0d0c558bc2ad4f8f625a0bf0b6be7.jpg"
	}
}