{ "id": "21f26bfd-7661-49ef-90f6-11259024bd55", "created_at": "2026-04-06T03:36:43.404868Z", "updated_at": "2026-04-10T03:35:29.03389Z", "deleted_at": null, "sha1_hash": "4af58cba40f928ea0bcb7b5e65b15e78ceb6dc9f", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44823, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 03:14:56 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Atmosphere\r\n Tool: Atmosphere\r\nNames Atmosphere\r\nCategory Malware\r\nType ATM malware\r\nDescription\r\n(Group-IB) To control the ATM dispenser, Silence uses a unique software called Atmosphere.\r\nOver time the Trojan has significantly evolved to address the needs of the criminals. For\r\nexample, the developers have changed the logic of injection into processes and added the\r\nflexible injector, which has expanded the list of targeted ATMs. They have also removed the\r\nredundant features that interrupted the operation or were not used by the criminals. For\r\nexample, the last version of the software didn’t process commands from the PIN pad and the\r\ngenerated log got smaller. In the initial stages, the software was recompiled a lot, which\r\nresulted in several unsuccessful cashout attempts.\r\nInformation \u003chttps://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool Atmosphere\r\nChanged Name Country Observed\r\nAPT groups\r\n  Silence, Contract Crew [Unknown] 2016-Aug 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a06e89c3-ca40-496d-a7eb-183f2816ae94\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a06e89c3-ca40-496d-a7eb-183f2816ae94\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a06e89c3-ca40-496d-a7eb-183f2816ae94" ], "report_names": [ "listgroups.cgi?u=a06e89c3-ca40-496d-a7eb-183f2816ae94" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446603, "ts_updated_at": 1775792129, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4af58cba40f928ea0bcb7b5e65b15e78ceb6dc9f.pdf", "text": "https://archive.orkl.eu/4af58cba40f928ea0bcb7b5e65b15e78ceb6dc9f.txt", "img": "https://archive.orkl.eu/4af58cba40f928ea0bcb7b5e65b15e78ceb6dc9f.jpg" } }