{ "id": "d1c8ab5e-5e88-4697-ba83-6f9052c80ef5", "created_at": "2026-04-06T00:08:07.266008Z", "updated_at": "2026-04-10T13:11:47.228696Z", "deleted_at": null, "sha1_hash": "5247e504392915636e99121982fb6e0b69c7f385", "title": "Silence, Contract Crew - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 78909, "plain_text": "Silence, Contract Crew - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 17:41:03 UTC\r\nHome \u003e List all groups \u003e Silence, Contract Crew\r\n APT group: Silence, Contract Crew\r\nNames\r\nSilence (Kaspersky)\r\nContract Crew (iDefense)\r\nWhisper Spider (CrowdStrike)\r\nTEMP.TruthTeller (FireEye)\r\nATK 86 (Thales)\r\nTAG-CR8 (Recorded Future)\r\nG0091 (MITRE)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2016\r\nDescription\r\n(Group-IB) Group-IB has exposed the attacks committed by Silence cybercriminal\r\ngroup. While the gang had previously targeted Russian banks, Group-IB experts also\r\nhave discovered evidence of the group’s activity in more than 25 countries\r\nworldwide. Group-IB has published its first detailed report on tactics and tools\r\nemployed by Silence. Group-IB security analysts’ hypothesis is that at least one of\r\nthe gang members appears to be a former or current employee of a cyber security\r\ncompany. The confirmed damage from Silence activity is estimated at 800 000 USD.\r\nSilence is a group of Russian-speaking hackers, based on their commands language,\r\nthe location of infrastructure they used, and the geography of their targets (Russia,\r\nUkraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails\r\nwere also sent to bank employees in Central and Western Europe, Africa, and Asia).\r\nFurthermore, Silence used Russian words typed on an English keyboard layout for\r\nthe commands of the employed backdoor. The hackers also used Russian-language\r\nweb hosting services.\r\nGroup-IB found several relationships between Silence and TA505, Graceful Spider,\r\nGold Evergreen.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=743a5e7c-a08f-47e1-861c-8789ea1189f9\r\nPage 1 of 3\n\nObserved\nSectors: Financial, Government, Manufacturing, Pharmaceutical.\nCountries: Antigua and Barbuda, Armenia, Australia, Austria, Azerbaijan,\nBangladesh, Belarus, Belgium, Belize, Bulgaria, Canada, Chile, China, Costa Rica,\nCroatia, Cyprus, Czech, Finland, France, Georgia, Germany, Ghana, Gibraltar,\nGreece, Hong Kong, India, Indonesia, Ireland, Israel, Jamaica, Jordan, Kazakhstan,\nKenya, Kyrgyzstan, Latvia, Luxembourg, Malaysia, Mexico, Moldova, Netherlands,\nNorway, Pakistan, Panama, Poland, Romania, Russia, Saudi Arabia, Serbia,\nSeychelles, Singapore, South Korea, Spain, Sri Lanka, Sweden, Switzerland,\nTaiwan, Thailand, Turkey, UAE, UK, Ukraine, USA, Uzbekistan, Vietnam.\nTools used\nAtmosphere, Cleaner, EmpireDNSAgent, Farse, Ivoke, Kikothac, Meterpreter,\nProxyBot, ReconModule, Silence, TinyMet, xfs-disp.exe, Living off the Land.\nOperations performed\nJun 2016\nSilence: Moving into the Darkside\nMay 2018\nSilence 2.0: Going Global\nMay 2019\n‘Silence’ hackers hit banks in Bangladesh, India, Sri Lanka, and\nKyrgyzstan\nThe only incident that is currently public is one impacting Dutch\nBangla Bank Limited, a bank in Bangladesh, which lost more than $3\nmillion during several rounds of ATM cashout attack.\nJan 2020\nNew financially motivated attacks in Western Europe traced to\nRussian-speaking threat actors\nAug 2022\nBreaking the silence - Recent Truebot activity\nInformation\nMITRE ATT\u0026CK https://apt.etda.or.th/cgi-bin/showcard.cgi?u=743a5e7c-a08f-47e1-861c-8789ea1189f9\nPage 2 of 3\n\nPlaybook \u003chttps://www.fortinet.com/blog/threat-research/silence-group-playbook.html\u003e\r\nLast change to this card: 16 August 2025\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=743a5e7c-a08f-47e1-861c-8789ea1189f9\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=743a5e7c-a08f-47e1-861c-8789ea1189f9\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=743a5e7c-a08f-47e1-861c-8789ea1189f9" ], "report_names": [ "showcard.cgi?u=743a5e7c-a08f-47e1-861c-8789ea1189f9" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5", "created_at": "2022-10-25T16:47:55.740817Z", "updated_at": "2026-04-10T02:00:03.678203Z", "deleted_at": null, "main_name": "GOLD EVERGREEN", "aliases": [ "The Business Club" ], "source_name": "Secureworks:GOLD EVERGREEN", "tools": [ "CryptoLocker", "JabberZeus", "Pony", "Zeus" ], "source_id": "Secureworks", "reports": null }, { "id": "8ada819f-dec0-4de4-97eb-0a8aff899c56", "created_at": "2023-01-06T13:46:39.225531Z", "updated_at": "2026-04-10T02:00:03.251546Z", "deleted_at": null, "main_name": "GOLD EVERGREEN", "aliases": [], "source_name": "MISPGALAXY:GOLD EVERGREEN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3", "created_at": "2023-01-06T13:46:38.88051Z", "updated_at": "2026-04-10T02:00:03.131218Z", "deleted_at": null, "main_name": "Silence group", "aliases": [ "WHISPER SPIDER" ], "source_name": "MISPGALAXY:Silence group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434087, "ts_updated_at": 1775826707, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5247e504392915636e99121982fb6e0b69c7f385.pdf", "text": "https://archive.orkl.eu/5247e504392915636e99121982fb6e0b69c7f385.txt", "img": "https://archive.orkl.eu/5247e504392915636e99121982fb6e0b69c7f385.jpg" } }