{
	"id": "b56478d1-c5f0-47d7-b257-5462e01a4af6",
	"created_at": "2026-05-01T03:09:28.115885Z",
	"updated_at": "2026-05-01T03:10:50.726001Z",
	"deleted_at": null,
	"sha1_hash": "6ecf7846b8247bb7e699a6fc63eb39732feeaa4e",
	"title": "Group-IB’s new report on Silence: Damage from Silence APT operations increases fivefold",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120239,
	"plain_text": "Group-IB’s new report on Silence: Damage from Silence APT\r\noperations increases fivefold\r\nArchived: 2026-05-01 02:31:31 UTC\r\nGroup-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has exposed the\r\nmost recent campaigns carried out by Silence, a Russian-speaking APT group, in the new “Silence 2.0: Going\r\nGlobal” report. Group-IB experts discovered that Silence have significantly expanded their geography and\r\nincreased the frequency of their attacks. Additionally, the total confirmed amount of funds stolen by Silence has\r\nincreased fivefold since the publication of Group-IB’s original report, and is now estimated at USD 4.2 million.\r\nGroup-IB’s Threat Intelligence team has also revealed a link between Silence and TA505 group and identified that\r\nSilence has made a number of changes to its TTPs and enhanced its arsenal, as a result of being in the spotlight of\r\nsecurity researchers for some time now. Given that the gang represents a growing threat, both of Group-IB’s\r\nreports on Silence (“Silence: Moving into the darkside” and its sequel, “Silence 2.0: Going Global”) have been\r\nmade publicly available to help cybersecurity specialists with proper attribution and prevention of new incidents.\r\nGroup-IB has limited some of the data in the reports that could hinder investigations into the group’s cybercrimes.\r\nSilence going global. Larger geographical scope of attacks\r\nPrior to April 2018, Silence’s target interests were primarily limited to 25 post-Soviet states and neighboring\r\ncountries. Since the report “Silence: Moving into the darkside” was released in September 2018, Group-IB’s\r\nThreat Intelligence team has detected at least 16 new campaigns targeting banks launched by Silence. 
In 2019\r\nalone, Silence has infected workstations in more than 30 countries across Europe, Latin America, Africa, and Asia.\r\nSince Group-IB’s original report was published, the total confirmed damage has increased more than fivefold,\r\nfrom just USD 800,000 to USD 4.2 million. In July, Group-IB experts reported that Silence was likely to be the\r\nperpetrator behind the brazen attack on Dutch-Bangla Bank, when money mules supposedly connected to Silence\r\nwere caught on CCTV footage withdrawing money from the bank’s ATMs. Other recent successful attacks\r\nattributed to Silence and known to Group-IB’s specialists, were detected in India (August 2018), Russia (February\r\n2019, Russian “IT Bank”), Kyrgyzstan (May 2019), Russia (June 2019), Chile, Ghana, Costa Rica, and Bulgaria\r\n(July 2019). The cybercriminals are particularly drawn to Asia, which is where Silence conducted one of their\r\nbiggest reconnaissance campaigns to date.\r\nWithin the sound of Silence. New tools and techniques uncovered\r\nThe emails you never sent\r\nLike most APTs, Silence uses phishing emails to infect their victims. In October 2018, however, Silence\r\nimplemented new tactics: the gang began sending out reconnaissance emails as part of a preparatory stage for their\r\nattacks. Silence’s “recon” looks like a “mail delivery failed” message that usually contains a link without a\r\nmalicious payload. Such “recon” emails allow cybercriminals to obtain a list of valid emails for future attacks and\r\nget information about the cybersecurity solutions used by a targeted company all the while remaining undetected.\r\nhttps://www.group-ib.com/media/silence-attacks/\r\nPage 1 of 4\n\nGroup-IB’s Threat Intelligence team identified at least three major reconnaissance campaigns. These campaigns\r\nspread across Asia, Europe and post-Soviet countries with more than 170,000 “recon” emails sent. 
The biggest\r\ncampaign focused on Asia: since November 2018, Silence sent out close to 80,000 emails to organizations in\r\nTaiwan, Malaysia, South Korea, the UAE, Indonesia, Pakistan, Jordan, Saudi Arabia, Singapore, Vietnam, Hong\r\nKong, and China. Another large-scale campaign, which began in October 2018, was carried out in Russia and the\r\npost-Soviet states. Silence’s European “recon” campaign was the smallest: in October 2018, the group sent out\r\nless than 10,000 reconnaissance emails to UK-based financial organizations.\r\nNew tools in the gang’s arsenal\r\nSilence’s global expansion attracted the attention of cybersecurity researchers, leading the cybercriminals to grow\r\nmore cautious and introduce changes to their toolset to complicate detection. Notably, at the initial infection stage,\r\nin addition to their infamous primary loader Silence.Downloader (aka TrueBot), the cybercriminals started using\r\nIvoke, a fileless loader written in PowerShell. Ivoke was detected by Group-IB’s Threat Intelligence team in May\r\n2019, when Silence sent out phishing emails purporting to be from a bank’s client with a request to block a card.\r\nInterestingly, Silence started using fileless tools much later than other APTs. This supports the initial hypothesis\r\nthat Silence have spent their time “catching up”: first studying the approaches of other groups, and then\r\ncustomizing them to their needs.\r\nAnother new tool in Silence’s arsenal is a previously unknown PowerShell agent based on the Empire and dnscat2\r\nprojects, dubbed EmpireDNSAgent or simply EDA by Group-IB’s Threat Intelligence team. The Trojan is used\r\nduring the lateral movement stage and is designed to control compromised systems by performing tasks through\r\nthe command shell and tunneling traffic using the DNS protocol. This program was first discovered in March\r\n2019 by Group-IB and was detected during Silence’s most recent attacks on banks in Chile, Bulgaria, Costa Rica\r\nand Ghana. 
In addition to its custom Atmosphere Trojan, designed to remotely control ATMs, Silence started using\r\nxfs-disp.exe, which is also a Trojan deployed during the attack execution stage. The Trojan was allegedly used in\r\nthe attack on the Russian IT Bank in February 2019.\r\nSilence has also changed their encryption alphabets, string encryption, and commands for the bot and the main\r\nmodule. Moreover, the actor has completely rewritten the TrueBot loader, the first-stage module, on which the success\r\nof the group’s entire attack depends. Due to ongoing investigations, the new report features the detailed analysis of\r\ntwo of Silence’s recent attacks, as well as descriptions of their TTPs.\r\nAlleged connection between Silence and TA505\r\nGroup-IB researchers believe that there might also be a connection between Silence and TA505, another\r\npresumably Russian-speaking threat actor first named by researchers from Proofpoint. According to media reports,\r\nTA505’s recent attacks targeted individuals working at financial organizations in the US, the United Arab\r\nEmirates, and in Singapore. FlawedAmmyy, a sophisticated RAT that provides full access to infected machines, is\r\nreported to have been used in these TA505 attacks. A comparative analysis of Silence.Downloader and\r\nFlawedAmmyy.Downloader revealed that these programs were developed by the same person, a Russian speaker\r\nwho is active on underground forums. That said, the infrastructure used for the FlawedAmmyy attacks differs\r\ngreatly from that used in Silence’s attacks, which most likely means that the attacks are not connected.\r\nThree years ago, when we started tracking Silence, its members were young and highly motivated hackers taking\r\ntheir first tentative steps in cybercrime by attacking banks and financial organizations in the post-Soviet states and\r\nneighboring countries. 
Early on, Silence showed signs of immaturity in its TTPs by making mistakes and copying\r\npractices from other groups. Since then, Silence have evolved into one of the most sophisticated threat actors\r\ntargeting the financial sector not only in Russia, but also in Latin America, Europe, Africa, and especially Asia.\r\nSince our original report was released, the confirmed damage from their operations has grown significantly, while\r\nthe geography of Silence’s attacks expanded, and some of their tools and techniques have changed. The growing\r\nthreat posed by Silence and their rapid global expansion, prompted us to make both reports publicly available for\r\nthe very first time in order to help cybersecurity specialists with proper attribution and detection of Silence’s\r\nattacks at early stages all over the world.\r\nRustam Mirkasymov\r\nGroup-IB Head of Dynamic Analysis of malware department and threat intelligence expert\r\nAbout Group-IB\r\nEstablished in 2003, Group-IB is a leading creator of predictive cybersecurity technologies to investigate, prevent,\r\nand fight digital crime globally. Headquartered in Singapore, and with Digital Crime Resistance Centers in the\r\nAmericas, Europe, Middle East and Africa, Central Asia, and the Asia-Pacific, Group-IB delivers predictive,\r\nintelligence-driven defense by analysing and neutralizing regional and country-specific cyber threats via its\r\nUnified Risk Platform, offering unparalleled defense through its industry-leading Cyber Fraud Intelligence\r\nPlatform, Cloud Security Posture Management, Threat Intelligence, Fraud Protection, Digital Risk Protection,\r\nManaged Extended Detection and Response (XDR), Business Email Protection, and External Attack Surface\r\nManagement solutions, catering to government, retail, healthcare, gaming, financial sectors, and beyond. 
Group-IB collaborates with international law enforcement agencies like INTERPOL, Europol, and AFRIPOL to fortify\r\ncybersecurity worldwide, and has been awarded by advisory agencies including Datos Insights, Gartner, Forrester,\r\nFrost \u0026 Sullivan, and KuppingerCole.\r\nFor more information, visit us at www.group-ib.com or connect with us on LinkedIn, X, Facebook, and Instagram.\r\nDiscover our podcasts to hear from leading voices on Masked Actors and Fraud Intel, where top cybersecurity\r\nexperts share real-world experiences, emerging trends, and practical insights to help you stay one step ahead in the\r\nfight against cyber crime.\r\nSource: https://www.group-ib.com/media/silence-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/media/silence-attacks/"
	],
	"report_names": [
		"silence-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1777604968,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ecf7846b8247bb7e699a6fc63eb39732feeaa4e.pdf",
		"text": "https://archive.orkl.eu/6ecf7846b8247bb7e699a6fc63eb39732feeaa4e.txt",
		"img": "https://archive.orkl.eu/6ecf7846b8247bb7e699a6fc63eb39732feeaa4e.jpg"
	}
}