{
	"id": "5678e394-3975-474d-9203-ad26620c70e5",
	"created_at": "2026-04-06T00:15:33.839988Z",
	"updated_at": "2026-04-10T13:11:17.98044Z",
	"deleted_at": null,
	"sha1_hash": "a3627bda4101855f35175ed432d7e6d66d7819dd",
	"title": "Silence of the Moles",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2899598,
	"plain_text": "Silence of the Moles\r\nBy Jay Rosenberg\r\nPublished: 2017-11-01 · Archived: 2026-04-05 14:41:17 UTC\r\nKaspersky Labs published a technical analysis of a new malware, Silence, that is aimed at attacking financial\r\ninstitutions. After uploading the loader of this malware to Intezer Analyze™, we found a possible connection\r\nthrough code reuse to the loader of another malware campaign, Mole, previously discovered by Unit 42 of Palo\r\nAlto Networks.\r\nThis connection might be an indicator that these two attacks originated from the same threat actor, but\r\ncurrently it is too early to tell.\r\n(Intezer Analyze™ public report available here.)\r\nSilence Loader: f24b160e9e9d02b8e31524b8a0b30e7cdc66dd085e24e4c58240e4c4b6ec0ac2\r\nMole Loader: 50117ce3fe5dba572cf23584dc7541a7cfd4026d4316e69d29cdf536873fdf20\r\nIf we look at the code of the two loaders used by both campaigns side by side, we can see that the code is very\r\nsimilar and, according to our system, is unique to these families of malware.\r\n(sub_4079A0 vs sub_4023A0)\r\nThrough the disassembly in the photo above, we can also see there is a string initialized through an array,\r\n“RtpEncodePointer,” that is later used for a call to GetProcAddress. This looks like a typo, and the author of the\r\ncode meant to write “RtlEncodePointer”, because “RtpEncodePointer” does not exist in ntdll.dll. The evidence\r\nsuggests that this code was being reused. 
There are no references to “RtpEncodePointer” available publicly online\r\nbesides automated reports of a couple of unclassified malware samples from Hybrid Analysis.\r\nIn addition to the links within the code, there are several other similarities we have witnessed between the Mole\r\nand Silence malware, such as the attack vectors (spear phishing, packaging of the malware) and motives — which\r\ncan serve as additional evidence for this connection.\r\nYet again, we see that identifying code reuse can be very valuable in detecting new malware, and in some cases\r\nfor attribution purposes. We invite you to read more of the posts in our blog and to request an invite to the\r\ncommunity edition of our product.\r\nFollow @jaytezer for more updates.\r\nSource: http://www.intezer.com/silenceofthemoles/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.intezer.com/silenceofthemoles/"
	],
	"report_names": [
		"silenceofthemoles"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775826677,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3627bda4101855f35175ed432d7e6d66d7819dd.pdf",
		"text": "https://archive.orkl.eu/a3627bda4101855f35175ed432d7e6d66d7819dd.txt",
		"img": "https://archive.orkl.eu/a3627bda4101855f35175ed432d7e6d66d7819dd.jpg"
	}
}