{
	"id": "2cf6d560-365a-4236-b490-f99ef5f3268c",
	"created_at": "2026-05-01T03:10:24.572263Z",
	"updated_at": "2026-05-01T03:10:50.679101Z",
	"deleted_at": null,
	"sha1_hash": "aef2dbddf215d7c377d8e5999b5bcaf9a248974c",
	"title": "Silence: Moving into the Darkside",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 367615,
	"plain_text": "Silence: Moving into the Darkside\r\nBy Dmitry Volkov, CEO at Group-IB\r\nArchived: 2026-05-01 02:10:03 UTC\r\nGroup-IB has exposed the attacks committed by the Silence cybercriminal group. While the gang had previously\r\ntargeted Russian banks, Group-IB experts have also discovered evidence of the group’s activity in more than 25\r\ncountries worldwide. Group-IB has published its first detailed report on the tactics and tools employed by Silence.\r\nGroup-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current\r\nemployee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.\r\nDownload the full version of the report: Silence: Moving into the Darkside\r\nIn August 2017, the National Bank of Ukraine warned state-owned and private banks across the country about a\r\nlarge-scale phishing attack. The threat actor used an exploit from the arsenal of the state-sponsored hacker group\r\nAPT28. However, the tool, as Group-IB discovered, had been modified to target banks. It also appeared that the authors\r\nof the phishing emails had in-depth knowledge of reverse engineering.\r\nAt the time, the National Bank of Ukraine linked the attack with a new wave of the NotPetya ransomware outbreak,\r\nbut these were not pro-government hackers. Initial impressions suggested that the targeted attack was on par\r\nwith the work of Cobalt or MoneyTaker. This hypothesis went unproven. On investigation, the adversaries turned out to be a\r\nyoung and active hacker group who, like young, smart technical specialists, learned very fast and from their own\r\nmistakes.\r\nThe new threat actor group was eventually named Silence. 
They were first identified and named in reports by\r\nanti-virus vendors; however, until the publication of this report, no detailed technical analysis of Silence or their\r\noperations had been conducted.\r\nSilence is a group of Russian-speaking hackers, judging by the language of their commands, the location of the infrastructure\r\nthey used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan),\r\nalthough phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia.\r\nFurthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed\r\nbackdoor. The hackers also used Russian-language web hosting services.\r\nFinancially motivated APT groups which focus their efforts on targeted attacks on the financial sector, such as\r\nAnunak, Corkow and Buhtrap, usually managed botnets using self-developed or modified banking Trojans. Silence is\r\ndifferent. Even at the beginning of their journey, in the summer of 2016, Silence was not able to hack banking\r\nsystems and actually seemed to learn on the job by carefully analyzing the experiences, tactics and tools of\r\nother groups. They tried new techniques to steal from banking systems, including AWS CBR (the Russian Central\r\nBank’s Automated Workstation Client), ATMs, and card processing.\r\nhttps://www.group-ib.com/blog/silence\r\nPage 1 of 7\n\nFrom circumstantial analysis over two years of attacks, it appears that Silence group members have worked or are\r\ncurrently working in legitimate information security activities. The group has access to non-public malware\r\nsamples and patched Trojans available only to security experts, and changes in their TTPs suggest that they modify their\r\nactivity to mimic new attacks and red teaming activity.\r\nGroup-IB researchers were tracking Silence throughout this period and conducting incident response following\r\nincidents in the financial sector. 
During this monitoring period a phishing email was sent to CERT-GIB\r\n(Computer Emergency Response Team of Group-IB). This was analysed and confirmed to be from Silence.\r\nChallenge accepted, Group-IB engaged.\r\nThis report details the results of our investigation, a review of attacks and thefts by Silence, and an analysis of the tools,\r\ntactics and procedures they used to target financial institutions. This report serves as a contribution to the white-hat\r\nsecurity community from Group-IB and provides technical descriptions of the methods and technologies that can\r\nbe used to detect and track this group. We have also included a detailed analysis of the toolset created by Silence\r\nand associated Indicators of Compromise (IoCs), YARA and IDS rules.\r\nSilence is a new threat to banks\r\nGroup-IB detected the first incidents relating to Silence in June 2016. At that time, the cyber criminals were just\r\nbeginning to test their capabilities. One of Silence’s first targets was a Russian bank, where they tried to attack\r\nAWS CBR. After this, the hackers “took a moment of silence”. It was later discovered that this is standard practice\r\nfor Silence. They are selective in their attacks and wait for about three months between incidents, which is\r\napproximately three times longer than other financially motivated APT groups, like MoneyTaker, Anunak\r\n(Carbanak), Buhtrap or Cobalt.\r\nThe reason for this is that Silence is a small group. In years of cyber intelligence and investigations, it is the first\r\ntime that Group-IB has encountered this kind of structure and role-based group. Silence members constantly\r\nanalyze the experience of other criminal groups. They try to apply new techniques and ways of stealing from\r\nvarious banking systems, including AWS CBR, ATMs, and card processing. In a short period of time they studied\r\nnot only direct types of hacking, but also supply-chain attacks. 
In less than a year, the amount of funds stolen by\r\nSilence has increased fivefold.\r\nTeam\r\nOur hypothesis is that the Silence team has two clear roles: the Operator and the Developer. Presumably, the\r\nOperator is the group leader. He acts like a penetration tester who has in-depth knowledge of the tools for\r\nconducting penetration testing on banking systems. This knowledge allows the group to navigate easily inside the\r\nbank. It is the Operator who gains access to protected systems inside the bank and then conducts the theft.\r\nThe Developer is a qualified reverse engineer. His advanced reverse-engineering skills do not prevent him from\r\nmaking mistakes while programming. He is responsible for developing tools for conducting attacks and is also\r\nable to modify complex exploits and third-party software. For example, he patched a little-known Trojan that had not\r\npreviously been employed by other groups. In addition, the Developer has sufficient knowledge of ATM\r\nprocesses and systems, and has access to non-public malware samples, which are usually only available to security\r\ncompanies.\r\nA distinctive feature of Silence is their atypical role structure and small size. 
It appears that this Russian-speaking group includes only two members.\r\nLanguage\r\nAs with most financially-motivated APT groups, the members of Silence are Russian speakers, which is evidenced\r\nby the language of their commands, their priorities in locating leased infrastructure, the choice of Russian-speaking hosting\r\nproviders and the location of the targets.\r\nThe commands of Silence’s Trojan are Russian words typed using an English layout:\r\nhtrjyytrn \u003e реконнект (reconnect)\r\nhtcnfhn \u003e рестарт (restart)\r\nytnpflfybq \u003e нетзадач (notasks)\r\nThe main targets are located in Russia, although phishing emails were sent to bank employees in more than\r\n25 countries of Central and Western Europe, Africa and Asia.\r\nTo rent servers, Silence uses Russian-speaking hosting providers.\r\nSilence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools,\r\ntactics, and even the members of the group. It is obvious that the criminals responsible for these crimes were at\r\nsome point active in the security community, either as penetration testers or reverse engineers. They carefully\r\nstudy the attacks conducted by other cybercriminal groups, and analyse antivirus and Threat Intelligence reports.\r\nHowever, it does not save them from making mistakes; they learn as they go. Many of Silence's tools are\r\nlegitimate; others they developed themselves or learned from other gangs. After having studied Silence's attacks,\r\nwe concluded that they are most likely white hats evolving into black hats. The Internet, particularly the\r\nunderground web, favours this kind of transformation; it is now far easier to become a cybercriminal than 5–7\r\nyears ago—you can rent servers, modify existing exploits, and use legal tools. 
This makes things more complicated\r\nfor blue teams and much easier for hackers.\r\nGeography and Timeline of attacks\r\nSilence’s successful attacks have so far been limited to the CIS and Eastern European countries. Their main\r\ntargets are located in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan.\r\nHowever, some phishing emails were sent to bank employees in more than 25 countries of Central and Western\r\nEurope, Africa and Asia including: Kyrgyzstan, Armenia, Georgia, Serbia, Germany, Latvia, Czech Republic,\r\nRomania, Kenya, Israel, Cyprus, Greece, Turkey, Taiwan, Malaysia, Switzerland, Vietnam, Austria, Uzbekistan,\r\nGreat Britain, Hong Kong, and others.\r\nJuly 2016 — A failed attempt to withdraw money via the Russian system of interbank transactions AWS\r\nCBR. The hackers gained access to the system, but the attack wasn’t successful due to improper preparation of\r\nthe payment order. The bank’s employees suspended the transaction and conducted Incident Response and\r\nremediation using their own resources. This resulted in the subsequent incident described below:\r\nAugust 2016 — Another attempt to attack the same bank. Just one month (!) after their failure with AWS\r\nCBR, Silence regained access to the servers of the bank and attempted another attack. To do this, they\r\ndownloaded software to secretly take screenshots and proceeded to investigate the operator’s work via\r\nvideo stream. This time, the bank asked Group-IB to respond to the incident. The attack was stopped.\r\nHowever, the full log of the incident was unrecoverable, because in an attempt to clean the network, the\r\nbank’s IT team deleted the majority of the attacker’s traces.\r\nOctober 2017 — The first successful theft by the group that we know about. This time, Silence attacked\r\nATMs and stole over $100,000 in just one night. 
In the same year, they conducted DDoS attacks using a\r\nPerl IRC bot and public IRC chats to control Trojans.\r\nAfter the failed attempt with the interbank transactions system in 2016, the criminals did not try to\r\nwithdraw money using the system, even after gaining access to the servers of AWS CBR.\r\nFebruary 2018 — Successful attack using card processing. They picked up over $550,000 via ATMs of\r\nthe bank’s counterpart.\r\nApril 2018 — Two months later, the group returned to their proven method and withdrew funds again through\r\nATMs. During a single night they siphoned about $150,000. This time, Silence’s tools had been\r\nsignificantly modified: they were not burdened with redundant features and ran stably without bugs.\r\nSource: https://www.group-ib.com/blog/silence",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/silence"
	],
	"report_names": [
		"silence"
	],
	"threat_actors": [],
	"ts_created_at": 1777605024,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aef2dbddf215d7c377d8e5999b5bcaf9a248974c.pdf",
		"text": "https://archive.orkl.eu/aef2dbddf215d7c377d8e5999b5bcaf9a248974c.txt",
		"img": "https://archive.orkl.eu/aef2dbddf215d7c377d8e5999b5bcaf9a248974c.jpg"
	}
}