{
	"id": "3ac5120c-15fa-4463-a27e-6379faa856c1",
	"created_at": "2026-04-06T00:20:08.884101Z",
	"updated_at": "2026-04-10T13:12:42.867537Z",
	"deleted_at": null,
	"sha1_hash": "c98008b03a7bbcf446705b7e63dff4a2d51a98b8",
	"title": "TA407 Overview (Mabna Institute, Silent Librarian) US | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1561019,
	"plain_text": "TA407 Overview (Mabna Institute, Silent Librarian) US |\r\nProofpoint US\r\nOctober 14, 2019, by The Proofpoint Threat Insight Team\r\nPublished: 2019-10-10 · Archived: 2026-04-05 14:57:14 UTC\r\nIn our September 5, 2019, Threat Insight post, “Seems Phishy: Back To School Lures Target University Students\r\nand Staff,” we discussed the seasonal uptick of phishing campaigns that are directed at university students and\r\nstaff, usually between June and October of every year. Since our blog post, colleagues at Secureworks have\r\nprovided further details on one actor we highlighted, tracked by Proofpoint as TA407, also known as Silent\r\nLibrarian, Cobalt Dickens, and Mabna Institute. In this blog, we provide additional insight into the actor and their\r\nevolving TTPs in ongoing campaigns against academia and universities.\r\nLike many educational phishing attacks, campaigns associated with TA407 are typically not geographically\r\ntargeted, but rather tied to specific universities, with phishing landing pages developed for library and student or\r\nfaculty access portals. While many of the attacks are directed at schools in the United States, Proofpoint\r\nresearchers regularly observe campaigns affecting universities primarily in North America and Europe.\r\nSilent Librarian is a prolific financially motivated actor operating out of Iran. In early 2018, the US Department of\r\nJustice indicted nine members of the cybercrime group for hacking, wire fraud, and identity theft. 
In particular, the\r\ngroup was cited for “obtain[ing] unauthorized access to computer systems, steal[ing] proprietary data from those\r\nsystems, and sell[ing] that stolen data to Iranian customers, including the Iranian government and Iranian\r\nuniversities.”\r\nThe indictment alleges that between 2013 and 2017, TA407’s activities resulted in the following damages:\r\nApproximately $3.4 billion worth of intellectual property loss due to unauthorized access\r\n31.5 terabytes of academic data and IP theft from compromised universities\r\n7998 university accounts were successfully compromised worldwide\r\n3768 accounts compromised that belonged to professors at US-based universities\r\nVictims of the scheme included:\r\n Approximately 144 universities in the United States\r\n176 foreign universities in 21 countries\r\n Five federal and state government agencies in the United States\r\n 36 private companies in the United States\r\n 11 foreign private companies\r\n Two international non-governmental organizations\r\nThe DOJ indictments, however, have had no appreciable effect on the group’s activities and university email\r\naccount compromises are ongoing, building on the success of previous campaigns.\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian\r\nPage 1 of 14\n\nMabna Institute Tactics, Techniques, and Procedures\r\nMabna Institute (AKA TA407) primarily targets universities and higher education institutions worldwide with\r\nlow-volume (tens or hundreds of messages), target-specific campaigns. 
These university phishing campaigns\r\nutilize well-crafted social engineering mechanisms including:\r\nStolen university branding\r\nFake email signatures/credentials/addresses\r\nUniversity-specific email bodies/portal clones\r\nThemed subject lines (e.g., “Renewal of loaned items”, “Renew your loaned items”, “Renewal of\r\nmaterials”, \"Overdue notice on loaned items\", and \"Library Services\")\r\nSince the beginning of 2019, Proofpoint researchers observed several TA407 campaigns distributing phishing\r\nURLs leading to clones of university library login pages. Although TA407 has made minor updates to their social\r\nengineering techniques and infrastructure, their strategies have been overall rather consistent. Many of these\r\ncampaigns use the same lures with minor variations in phrasing.\r\nHistorically, the group has employed the use of a series of phishing origin points, abusing access first at one\r\nuniversity and then another. TA407 makes extensive use of Freenom domains to host credential phishing landing\r\npages; the group then abuses compromised accounts at universities to phish users at other universities,\r\ncompromising additional accounts and spreading from school to school.\r\nProofpoint researchers have observed changes in TA407’s tactics, techniques, and procedures (TTPs), particularly\r\nin their use of URL shorteners, linking, and abuse of legitimate services and infrastructure. While the group does\r\nnot always use URL shorteners, these frequently appear in their mix of linking and redirection techniques.\r\nThe following Freenom domains were observed in use by TA407 in September. 
A complete list of such domains\r\nused since January appears in the Appendix.\r\nFigure 1 illustrates the flow of a typical TA407 campaign. Note the abuse of university-controlled URL shortening\r\nservices and compromised email accounts.\r\nFigure 1: Typical attack flow of TA407/Silent Librarian\r\nProofpoint researchers frequently observe Silent Librarian’s phishing attempts originating from a university\r\nunrelated to their current target using a separate, unrelated university’s URL shortening service. This short URL\r\nlinks to a phishing landing page either directly or via one or more third-party sites that eventually lands the user\r\non a clone of a login portal hosted on an actor-controlled server.\r\nThe following illustration depicts the attack flow of the actor’s use of phishing links starting at any of the\r\nredirection phases. Variation between university-based URL shorteners and free shorteners represents one of the\r\nshifting TTPs observed in Silent Librarian’s recent activity.\r\nFigure 2: How TA407 utilizes short URL services in its phishing attack redirections.\r\nOver time, Proofpoint researchers have observed TA407 abuse several short URL services for initial redirection to\r\nphishing landing pages. These have included the now discontinued Google URL shortening service, .ir-based short\r\nURL services, and .edu URL shorteners. We observed apparent experimentation with university-based URL\r\nshorteners prior to the discontinuation of Google’s goo.gl services. 
Earlier in 2019, after goo.gl was discontinued,\r\nabuse of university URL shortening services appeared to increase and has been observed as recently as September\r\nof 2019.\r\nCampaign Lure Examples\r\nVery little has changed with TA407’s phishing lures in 2019. Most phish lures are themed around library access.\r\nFigure 3: Example of a library access phish lure from TA407\r\nOver time, Proofpoint researchers have observed slight adjustments in lure verbiage, but most continue to\r\nemphasize loss of library access privileges:\r\nFigure 4: Example of how TA407’s lure verbiage has evolved over time\r\nFigure 5: Basic lure verbiage by TA407. This style has been used for years.\r\nIn many examples, TA407 uses stolen branding from the university being targeted. In the following example, we\r\nhave redacted the image of the signature block using the school logo that was used in the message body.\r\nFigure 6: More evolution in attack verbiage from TA407\r\nTA407 has demonstrated awareness of close to real-time changes in authentication portal traits, such as weather\r\nnotification banners, that are sometimes reflected on the landing page clones used in their campaigns. The\r\nawareness manifests in both the lure wording and/or landing page appearance. However, Proofpoint researchers\r\ndo occasionally observe what appears to be an outdated clone of a previous version of their target's portal,\r\nsuggesting either inconsistent updates or coincidental timing of clone updates. 
\r\nFigure 7: Fake university login portal with spoofed display name, stolen branding, and accurate weather forecast\r\nwarning\r\nConclusion\r\nLast year’s DOJ indictments had no appreciable effect on curtailing the activities of TA407. Campaigns with the\r\napparent intent to compromise user accounts at universities are ongoing with new Freenom domains appearing in\r\nSeptember to host phishing pages. Most notably,\r\nTA407 takes advantage of publicized downtime and weather alerts, among other events, to add credibility\r\nto the phish, increasing the risk for universities and their constituents.\r\nIn its attacks, TA407 uses a series of phishing origin points, abusing access first at one university and then\r\nanother for use against new targets. The group then appears to continue the cycle with a chosen subset of\r\nfreshly compromised accounts.\r\nThe changes in URL shorteners, linking and hosting practices described here make detection of TA407’s\r\nactivities increasingly difficult for defenders and demonstrate the adaptability and innovation that have\r\nenabled this threat actor to drive billions of dollars in losses in terms of intellectual property theft and\r\nresale of stolen journal subscriptions.\r\nProofpoint recommends that universities remain vigilant against these threats to prevent losses and protect\r\nvaluable IP and personal information. 
Implementing two-factor authentication within publicly exposed systems\r\ncan help mitigate overall attack risk and substantially increase the level of effort needed by threat actors to\r\ncompromise university accounts.\r\nAppendix: List of OpenTLD and Freenom domains used by TA407 since January\r\n2019\r\nSource: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian"
	],
	"report_names": [
		"threat-actor-profile-ta407-silent-librarian"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "adc8bb1a-6ded-4b27-8163-8069d5a6d492",
			"created_at": "2022-10-25T15:50:23.566869Z",
			"updated_at": "2026-04-10T02:00:05.385876Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Silent Librarian",
				"TA407",
				"COBALT DICKENS"
			],
			"source_name": "MITRE:Silent Librarian",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42e41377-c64c-4be9-87a0-ee903e4b9055",
			"created_at": "2023-01-06T13:46:38.950322Z",
			"updated_at": "2026-04-10T02:00:03.158476Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Mabna Institute",
				"TA407",
				"TA4900",
				"Yellow Nabu",
				"COBALT DICKENS"
			],
			"source_name": "MISPGALAXY:Silent Librarian",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4c0e20f-e199-448e-9056-88bb1cf1c63e",
			"created_at": "2025-08-07T02:03:24.717633Z",
			"updated_at": "2026-04-10T02:00:03.630245Z",
			"deleted_at": null,
			"main_name": "COBALT DICKENS",
			"aliases": [
				"ITG22 ",
				"SilentLibrarian ",
				"TA407 ",
				"Yellow Nabu "
			],
			"source_name": "Secureworks:COBALT DICKENS",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ba9e3e3-1cef-4e20-be7e-95f05e8295d7",
			"created_at": "2022-10-25T16:07:23.821494Z",
			"updated_at": "2026-04-10T02:00:04.759302Z",
			"deleted_at": null,
			"main_name": "Mabna Institute",
			"aliases": [
				"Academic Serpens",
				"Cobalt Dickens",
				"G0122",
				"Mabna Institute",
				"Silent Librarian",
				"TA407",
				"TA4900",
				"Yellow Nabu"
			],
			"source_name": "ETDA:Mabna Institute",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434808,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c98008b03a7bbcf446705b7e63dff4a2d51a98b8.pdf",
		"text": "https://archive.orkl.eu/c98008b03a7bbcf446705b7e63dff4a2d51a98b8.txt",
		"img": "https://archive.orkl.eu/c98008b03a7bbcf446705b7e63dff4a2d51a98b8.jpg"
	}
}