{
	"id": "e2f015ee-d9a0-42cc-8319-7550c8c90559",
	"created_at": "2026-04-06T00:17:19.355346Z",
	"updated_at": "2026-04-10T03:20:47.937885Z",
	"deleted_at": null,
	"sha1_hash": "fce2303115ec1b3f6202adc65e492f0ecf7cd802",
	"title": "Croatia government agencies targeted with news SilentTrinity malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 157312,
	"plain_text": "Croatia government agencies targeted with new SilentTrinity malware\r\nBy Pierluigi Paganini\r\nPublished: 2019-07-07 · Archived: 2026-04-05 23:10:50 UTC\r\nCroatia government agencies have been targeted by unknown hackers with a new piece of malware tracked as SilentTrinity.\r\nA mysterious group of hackers carried out a series of cyber attacks against Croatian government agencies, infecting employees with a new piece of malware tracked as SilentTrinity. The SilentTrinity malware can take control of an infected computer and allows attackers to execute arbitrary commands.\r\nhttps://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html\r\nPage 1 of 3\r\nBetween February and April, allegedly state-sponsored hackers launched a spear-phishing campaign against government agencies.\r\nThe attack was discovered by researchers at Positive Technologies while hunting for new cyber threats; the attackers used weaponized Excel documents.\r\nThe phishing messages posed as delivery notifications from the Croatian postal or other retail services; they included a Microsoft Excel document saved in the old .xls format and compiled the previous day.\r\nThe document included a malicious macro that borrows code from various projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me, or GitHub.com.\r\nOnce the victim has enabled the macro, the malicious code downloads and executes the malware on the victim’s machine. Experts observed attackers using the Empire backdoor and the SilentTrinity malware.\r\nSearching online for SILENTTRINITY, the experts found a reference in the PE file debugging information: the code comes from the IronPython project uploaded on GitHub in October 2018 by Marcello Salvati. The experts aimed at combining flexibility with the advantages of a well-known post-exploitation PowerShell framework by writing it in Python.\r\n“we will describe the basic mechanism and a few highlights of the implementation.” reads the analysis published by Positive Technologies.\r\n“Here is what happens after the PE file is run (although the intermediate link does not necessarily have to be a PE file):\r\nContact is made with the C2 server to download a ZIP archive with necessary dependencies and main Python script.\r\nThe archive contents are extracted, without being saved to disk.\r\nDependencies are registered for properly handling Python scripts.\r\nThe main Python script runs and waits for a task from the attacker.\r\nEach task is sent as a ready-to-run Python script.\r\nThe task is run on the victim’s system in a separate thread.\r\nThe result is sent back to the C2 server.”\r\nIronPython also supports the Boo language and allows the implementation of fileless malware. The C2 traffic is encrypted with AES; the public key is generated using the Diffie–Hellman protocol, and the network transport is implemented over HTTP(S) with proxy support.\r\nThe attack against Croatia was also spotted by experts at the Information Systems Security Bureau (ZSIS), which issued two alerts about the attacks.\r\n“The Office of Information Security (SIS) has, in its several jurisdictions, observed the most recent phishing campaign most likely to be spread by electronic mail.” reads one of the alerts.\r\n“The page contains the content downloaded from the official Croatian web pages, and immediately after visiting the site, the user is offered the download of the notification_o_posiljki.xls file.\r\nSo far, two versions of the file are known.\r\nThe first version represents the SILENTTRINITY malware that runs in the computer’s memory and communicates with the malicious server at hxxps://176.105.255.59:8089. The malicious program is retrieved via the SMB protocol.\r\nThe second version represents the Powershell Empire malware that is downloaded from hxxps://posteitaliane.live/owa/mail/drafts.srf.”\r\nThe Croatian Post has already taken steps to take down the malicious websites and servers involved in the attacks.\r\nThe experts attempted to link the attacks to other malicious campaigns; the most important evidence they collected is the reuse of a C2 server involved in attacks that exploited a WinRAR vulnerability to infect government targets in Ukraine.\r\nResearchers at FireEye observed four hacking campaigns, including ones that delivered new pieces of malware.\r\nFireEye did not attribute the attack to a specific APT, but the choice of targets and TTPs are aligned with Russian state-sponsored campaigns.\r\nFurther technical details, including IoCs, are reported in the analysis shared by the experts.\r\nPierluigi Paganini\r\n(SecurityAffairs – Croatia, SilentTrinity malware)\r\nSource: https://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html"
	],
	"report_names": [
		"croatia-government-silenttrinity-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fce2303115ec1b3f6202adc65e492f0ecf7cd802.pdf",
		"text": "https://archive.orkl.eu/fce2303115ec1b3f6202adc65e492f0ecf7cd802.txt",
		"img": "https://archive.orkl.eu/fce2303115ec1b3f6202adc65e492f0ecf7cd802.jpg"
	}
}