active threat profile
type: Cybercrime
threat_level: High
status: Active
origin: Russia (organized crime)
last_updated: 2026-03-27

Silence Group

also known as: Whisper Spider, Silence APT, G0091 (MITRE ATT&CK)

A small Russian-speaking crew, assessed to be just two core members (a developer and an operator), that graduated from failed copycat attacks in 2016 to sophisticated global bank heists totaling an estimated $4.2 million by 2019. Group-IB assessed that at least one member is likely a current or former white-hat security professional, given the group's access to non-public malware samples, its capacity to mimic red-team tradecraft, and its habit of studying other criminal groups' techniques before adapting them. What Silence lacks in scale it compensates for with precision: quiet, long-dwell intrusions into banking infrastructure, followed by carefully timed ATM jackpotting events coordinated through money mule networks.

attributed origin: Russia (Russian-speaking)
suspected sponsor: none; financially motivated organized crime
first observed: June 2016
primary motivation: financial (bank heists, ATM cashout)
primary targets: banks, card processing, ATM networks
confirmed stolen: $4.2M+ (estimated, through 2019)
mitre att&ck group: G0091
target regions: CIS, Asia, Europe, Africa, Latin America
threat level: HIGH

Overview

Silence Group is a Russian-speaking financially motivated cybercrime group that has conducted targeted intrusion campaigns against financial institutions since at least June 2016. The group was first detected by Group-IB's incident response team after a failed attempt in 2016 to withdraw money via the Automated Workstation Client of the Central Bank of Russia (AWS CBR). The attackers made errors in the payment order format, which caused the transaction to be blocked — a misstep characteristic of the group's early learning period. Group-IB, which has published the two most comprehensive open-source analyses of Silence's tradecraft, assessed the group to consist of approximately two core members: one developer responsible for building and maintaining the custom toolset, and one operator who executes intrusions and manages the money withdrawal logistics.

What distinguishes Silence from comparable financially motivated groups is not scale but depth of banking-sector knowledge. Group-IB concluded from circumstantial analysis over two years of observed attacks that at least one member appears to be a former or current employee of a cybersecurity company — likely with a background in penetration testing or reverse engineering. This assessment rests on three indicators: the group's access to non-public malware samples and patched trojans that are typically available only to security researchers; the way their TTPs shift to mimic new attack patterns and red team techniques shortly after public reporting on those techniques appears; and the sophistication of their custom toolset, which was purpose-built for financial infrastructure rather than assembled from commodity components.

In their first operations, Silence used a borrowed backdoor called Kikothac — a clear sign of improvised beginnings. Over the following three years, the group's developer built out a fully custom framework purpose-designed for attacking financial institutions: the Silence framework for infrastructure attacks, the Atmosphere ATM control toolkit, Farse for credential extraction, and Cleaner for log removal. The group's operating model involves long reconnaissance and dwell periods — typically months — followed by a precisely timed cashout window in which money mules withdraw funds from ATM networks simultaneously across multiple locations.

By 2019, Silence had expanded from primarily targeting Russian banks to active operations in more than 30 countries across Europe, Asia, Latin America, and Africa, with confirmed successful attacks in India, Kyrgyzstan, Chile, Bulgaria, Costa Rica, Ghana, and Bangladesh. The 2019 Dutch-Bangla Bank heist — in which coordinated money mules withdrew an estimated $3 million from ATMs across Bangladesh over the course of a single day — represented Silence's largest and highest-profile confirmed operation. Group-IB also documented a connection between Silence and TA505: TrueBot (Silence.Downloader) and TA505's FlawedAmmyy loader were signed with the same digital certificate, and by 2019 Silence had reportedly begun purchasing initial access to targeted banks directly from TA505 rather than running all phishing operations independently.

Target Profile

Silence Group's targeting is almost exclusively confined to financial institutions and the infrastructure directly associated with banking operations. The group shows no interest in data theft, espionage, or disruptive attacks — every intrusion is oriented toward eventual monetary extraction.

  • Regional and Central Banks: The group's earliest known target was the AWS CBR system — the automated workstation used for interbank transfers in Russia's central banking system. Subsequent attacks similarly targeted core banking infrastructure rather than customer-facing systems.
  • ATM Networks: ATM jackpotting is Silence's signature cashout method. The group compromises the systems controlling ATM dispensers, then instructs money mules to stand at specific machines at a designated time to collect cash as it is ejected on command. The 2017 attack confirmed by Group-IB netted $100,000 from ATMs in a single night.
  • Card Processing Systems: From 2018 onward, Silence added card processing attacks as a second cashout vector. By compromising a bank's card processing infrastructure, the group removes transaction limits and enables coordinated ATM withdrawals by money mules using preloaded cards. The February 2018 attack used this method to extract $550,000 via ATMs of a bank's counterpart institution over a single weekend.
  • Banks in Former Soviet States: Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan were the primary targets during the group's first two years of operation, providing a testing ground before international expansion began.
  • Global Financial Institutions: By 2019, Silence had expanded to targets in over 30 countries, with confirmed successful operations in South Asia (India, Bangladesh), Central Asia (Kyrgyzstan), Eastern Europe (Bulgaria), Latin America (Chile, Costa Rica), and West Africa (Ghana). Reconnaissance emails were sent to banks across Taiwan, Malaysia, South Korea, and other Asian markets from November 2018 onward.

Tactics, Techniques & Procedures

Silence's TTPs reflect a group that systematically studied other criminal actors' methods before building its own toolset. Early campaigns were imitative; later operations showed deliberate adaptation to evade specific detection techniques documented in public threat intelligence reports the group was known to monitor.

  • T1566.001 Spearphishing Attachment: Primary initial access method. Lures include macro-enabled Office documents, malicious CHM (Compiled HTML Help) files, and .LNK shortcut files. The group abused the lack of SPF records at some targets to spoof emails from the Central Bank of Russia or from the target's own banking counterparts. A 2019 campaign used a phishing email purporting to be from a bank client requesting a card block.
  • T1598 Phishing for Information (recon emails): From October 2018, Silence began sending spoofed "delivery failed" notification emails containing a link but no malicious payload. The purpose was to harvest lists of active email addresses and to identify the security solutions deployed at target organizations, enabling more targeted and credible phishing later. Over 170,000 such recon emails were sent across three campaigns targeting banks in Asia, Europe, and the former Soviet Union.
  • T1059.001 PowerShell (fileless execution): Ivoke, a fileless PowerShell loader introduced in May 2019, replaces disk-resident first-stage malware with in-memory execution, reducing the forensic footprint at initial access. EmpireDNSAgent (EDA), a PowerShell agent based on the Empire framework and the dnscat2 project, tunnels lateral-movement traffic over DNS to evade network detection. Both tools appeared after Silence's earlier techniques became widely detected following Group-IB's 2018 public report.
  • T1071.004 DNS for C2: EmpireDNSAgent (EDA) controls compromised systems by executing tasks through the command shell and tunneling traffic over the DNS protocol. DNS-based C2 is used specifically to evade network monitoring that focuses on HTTP/S traffic patterns, and to blend malicious traffic with legitimate resolution queries.
  • T1113 Screen Capture (banking workflow reconnaissance): After establishing persistent access, Silence operators conduct extended reconnaissance of banking workflows, mapping interbank transfer processes, ATM management interfaces, and card processing procedures. Screen recording is a documented technique: video captures of bank employee desktop sessions were used to learn the exact interface flows of target banking systems before the cashout phase. (An earlier version of this table mapped this row to T1056.001 Keylogging; the described activity is screen capture.)
  • T1070 Indicator Removal (log clearing): Cleaner is a purpose-built tool for removing forensic evidence from compromised systems after an operation. The group systematically clears logs to complicate incident response and attribution, reflecting a developer who understands what investigators look for. (An earlier version of this table mapped this row to T1485 Data Destruction; log clearing is indicator removal, not destruction of data for impact.)
  • T1657 Financial Theft (ATM jackpotting): Atmosphere is a custom ATM control toolkit designed to remotely command ATM cash dispensers. Once deployed on ATM-connected infrastructure, operators instruct money mules by phone to stand at specific machines at a predetermined time; the ATM ejects cash on command while the mule collects it. xfs-disp.exe serves a similar ATM control function and was used in the February 2019 attack on Russia's Omsk IT Bank.
  • T1543.003 Persistence via Windows Service: Silence.MainModule maintains persistent access by executing remote commands covertly and downloading files from the C2 server. The module is designed for long dwell times; compromises of targeted banks were observed to persist for months before the cashout event, allowing full reconnaissance of the payment infrastructure.
  • T1090 Proxy (traffic redirection): Silence.ProxyBot executes proxy server tasks and redirects traffic from a hidden node to a backconnect server via a compromised PC, masking the true C2 origin. During the Dutch-Bangla Bank intrusion, C2 communications were traced to an intermediary at 103[.]11.138.198 that served as the redirect point.
  • T1555 Credentials from Password Stores: Farse is a purpose-built tool for extracting passwords from compromised systems, enabling lateral movement with legitimate credentials rather than exploits. This is consistent with the group's pattern of using bank employee credentials to access payment infrastructure directly.
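
The SPF gap described in the T1566.001 row is easier to reason about with a concrete evaluator. The following is an added example, not code from Group-IB or from any of this profile's sources: it evaluates an SPF record and a DMARC policy for a claimed sending domain against a constructed, offline DNS table. The `.test` domains, addresses and records are assumptions for illustration, and only the ip4, ip6, a, include and all mechanisms are modelled. A domain that publishes no record yields the result "none", which is exactly why a receiving gateway cannot reject mail spoofed from it.

```python
"""Evaluate SPF and DMARC for a claimed sender against an offline DNS fixture.

Added example, not Group-IB's or Silence's code. The DNS table below is
constructed for illustration; the .test domains and addresses are not real.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS fixture: TXT records hold SPF/DMARC, A records serve the 'a' mechanism.
DNS: Dict[str, Dict[str, List[str]]] = {
    # A domain with no SPF at all: receivers get result "none" and cannot reject spoofs.
    "cbr-example.test": {"TXT": [], "A": ["198.51.100.10"]},
    "bank-example.test": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 include:relay-example.test -all"],
        "A": [],
    },
    "relay-example.test": {"TXT": ["v=spf1 a ip6:2001:db8::/32 ~all"], "A": ["192.0.2.25"]},
    "_dmarc.bank-example.test": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-example.test"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str) -> Optional[str]:
    """Return the domain's single SPF TXT record, or None (no record, or more than one)."""
    recs = [t for t in DNS.get(domain, {}).get("TXT", []) if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the mechanisms ip4, ip6, a, include and all (mx/ptr/exists are not modelled)."""
    if depth > 10:  # include loop guard
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a":
            matched = str(ip) in DNS.get(arg or domain, {}).get("A", [])
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue  # unsupported mechanism or modifier: skipped in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # fell off the end of the record


def dmarc_policy(domain: str) -> Optional[str]:
    """Return the p= tag of the domain's DMARC record, or None if it publishes none."""
    for txt in DNS.get("_dmarc." + domain, {}).get("TXT", []):
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
            return tags.get("p", "none")
    return None


def assess(domain: str, sender_ip: str) -> Dict[str, object]:
    """What a receiving gateway can conclude about mail claiming to be From: @domain."""
    spf = check_spf(domain, sender_ip)
    policy = dmarc_policy(domain)
    return {"spf": spf, "dmarc": policy, "rejectable": spf == "fail" and policy == "reject"}


if __name__ == "__main__":
    for dom in ("cbr-example.test", "bank-example.test"):
        print(dom, assess(dom, "192.0.2.99"))
```

The combination that actually stops the spoof is an SPF "fail" for the claimed domain together with a DMARC policy of p=reject; the first domain in the fixture has neither, so assess() reports it as not rejectable even though the sending address is obviously foreign to it.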

Known Campaigns

Confirmed or highly attributed operations based on Group-IB reporting and public incident disclosures.

AWS CBR Failed Attempt 2016

Silence's first detected operation targeted the Automated Workstation Client of the Central Bank of Russia, used for interbank money transfers. The group attempted to submit fraudulent payment orders but made formatting errors that caused the transaction to be blocked. This failure was detected by Group-IB and served as the first confirmed evidence of the group's existence. Despite the failure, it demonstrated that Silence was specifically targeting core banking infrastructure rather than retail banking systems — an approach that required insider-level knowledge of how Russian interbank settlement works.

First ATM Jackpot — Russia 2017

Group-IB confirmed Silence's first successful ATM jackpotting attack, in which the group netted $100,000 from Russian ATMs over a single night using the Atmosphere ATM control toolkit. Money mules were pre-positioned at specific cash machines and received phone-based coordination commands. This operation demonstrated that the group had successfully rebuilt its toolset after the 2016 failure and was now capable of executing the full attack chain from initial access through coordinated cashout.

Card Processing Cashouts, Russia 2018

Silence compromised a Russian bank's card processing system and modified ATM transaction limits, enabling coordinated withdrawals at ATMs belonging to the bank's counterpart financial institutions. Money mules using preloaded cards extracted approximately $550,000 over a single weekend. A second card processing attack in April 2018 — just two months later — extracted roughly $150,000 using the same scheme, indicating the group was prepared to reuse the attack vector quickly before defenses could be updated.

Global Expansion Phase — India, Kyrgyzstan, Russia 2018–2019

Following Group-IB's September 2018 public report on Silence, the group accelerated international expansion while simultaneously overhauling its toolset to avoid newly published detection signatures. Successful attacks were confirmed in India (August 2018), Russia's Omsk IT Bank (February 2019, using xfs-disp.exe for ATM control), and Kyrgyzstan (May 2019). The group began sending mass reconnaissance emails in October 2018 — distributing more than 170,000 non-malicious probing messages across three campaigns to build updated target lists of active banking email addresses across Asia, Europe, and the former Soviet Union.

Dutch-Bangla Bank ATM Heist — Bangladesh 2019

Silence's highest-profile confirmed operation. On May 31, 2019, coordinated money mules — recorded on CCTV wearing masks and communicating by phone before each withdrawal — extracted at least $3 million from Dutch-Bangla Bank ATMs across Bangladesh. Group-IB traced connections from Dutch-Bangla Bank hosts to a Silence C2 server at 103[.]11.138.198 dating back to at least February 2019, confirming the group had maintained persistent access for approximately four months before executing the cashout. The CCTV footage showing Ukrainian mules receiving phone instructions before each ATM transaction was consistent with Silence's coordinated mule management model. The Atmosphere trojan or xfs-disp.exe is assessed to have been used to dispense cash without leaving malware traces on the ATM hardware itself.

Multi-Country Campaign — Chile, Bulgaria, Costa Rica, Ghana 2019

In July 2019, Group-IB confirmed Silence attacks against banks in Chile, Bulgaria, Costa Rica, and Ghana, the group's first confirmed simultaneous multi-continent campaign. The EmpireDNSAgent (EDA), first detected by Group-IB in March 2019, was observed in active operations in this set of attacks. The rapid international spread confirmed that Silence had fully transitioned from a Russia-focused operation to a globally operating financial threat actor in roughly 18 months.

Tools & Malware

Silence's custom toolset is purpose-built for financial institution intrusions and reflects the professional security background of the group's developer. All major tools were developed in-house after the initial use of the borrowed Kikothac backdoor was abandoned.

  • TrueBot (Silence.Downloader): The primary first-stage loader. TrueBot collects system information about an infected host and relays it to an intermediate C2 server. It was completely rewritten after Group-IB's September 2018 report made the original version widely detectable. Signed with the same digital certificate as TA505's FlawedAmmyy loader, establishing a developer-level connection between the two groups. TrueBot was subsequently shared with and used by TA505 in Clop ransomware deployment chains.
  • Silence Framework (Silence.MainModule): The group's core infrastructure attack platform. Executes remote commands covertly on compromised systems and downloads additional files from the C2 server. Designed for extended dwell operations inside banking environments, providing persistent operator access during the reconnaissance phase before cashout.
  • Atmosphere: A custom ATM control toolkit enabling remote dispensation of cash from compromised ATM machines. Operators send commands via phone to money mules standing at specific machines. The tool requires no physical access to the ATM hardware once it has been deployed to connected infrastructure, making it particularly difficult to detect in environments where ATM management systems are not closely monitored.
  • xfs-disp.exe: A second ATM control trojan deployed at the execution stage, used as an alternative to Atmosphere. Documented in the February 2019 attack on Russia's Omsk IT Bank. Unlike Atmosphere, this tool leaves less forensic evidence on the ATM dispensing unit itself.
  • Silence.ProxyBot: Handles traffic redirection from hidden nodes to backconnect servers via compromised machines, masking the true origin of C2 traffic. Used during the Dutch-Bangla Bank intrusion to route operator communications through an intermediate relay point.
  • Farse: A credential extraction tool for harvesting passwords from compromised systems. Enables lateral movement using legitimate bank employee credentials, which reduces the need for further exploitation and helps the group blend into normal banking system activity during the reconnaissance phase.
  • Cleaner: A purpose-built log removal tool for post-operation evidence destruction. Reflects the developer's knowledge of exactly which forensic artifacts investigators and incident responders look for, making attribution and reconstruction of the attack timeline more difficult.
  • Ivoke: A fileless PowerShell loader introduced in May 2019 to replace the disk-resident first stage that had become detectable. Executes in memory without writing to disk, reducing the forensic footprint at initial access. Silence was notably late in adopting fileless techniques compared to peer groups — Group-IB assessed this delay as evidence that the group spent time studying other actors' approaches before customizing them.
  • EmpireDNSAgent (EDA): A PowerShell agent based on the Empire post-exploitation framework and the dnscat2 DNS tunneling tool, first detected by Group-IB in March 2019. Controls compromised systems through the command shell while tunneling traffic over DNS to evade HTTP/S-focused network monitoring. First observed in Silence's July 2019 attacks on banks in Chile, Bulgaria, Costa Rica, and Ghana.
  • Kikothac: A borrowed backdoor used only in Silence's earliest operations, including the failed 2016 AWS CBR attempt. Abandoned once the group's developer completed the custom Silence framework. Documented only as a starting point that revealed the group had no existing toolset at inception.
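
EDA's DNS tunneling leaves a measurable footprint in resolver logs: many distinct, long, high-entropy subdomains under a single registrable domain, frequently as TXT or NULL queries. The following is an added example, not Group-IB's detection content: it profiles a constructed query log in an assumed `<timestamp> <client> <qname> <qtype>` format and flags domains whose subdomain entropy, unique-subdomain count and TXT/NULL share exceed starting thresholds. The domain names, the thresholds and the "last two labels" public-suffix simplification are assumptions.

```python
"""Flag DNS-tunnelled C2 (dnscat2-style, as in EDA) from a resolver query log.

Added example, not Group-IB's detection content. The log lines are constructed:
ordinary enterprise lookups plus a burst of hex-encoded TXT queries to one domain.
Format assumed: "<timestamp> <client> <qname> <qtype>", one query per line.
"""
import hashlib
import math
from collections import defaultdict
from typing import Dict, List


def build_log() -> List[str]:
    """Constructed sample: 30 benign lookups, then 40 exfil chunks to c2-example.test."""
    lines = []
    normal = ["www.example-bank.test", "mail.example-bank.test", "ocsp.pki-example.test",
              "login.example-bank.test", "updates.vendor-example.test"]
    for i in range(30):
        lines.append(f"2019-02-11T09:{i:02d}:00 10.10.5.{20 + i % 3} {normal[i % len(normal)]} A")
    for i in range(40):  # each query carries a 20-byte chunk as 40 hex chars in the subdomain
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        lines.append(f"2019-02-11T10:{i:02d}:00 10.10.5.21 {chunk}.c2-example.test TXT")
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 payloads sit near 4-5, real hostnames well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    # Assumption: the registrable domain is the last two labels (no public-suffix handling here).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile(lines: List[str]) -> Dict[str, dict]:
    """Aggregate per registrable domain: volume, distinct subdomains, label entropy, TXT/NULL share."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": [], "txt_null": 0})
    for line in lines:
        _ts, _client, qname, qtype = line.split()
        parent = parent_domain(qname)
        sub = qname[: -len(parent) - 1] if len(qname) > len(parent) else ""
        s = stats[parent]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy"].append(shannon_entropy(sub.replace(".", "")))
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
    return stats


def suspicious(stats: Dict[str, dict], min_queries: int = 20,
               min_entropy: float = 3.0, txt_null_share: float = 0.5) -> Dict[str, List[str]]:
    """Domains that look like tunnels, with the reasons; the thresholds are starting points to tune."""
    flagged = {}
    for parent, s in stats.items():
        if s["queries"] < min_queries:
            continue
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        share = s["txt_null"] / s["queries"]
        reasons = []
        if mean_ent >= min_entropy and len(s["subdomains"]) >= min_queries:
            reasons.append(f"{len(s['subdomains'])} unique high-entropy subdomains ({mean_ent:.2f} bits/char)")
        if share >= txt_null_share:
            reasons.append(f"{share:.0%} of queries are TXT/NULL")
        if reasons:
            flagged[parent] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in suspicious(profile(build_log())).items():
        print(domain, "->", "; ".join(reasons))
```

Baseline first: a CDN, a cloud mail filter or an antivirus vendor's reputation lookups can legitimately produce high-entropy subdomains at volume, so the registrable domains that trip the entropy rule in normal operation belong on an allowlist before the alert is turned on.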

Indicators of Compromise

Publicly disclosed IOCs from Group-IB's Silence and Silence 2.0 reports and related incident disclosures. Given the group's pattern of retooling after public disclosure, earlier IOCs from pre-2019 operations should be treated as burned.

warning

Silence is known to actively monitor public threat intelligence reporting and retools its malware and infrastructure following public disclosure. The indicators published in Group-IB's 2018 report had been retired from the group's subsequent campaigns. For current IOCs, Group-IB's Threat Intelligence & Attribution platform is the primary source; YARA and Suricata rules are available to TI&A subscribers. The MD5 hashes below come from 2019 public disclosures and should be checked against current feeds before use.

indicators of compromise (selected public disclosures)
ip (C2, DBBL campaign): 103[.]11.138.198 (Silence C2 server, Dutch-Bangla Bank campaign)
hash md5 (Silence.MainModule): fd133e977471a76de8a22ccb0d9815b2
hash md5 (Silence.ProxyBot): 2fe01a04d6beef14555b2cf9a717615c
malware family: TrueBot / Silence.Downloader, first-stage loader (shares a signing certificate with TA505's FlawedAmmyy)
malware family: Atmosphere, custom ATM jackpotting toolkit
malware family: xfs-disp.exe, ATM dispenser control trojan
malware family: EmpireDNSAgent (EDA), DNS-tunneled PowerShell C2 agent
delivery type: CHM (Compiled HTML Help) files, macro-enabled Office documents, .LNK shortcuts
recon signature: non-malicious spoofed "delivery failed" notification (link present, no payload), used for email address harvesting
signing cert: SEVA Medical LTD, valid code-signing certificate used to sign a phishing attachment (2019 UK campaign)
signing cert note: TrueBot and TA505's FlawedAmmyy loader share a common signing certificate (developer-level link between the groups)
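
The delivery types listed above are recognizable from their file headers regardless of the filename the lure uses. The following is an added example, not code from this profile's sources, and it uses constructed header stubs and minimal ZIP containers rather than real samples: it classifies attachments by content (CHM, Windows shell link, OLE2 compound file, and OOXML with or without a vbaProject.bin) and applies a block/sandbox/allow decision that also catches extension masquerades such as a CHM file named .docx. The sample filenames and the policy sets are assumptions.

```python
"""Content-based triage of mail attachments: the delivery types Silence used (CHM, LNK,
macro-enabled Office) are identified by file header, not by the name the sender chose.

Added example, not Group-IB's or any vendor's code. The samples at the bottom are
constructed header stubs and minimal ZIP containers, not real malware.
"""
import io
import zipfile
from typing import Dict

CHM_MAGIC = b"ITSF"                                   # ITSS container used by .chm
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")         # OLE2 compound file (.doc/.xls/.ppt)
# Shell Link header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
ZIP_MAGIC = b"PK\x03\x04"


def classify(data: bytes) -> str:
    """Map the leading bytes (and, for ZIP, the member list) to a content class."""
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(OLE_MAGIC):
        return "ole-office"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"            # .docm/.xlsm/.pptm, whatever the extension says
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "ooxml"
        return "zip"
    return "other"


# What each extension should contain; a mismatch means the name lies about the content.
EXPECTED: Dict[str, str] = {
    "docx": "ooxml", "xlsx": "ooxml", "pptx": "ooxml",
    "docm": "ooxml-macro", "xlsm": "ooxml-macro", "pptm": "ooxml-macro",
    "doc": "ole-office", "xls": "ole-office", "ppt": "ole-office",
    "zip": "zip", "chm": "chm", "lnk": "lnk",
}
BLOCK = {"chm", "lnk", "ooxml-macro"}            # no legitimate inbound use in a banking workflow
SANDBOX = {"ole-office", "zip", "zip-corrupt"}   # legacy formats may carry VBA; detonate first


def triage(data: bytes, filename: str) -> str:
    """Return 'block', 'sandbox' or 'allow' for one attachment."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in BLOCK:
        return "block"
    if ext in EXPECTED and EXPECTED[ext] != kind:
        return "block"                           # extension masquerade
    if kind in SANDBOX:
        return "sandbox"
    return "allow"


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word container; the macro variant carries an empty vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample set, keyed by the filename the sender chose.
SAMPLES: Dict[str, bytes] = {
    "payment_order.chm": CHM_MAGIC + (3).to_bytes(4, "little") + b"\x00" * 28,
    "invoice.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
    "card_block_request.docm": make_ooxml(True),
    "statement.docx": make_ooxml(False),
    "contract.docx": CHM_MAGIC + b"\x00" * 32,      # CHM renamed to look like a Word file
    "ledger.xls": OLE_MAGIC + b"\x00" * 504,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}


def triage_all() -> Dict[str, str]:
    return {name: triage(data, name) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{verdict:8} {name}")
```

A gateway that keys only on the extension lets contract.docx through; a gateway that keys on content blocks it, and also blocks card_block_request.docm without needing to know whether the macro is malicious.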

Mitigation & Defense

Recommended controls for financial institutions in Silence's target profile, informed by the group's documented attack chain from initial phishing through ATM cashout.

  • Implement SPF, DKIM, and DMARC on All Banking Domains: Silence exploited the absence of Sender Policy Framework (SPF) records to spoof emails from trusted counterparties, including the Central Bank of Russia. SPF alone only publishes which hosts may send for a domain; it is a DMARC policy of p=reject (with SPF or DKIM alignment) that tells receiving gateways to discard mail that fails, so counterparties and the central bank need all three published and enforced, not merely present. Proper email authentication closes the impersonation vector that enabled initial access at many targeted institutions.
  • Filter and Sandbox CHM File Attachments: CHM (Compiled HTML Help) files are a documented Silence delivery mechanism and are rarely used in legitimate banking email workflows. Email security gateways should be configured to sandbox or block CHM attachments. Similarly, .LNK files and macro-enabled Office documents from external sources should trigger automatic sandboxing.
  • Monitor for DNS Tunneling Patterns: EDA (EmpireDNSAgent) uses DNS protocol for C2 and lateral movement. Deploy DNS monitoring capable of detecting anomalous query volumes, unusual query types (TXT, NULL records), and high-entropy subdomain strings consistent with DNS tunneling. Financial institutions should baseline normal DNS traffic and alert on deviations.
  • ATM Network Segregation and Monitoring: Silence compromises ATM-connected management infrastructure before touching the ATMs themselves. Segment ATM management networks from general corporate networks and implement behavioral monitoring for unusual administrative access to ATM management systems. Monitor for ATM dispenser commands issued outside of normal maintenance windows.
  • Card Processing System Access Controls: Silence's 2018 attacks involved modifying ATM transaction limits via card processing infrastructure. Implement strict role-based access controls on card processing systems, require multi-party authorization for limit changes, and log all administrative actions with out-of-band alerting for limit modifications.
  • Detect Extended Low-Volume Dwell Activity: Silence's attack model depends on months of quiet reconnaissance before cashout. Endpoint detection should be tuned for low-and-slow lateral movement, unusual process execution chains (especially PowerShell in banking environments), and credential access from unusual source machines within the domain.
  • Log Integrity and Monitoring: Cleaner is specifically designed to remove forensic evidence. Forward logs continuously to centralized, append-only storage that compromised endpoints cannot write to or modify, so that the copy the attacker clears is never the only copy. Treat Windows Security event 1102 (audit log cleared), System event 104 (log file cleared), and process-creation records invoking wevtutil cl or Clear-EventLog on any banking infrastructure machine as high-priority indicators of an active intrusion, and use the central copy of the events immediately preceding the clear as the starting point for scoping.
  • TrueBot Detection: TrueBot (Silence.Downloader) is a first-stage loader documented by Group-IB and subsequently shared with TA505, making it a dual-group indicator. YARA signatures for TrueBot are available to Group-IB TI&A subscribers. Behavioral detection should cover C2 beaconing patterns, system enumeration activity at initial execution, and unusual scheduled tasks or services registered within hours of a phishing email being opened.
  • Threat Intelligence Subscription for Financial Sector IOCs: Silence actively monitors public threat intelligence reports and retunes its toolset after disclosure. Subscribing to Group-IB's Threat Intelligence & Attribution platform — which maintains the most detailed Silence-specific IOC and YARA rule set — provides earlier warning of new campaign variants than open-source reporting alone.
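
The log-integrity control above depends on the central copy outliving the endpoint copy and on an alert firing when a clear happens. The following is an added example, not real logs or any vendor's detection content; the records are constructed in an assumed flattened event-forwarding shape with invented hosts, users and timestamps. It detects Security 1102, System 104 and process-creation command lines that clear event logs, then recovers from the central store the events in the window before each clear, which is exactly the activity a tool like Cleaner is run to erase.

```python
"""Detect log clearing on centrally forwarded Windows events and recover what preceded it.

Added example, not Group-IB's or any SIEM vendor's content. The records below are
constructed to look like flattened event-forwarding output; hosts, users and
timestamps are invented. The event IDs are the real ones: Security 1102 (audit log
cleared), System 104 (a log file was cleared) and Security 4688 (process creation).
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

EVENTS: List[dict] = [
    {"time": "2019-02-14T02:11:05Z", "host": "ATM-MGMT-01", "channel": "Security", "id": 4624,
     "data": {"TargetUserName": "svc_atm", "LogonType": "10"}},
    {"time": "2019-02-14T02:13:40Z", "host": "ATM-MGMT-01", "channel": "Security", "id": 4688,
     "data": {"SubjectUserName": "svc_atm", "CommandLine": "wevtutil.exe cl Security"}},
    {"time": "2019-02-14T02:13:41Z", "host": "ATM-MGMT-01", "channel": "Security", "id": 1102,
     "data": {"SubjectUserName": "svc_atm"}},
    {"time": "2019-02-14T02:13:42Z", "host": "ATM-MGMT-01", "channel": "System", "id": 104,
     "data": {"SubjectUserName": "svc_atm", "Channel": "System"}},
    {"time": "2019-02-14T08:00:00Z", "host": "WKS-0231", "channel": "Security", "id": 4688,
     "data": {"SubjectUserName": "jsmith", "CommandLine": "notepad.exe C:\\Users\\jsmith\\notes.txt"}},
]

# Command lines that clear event logs from the console or PowerShell.
CLEAR_CMD = re.compile(
    r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b|Remove-Item\b.*\.evtx", re.I)
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def parse_time(e: dict) -> datetime:
    return datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")


def detect_log_clearing(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (host, severity, description) for every clearing indicator, in log order."""
    alerts = []
    for e in events:
        d = e["data"]
        if (e["channel"], e["id"]) == ("Security", 1102):
            alerts.append((e["host"], "critical",
                           f"Security audit log cleared (1102) by {d.get('SubjectUserName', '?')}"))
        elif (e["channel"], e["id"]) == ("System", 104):
            alerts.append((e["host"], "high",
                           f"{d.get('Channel', '?')} log cleared (104) by {d.get('SubjectUserName', '?')}"))
        elif e["id"] == 4688 and CLEAR_CMD.search(d.get("CommandLine", "")):
            alerts.append((e["host"], "high", f"log-clearing command: {d['CommandLine']}"))
    return alerts


def context_before_clear(events: List[dict], window_minutes: int = 30) -> Dict[str, List[dict]]:
    """Central copies of the events in the window before each clear on the same host:
    the activity the clearing was meant to erase from the endpoint."""
    ctx: Dict[str, List[dict]] = {}
    for c in (e for e in events if (e["channel"], e["id"]) in CLEAR_EVENTS):
        lo, hi = parse_time(c) - timedelta(minutes=window_minutes), parse_time(c)
        bucket = ctx.setdefault(c["host"], [])
        for e in events:
            if e["host"] == c["host"] and lo <= parse_time(e) < hi and e not in bucket:
                bucket.append(e)
    return ctx


if __name__ == "__main__":
    for host, sev, msg in detect_log_clearing(EVENTS):
        print(f"[{sev}] {host}: {msg}")
    for host, evs in context_before_clear(EVENTS).items():
        print(host, "preceded by event IDs", [e["id"] for e in evs])
```

The 4688 rule only works if command-line auditing is enabled (Process Creation auditing with "Include command line in process creation events"); without it the CommandLine field is empty and only the 1102/104 rules fire, after the evidence on the endpoint is already gone.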

analyst note

The relationship between Silence and TA505 is one of the more nuanced in the financial threat landscape. Group-IB documented that TrueBot and TA505's FlawedAmmyy loader share a signing certificate, suggesting at minimum a common developer. By 2019, Silence had also reportedly begun purchasing initial access to banking networks from TA505 rather than running all phishing operations independently, functioning as a downstream consumer of TA505's access brokering. This means a Silence cashout event may be preceded by TA505-attributed initial access activity, complicating attribution during early incident response: an intrusion at a bank that looks like TA505 at the loader stage should not be closed out as a commodity infection. Group-IB designated Silence as one of the "Big Russian Three" financial cybercrime groups alongside Cobalt and MoneyTaker, the only groups confirmed to possess trojans capable of directly controlling ATM dispensers. Of the groups Group-IB tracked during the 2018–2019 review period, Silence was the only one confirmed to be conducting ATM cashout attacks, while Lazarus focused on SWIFT and other groups pursued card processing.

Sources & Further Reading

Attribution and references used to build this profile.

  • Group-IB, "Silence: Moving into the darkside" (September 2018)
  • Group-IB, "Silence 2.0: Going Global" (August 2019)
  • MITRE ATT&CK, Group G0091 "Silence"

— end of profile