

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. [1][2]

ID: G0091
Contributors: Oleg Skulkin, Group-IB
Version: 1.0
Created: 24 May 2019
Last Modified: 16 July 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Silence has used the Windows command line to run commands.[1][2]

Enterprise T1223 Compiled HTML File

Silence has weaponized CHM files in their phishing campaigns.[1][2]

Enterprise T1106 Execution through API

Silence leverages the Windows API to perform a variety of tasks.[2]

Enterprise T1107 File Deletion

Silence deleted scheduled task files after execution.[1]

Enterprise T1027 Obfuscated Files or Information

Silence has used environment variable string substitution for obfuscation.[1]
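As an added illustration, written for this entry and not taken from the ATT&CK page or from any Silence sample, the following Python emulates how cmd.exe expands %VAR:~start,len% substring references and %VAR:old=new% replacement references. Running it over a logged command line recovers the command that was assembled out of fragments of environment variables, which is what this obfuscation relies on to defeat keyword matching. The environment values and the obfuscated command line are constructed for the example.

```python
import re

# Constructed environment for this example; values mirror Windows defaults.
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
    "PROGRAMDATA": r"C:\ProgramData",
}

# Constructed obfuscated command line: every character of "cmd /c dir C:\"
# except the spaces and "/c" is cut out of an environment variable.
OBFUSCATED = r"%COMSPEC:~-7,3% /c %COMSPEC:~6,1%%PUBLIC:~-2,1%%PUBLIC:~6,1% %COMSPEC:~0,3%"

# One %NAME%, %NAME:~start[,len]% or %NAME:old=new% reference.
_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)(?::([^%]*))?%")


def _to_int(text):
    """cmd.exe treats a missing or non-numeric offset as 0."""
    try:
        return int(text)
    except ValueError:
        return 0


def _substring(value, spec):
    """Emulate %VAR:~start% and %VAR:~start,len% (negative values count from the end)."""
    parts = spec.split(",", 1)
    n = len(value)
    start = _to_int(parts[0])
    if start < 0:
        start = max(n + start, 0)
    if len(parts) == 1:
        return value[start:]
    length = _to_int(parts[1])
    end = n + length if length < 0 else start + length  # negative len = end offset
    return value[start:end] if end > start else ""


def _replace(value, spec):
    """Emulate %VAR:old=new% and %VAR:*old=new% (case-insensitive, like cmd.exe)."""
    old, new = spec.split("=", 1)
    if old.startswith("*"):
        # *old=new replaces everything up to and including the first 'old'
        needle = old[1:]
        idx = value.lower().find(needle.lower()) if needle else -1
        return value if idx < 0 else new + value[idx + len(needle):]
    if not old:
        return value
    return re.sub(re.escape(old), lambda m: new, value, flags=re.IGNORECASE)


def expand_cmd_string(command, env):
    """Single-pass expansion of cmd.exe variable references in a command line.

    Undefined variables are left literal, as cmd.exe does interactively
    (inside a .bat file they would expand to nothing). Nested or escaped
    (%%) references and delayed (!VAR!) expansion are out of scope.
    """
    def repl(match):
        name, spec = match.group(1), match.group(2)
        value = env.get(name.upper())
        if value is None:
            return match.group(0)
        if spec is None:
            return value
        if spec.startswith("~"):
            return _substring(value, spec[1:])
        if "=" in spec:
            return _replace(value, spec)
        return match.group(0)

    return _REF.sub(repl, command)


if __name__ == "__main__":
    print(expand_cmd_string(OBFUSCATED, SAMPLE_ENV))  # cmd /c dir C:\
```

Apply the expansion to process command lines before running keyword or signature matching, since "cmd /c dir" never appears literally in the obfuscated form. The substring offsets only resolve correctly against the variable values of the host that ran the command, so prefer the environment recorded for that host over the defaults used here.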

Enterprise T1053 Scheduled Task

Silence has used scheduled tasks to stage its operation.[1]
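As an added detection example, written for this entry rather than taken from the ATT&CK page or from any Silence report, the Python below covers the two behaviours listed above: staging through a scheduled task and removing that task once it has run. It correlates Windows Security events 4698 (scheduled task created) and 4699 (scheduled task deleted) to surface tasks that live only minutes, and pulls the launched command out of the task XML carried in the 4698 record. The event records, task names, user and command are constructed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed records in the shape of Security log events 4698 (task created)
# and 4699 (task deleted). Task names, user and command are invented.
SAMPLE_EVENTS = [
    {
        "EventID": 4698,
        "TimeCreated": "2019-05-24T10:00:00",
        "SubjectUserName": "operator",
        "TaskName": r"\Microsoft\Windows\UpdateCheck",
        "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\cmd.exe</Command>
      <Arguments>/c C:\\Users\\Public\\stage.vbs</Arguments>
    </Exec>
  </Actions>
</Task>""",
    },
    {
        "EventID": 4699,
        "TimeCreated": "2019-05-24T10:02:30",
        "SubjectUserName": "operator",
        "TaskName": r"\Microsoft\Windows\UpdateCheck",
    },
    {
        # A long-lived built-in task: created and never deleted in the window.
        "EventID": 4698,
        "TimeCreated": "2019-05-24T11:00:00",
        "SubjectUserName": "SYSTEM",
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "TaskContent": '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                       '<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions></Task>',
    },
]


def task_command(task_content):
    """Return 'Command Arguments' of the first <Exec> action in a task XML."""
    if not task_content:
        return ""
    # The logged XML keeps its UTF-16 declaration although the text is already
    # decoded; drop it so ElementTree does not try to honour that encoding.
    xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(xml)
    exec_el = root.find(".//t:Actions/t:Exec", TASK_NS)
    if exec_el is None:
        return ""
    cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
    args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
    return f"{cmd} {args}".strip()


def short_lived_tasks(events, window=timedelta(minutes=10)):
    """Pair each 4698 with a later 4699 for the same task name within `window`."""
    pending = {}   # task name -> (creation time, 4698 record)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        name = ev.get("TaskName")
        if ev["EventID"] == 4698:
            pending[name] = (ts, ev)
        elif ev["EventID"] == 4699 and name in pending:
            created_at, created = pending.pop(name)
            if ts - created_at <= window:
                findings.append({
                    "task": name,
                    "user": created.get("SubjectUserName"),
                    "lifetime_seconds": (ts - created_at).total_seconds(),
                    "command": task_command(created.get("TaskContent", "")),
                })
    return findings


if __name__ == "__main__":
    for finding in short_lived_tasks(SAMPLE_EVENTS):
        print(finding)
```

Events 4698 and 4699 are only written when "Audit Other Object Access Events" is enabled. The pairing also covers only removal through the Task Scheduler API: a task XML deleted straight out of C:\Windows\System32\Tasks\ raises no 4699, so file-deletion telemetry on that directory (for example Sysmon event 23) is needed to catch that variant.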

Enterprise T1113 Screen Capture

Silence can capture victim screen activity.[2]

Enterprise T1064 Scripting

Silence has used JS, VBS, and PowerShell scripts.[1]

Enterprise T1035 Service Execution

Silence has used Winexe to install a service on the remote system.[2]

Enterprise T1193 Spearphishing Attachment

Silence has sent emails with malicious DOCX, CHM and ZIP attachments.[1][2]

Enterprise T1204 User Execution

Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.[1][2]

Enterprise T1125 Video Capture

Silence has been observed recording video of victims' screens to observe bank employees' day-to-day activities.[2]


Software

ID Name References Techniques
S0191 Winexe [2] Service Execution