Silence (G0091): A Persistent Financial Threat to Global Banking
- Suspected Origin
- Russia/Eastern Europe
- Motivation
- Financial Gain
- Aliases
- Whisper Spider
- Target Sectors
- Financial
- Associated Malware
- TrueBot, Atmosphere, ProxyBot, Farse6.1, Empire, PsExec, RAdmin, Nmap, Winexe, Meterpreter, TinyMet
Overview
Silence, tracked as G0091 by MITRE ATT&CK and also known by its alias Whisper Spider, is a persistent and highly effective financially motivated threat actor. Active since at least June 2016, this group primarily targets financial institutions, with a focus on stealing cash directly from banking systems. Initial operations concentrated on Russia and Eastern European countries, but the group has demonstrably expanded its targeting to include banks in Central and Western Europe, Africa, and Asia, making it a truly global threat. Intelligence suggests the group is Russian-speaking, an attribution supported by the language used in their backdoor commands (Russian words typed on an English keyboard layout), their infrastructure choices, and the historical geographic focus of their attacks. A particularly intriguing hypothesis posits that at least one member of Silence may have a background in the cybersecurity industry, which could explain their sophisticated tradecraft and adaptability. The confirmed financial damage linked to Silence’s activities has been significant, initially estimated around $800,000, but later surging to over $4 million by late 2019 as their operations became more widespread and successful.
Tactics & Techniques
Silence employs a methodical approach to infiltrate and compromise financial networks, leveraging a blend of custom malware and legitimate tools. Their initial access almost exclusively relies on highly crafted spearphishing campaigns. These emails are often weaponized with malicious attachments in DOCX, CHM, LNK, and ZIP formats, designed to exploit known vulnerabilities like CVE-2017-0199, CVE-2017-0262, CVE-2017-11882, CVE-2018-0802, and CVE-2018-8174. A notable evolution in their initial access tactics, observed since October 2018, involves sending preliminary, malware-free reconnaissance emails. These are used to test email validity and gather information on the target’s antivirus solutions before launching the actual malicious payload.
Once a foothold is established, Silence exhibits strong capabilities in various stages of the attack lifecycle. For execution, they commonly utilize PowerShell, JavaScript, and VBS scripts, often invoking Windows API functions such as CreateProcess() or ShellExecute(). Persistence is a critical component of their operations, frequently achieved through the creation of scheduled tasks and modifications to registry run keys or startup folders.
To escalate privileges and facilitate lateral movement, Silence relies heavily on compromised credentials. They are known to use a custom tool, Farse6.1 (a variant of Mimikatz), to extract credentials from lsass.exe processes. Lateral movement across the network is typically performed using Remote Desktop Protocol (RDP) and by deploying tools like Winexe to install services on remote systems. Network discovery is often performed using Nmap to map the corporate network topology and identify vulnerable hosts.
Defense evasion techniques are sophisticated and include obfuscating malware code and using environment variable string substitution. They have also been observed signing their primary loader, Silence.Downloader (TrueBot), with valid certificates to appear legitimate. Data collection from compromised systems includes capturing screen activity and gathering extensive information about the infected computer, running processes, network parameters, connections, and user accounts. For command and control (C2), they leverage non-standard ports, specifically port 444, for data exfiltration and employ custom proxies like ProxyBot to redirect traffic. After successful operations, they use Windows scheduler tasks to delete files and cover their tracks.
Notable Campaigns
Silence’s operational history began with less successful attempts, such as a failed effort to withdraw money via the Russian Central Bank’s Automated Workstation Client (AWS CBR) in July 2016. However, they quickly refined their techniques, achieving their first successful cyber-heist in October 2017. This incident involved targeting a bank’s ATM control systems to execute “jackpotting” attacks, where ATMs are commanded to dispense cash, resulting in a theft exceeding $100,000.
The group gained significant notoriety for its sustained and impactful campaigns against financial institutions. By 2019, the total confirmed financial losses attributed to Silence surged from an initial $800,000 to approximately $4.2 million, underscoring their increasing effectiveness and the expansion of their operations. A particularly high-profile incident involved the Dutch-Bangla Bank in Bangladesh, from which Silence stole over $3 million through multiple ATM cash-out attacks.
Intelligence reporting has also suggested a potential operational overlap or cooperation between Silence and another prominent threat group, TA505. This observation stems from the use of similar tools in some of Silence’s attacks, indicating a dynamic and possibly collaborative threat landscape.
Associated Malware & Tools
Silence has developed and deployed a range of custom malware, alongside modified and legitimate publicly available tools, to facilitate their attacks. Key custom malware families include:
- Silence.Downloader (aka TrueBot): This is a primary loader with botnet and injector capabilities, often signed with valid certificates to bypass defenses. TrueBot is versatile, capable of adding victim devices to a botnet and facilitating the download and installation of additional malicious components.
- Atmosphere: A custom malware used specifically in ATM money-dispensing attacks.
- ProxyBot: A module that allows attackers to redirect network traffic from a compromised host to their command and control infrastructure via Socks4/Socks5 proxies.
- Farse6.1: A variant of the credential dumping tool Mimikatz, specialized for extracting sensitive login information from the lsass.exe process.
- Ivoke, Kikothac, Cleaner, ReconModule, xfs-disp.exe: Other specialized malware components identified in their arsenal.
- WINWORD.exe: A backdoor that masquerades as a legitimate Microsoft Word process.
Beyond their custom creations, Silence skillfully incorporates legitimate tools and frameworks into their operations to blend in with normal network activity, a tactic often referred to as “living off the land”. These include:
- Empire: A post-exploitation framework.
- PsExec: For executing processes on remote systems.
- RAdmin: A legitimate remote administration tool abused for remote control of workstations and ATMs.
- Nmap: For network scanning and reconnaissance.
- Winexe: For installing services on remote computers.
- Meterpreter and TinyMet: Components often associated with the Metasploit Framework, used for advanced payload delivery and post-exploitation.
Current Status
Silence remains an active and evolving threat to the global financial sector. Despite their first appearance dating back to 2016, ongoing threat intelligence updates from various security vendors into 2026 continue to monitor and profile their activities. While specific incidents since the publicly reported $4.2 million in losses by 2019 are not detailed in readily available public summaries, the consistent inclusion in active threat actor databases and the descriptive language used (e.g., “is a financially motivated threat actor targeting financial institutions”) indicates that Silence is still operational and poses a significant risk. Organizations within the financial sector, particularly those in Eastern Europe, Central Asia, and increasingly worldwide, should maintain heightened vigilance against the sophisticated tactics and evolving toolset of the Silence group. Continuous monitoring and robust defensive strategies are essential to mitigate the threat posed by this persistent and adaptable adversary.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call