Security researchers have noticed a spike in devices infected with TrueBot, a malware downloader created by a Russian-speaking hacking group known as Silence. The Silence group is known for its large heists against financial institutions and has begun to shift away from phishing as an initial compromise vector. The threat actor is also using a new custom data exfiltration tool called Teleport.

Analysis of Silence's attacks over the past months revealed that the gang delivered Clop ransomware, which is typically deployed by TA505 hackers, who are associated with the FIN11 group.

TrueBot is a first-stage module that can collect basic information and take screenshots. It also exfiltrates Active Directory trust relationship information that helps the threat actor plan post-infection activity. In the post-compromise phase, the hackers use TrueBot to drop Cobalt Strike beacons or the Grace malware (FlawedGrace, GraceWire), which has been attributed to the TA505 cybercriminal group. After that, the intruders deploy Teleport, which Cisco describes as a novel custom tool built in C++ that helps hackers steal data stealthily.

Group-IB researchers describe Silence hackers as highly skilled: they can reverse engineer malware to modify it for their own purposes, adapt an exploit used by the nation-state group Fancy Bear at the assembler-instruction level, and develop their own tools.