SilentNight
SilentNight is a malware family referenced in reporting on financially motivated intrusion activity. It is explicitly named as malware deployed by UNC2686 alongside BAZARLOADER variants, TRICKBOT, and URSNIF. Separate reporting notes that actors shifted to other malware, such as DarkGate and SilentNight, after the disruption of prior access methods, indicating its use as an alternative payload in ransomware intrusion ecosystems. One cited source states that SilentNight was involved in attacks aimed at distributing Ryuk ransomware. The cited reporting therefore associates SilentNight with cybercriminal operations tied to ransomware delivery and post-initial-access intrusion chains, but it does not provide technical details on the malware's functionality, infection vector, supported platforms, or specific indicators of compromise.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"The threat cluster relies heavily on Remote Monitoring and Management (RMM) tools, unlike UNC2686 which deployed BAZARLOADER variants as well as TRICKBOT, URSNIF, and SILENTNIGHT."
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"The infection vector has often been a phishing email delivering either Emotet or TrickBot… BazarLoader is generally distributed through phishing campaigns."
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Alternative malware referenced as being used for initial access after QakBot disruption.
Trojan sold on Russian-speaking underground forums (since late 2019) observed in phishing-driven campaigns associated with Ryuk distribution; described as a variant of Zloader.