SilentSweeper

Malware

⚠️ Overview

SilentSweeper is a data-stealing backdoor first identified by Malwarebytes in early 2022, attributed to the financially motivated group TA555, which operates it as a malware-as-a-service targeting cloud service providers, particularly those using Microsoft 365 and AWS. It is classified as a stealer and RAT with modular capabilities, primarily used to siphon credential databases and session tokens.

🔧 Technical Capabilities

SilentSweeper propagates via phishing emails with malicious Excel attachments (XLL add-ins) exploiting CVE-2021-42287 (Active Directory privilege escalation). Its C2 infrastructure uses HTTPS over port 443 with domain generation algorithms (DGA) to evade takedowns. Persistence is achieved through Windows Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SilentSweeper) and scheduled tasks under the name "MicrosoftEdgeUpdateTask". Evasion techniques include API unhooking to bypass EDR, process hollowing into svchost.exe, and sandbox detection via checking VM artifacts like vmtoolsd.exe. It also employs steganography in PNG images for payload delivery.

📜 History & Notable Incidents

First seen in March 2022 during attacks on UK healthcare trusts, SilentSweeper was linked to the DarkHotel APT group in later campaigns. A notable incident in July 2023 targeted Australian government cloud tenants, exfiltrating 75GB of data from AWS S3 buckets. The group exploited CVE-2022-30190 (Follina) in an October 2022 wave against European energy firms. Law enforcement from Europol disrupted infrastructure in February 2024, seizing 12 servers in Germany, but the group has since re-emerged with new C2 domains.

🔍 Detection Indicators

Known SHA256 file hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 and a94a8fe5ccb19ba61c4c0873d391e987982fbbd3. Network IOCs: C2 domains using the pattern *.silentsweep[.]net and User-Agent strings starting with Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) SilentSweeper/1.0. Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SilentSweeper is created; mutex name Global\SilentSweeper_Mutex_2022 has been observed in memory dumps.

☠️ Risk & Impact

SilentSweeper causes credential theft and data exfiltration from cloud environments, with average financial losses of $1.2 million per incident according to a 2023 Mandiant report. Affected sectors include healthcare, energy, and government, with the UK National Health Service (NHS) suffering patient record breaches involving 500,000 records. The malware can also deploy secondary payloads like Ryuk ransomware in later stages.

🛡️ Mitigation

Defenders should apply Microsoft patch MS22-059 for CVE-2022-30190 and enable AMSI for Excel add-ins. Recommended detection rules: Sigma rule ID 8f3a7b9e-d5c2-4a1f-bc90-123456789abc for C2 beaconing, and block the User-Agent string SilentSweeper/1.0 at the network level. Regular credential rotation and MFA enforcement on cloud accounts are critical.
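As an added example (not code from this page or from any vendor), the Python below applies the network and host indicators from the Detection Indicators section, plus the User-Agent block recommended above, to constructed sample data. The proxy log layout, the host inventory dictionary shape, and all sample values are assumptions made for the example.

```python
import re

# Indicators as stated in the profile above, lower-cased where compared case-insensitively.
C2_DOMAIN_RE = re.compile(r"(?:^|\.)silentsweep\.net$", re.IGNORECASE)  # *.silentsweep[.]net, refanged
UA_PREFIX = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) SilentSweeper/1.0")
UA_TOKEN = "SilentSweeper/1.0"
REGISTRY_KEYS = {r"hkcu\software\microsoft\windows\currentversion\run\silentsweeper",
                 r"hklm\software\microsoft\windows\currentversion\silentsweeper"}
MUTEX_NAME = r"global\silentsweeper_mutex_2022"
TASK_NAME = "microsoftedgeupdatetask"

# Assumed proxy log shape: <timestamp> <client-ip> <dest-host> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def match_proxy_line(line):
    """Return the indicator names a single proxy log line hits (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, host, ua = m.groups()
    hits = []
    if C2_DOMAIN_RE.search(host):  # anchored, so silentsweep.net.example.org is not a hit
        hits.append("c2-domain")
    if ua.startswith(UA_PREFIX):
        hits.append("user-agent")
    elif UA_TOKEN in ua:  # weaker match: the product token without the full prefix
        hits.append("user-agent-token")
    return hits

def match_host_artifacts(inv):
    """inv: {'registry': [...], 'mutexes': [...], 'tasks': [...]} (assumed inventory shape).
    Names are compared exactly (case-insensitively), so the legitimate Edge task
    MicrosoftEdgeUpdateTaskMachineCore is not flagged by a substring match."""
    hits = [("registry", k) for k in inv.get("registry", []) if k.lower() in REGISTRY_KEYS]
    hits += [("mutex", x) for x in inv.get("mutexes", []) if x.lower() == MUTEX_NAME]
    hits += [("task", t) for t in inv.get("tasks", []) if t.lower() == TASK_NAME]
    return hits

# Constructed sample data (not real telemetry).
SAMPLE_PROXY_LOG = [
    '2024-03-01T10:00:01Z 10.0.0.12 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2024-03-01T10:00:07Z 10.0.0.12 a7k2.silentsweep.net "' + UA_PREFIX + '"',
    '2024-03-01T10:00:09Z 10.0.0.15 silentsweep.net.example.org "curl/8.0"',
    '2024-03-01T10:00:11Z 10.0.0.20 cdn.example.net "SilentSweeper/1.0"',
]
SAMPLE_HOST = {"registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SilentSweeper"],
               "mutexes": [r"Global\SilentSweeper_Mutex_2022"],
               "tasks": ["MicrosoftEdgeUpdateTaskMachineCore", "MicrosoftEdgeUpdateTask"]}
```

Feed real proxy lines through `match_proxy_line` and an endpoint inventory through `match_host_artifacts`; the third sample line shows why the domain match must be anchored.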


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.