Silent
SILENT is a Malware-as-a-Service operation analyzed by Breakglass Intelligence and branded as "SILENT." It was observed being distributed via pinkiecraft.com, a fake Minecraft client site serving a 57.2 MB ZIP archive containing an NSIS installer named PinkieCraft.exe. The installer deployed a triple-encrypted Electron-based payload set, including an infostealer, a Discord injection component, and a RAT-capable main process. The operation was described as technically capable but operationally sloppy due to exposed React source maps, development leaks, test keys in production, and misconfigured CORS.
The malware's payloads included crypted.js as the primary infostealer, discord-injection-obf.js as a Discord credential interception module, and main.js as the Electron main process handling command-and-control, persistence, and privilege escalation. The JavaScript payloads were AES-256-CBC encrypted with keys derived by PBKDF2 (SHA-512, 100,000 iterations); once decrypted, the scripts themselves turned out to be obfuscated with JsConfuser. Bundled modules included sqlite3, @primno/dpapi, ws, and node-telegram-bot-api.
SILENT targets Windows systems and steals browser cookies, saved passwords, autofill data, Discord tokens, browser extension wallet data, Telegram sessions, and gaming-platform-related account data. Targeted browsers included Google Chrome, Microsoft Edge, Brave, Opera Stable, Opera GX, Opera Neon, Vivaldi, Yandex Browser, and Mozilla Firefox. It used Chrome remote debugging hijack techniques by launching browsers with --remote-debugging-port and --headless to extract cookies via the DevTools protocol, and also downloaded Python 3.10 from globalcdn.nuget.org for a secondary cookie extraction method. It targeted wallets and related extensions including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Binance Chain, Atomic Wallet, Authenticator, and Exodus, and exfiltrated the desktop Exodus wallet directory. It also stole Roblox, Steam, TikTok, and Minecraft-related account data, including Steam data via API key 440D7F4D810EF9298D25EDDF37C1F902. Telegram tdata session directories were archived and uploaded to GoFile infrastructure including e1.gofile.io, e2.gofile.io, e5.gofile.io, and e8.gofile.io.
The Discord injection component overwrote discord_desktop_core-*/index.js, restarted Discord, and intercepted login credentials, MFA codes, backup codes, profile changes, payment methods, friend lists, guild data, and QR-code-based remote authentication. It also intercepted Discord payment transactions involving Braintree merchant ID 49pp2rp4phym7387 and Stripe.
For defense evasion and privilege escalation, SILENT attempted six sequential UAC bypass techniques, including fodhelper.exe, eventvwr.exe, SilentCleanup task abuse, exefile runas hijacking, and a VBScript ShellExecute runas method. It added Windows Defender exclusions using PowerShell Add-MpPreference commands and killed Discord, Steam, major browsers, and Minecraft clients to release locks on credential stores.
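An added example (not code from the page, from Mallory, or from Breakglass Intelligence): a minimal triage of process-creation events for the behaviours described above, namely a browser started with --remote-debugging-port and --headless, Add-MpPreference exclusions from PowerShell, fodhelper.exe/eventvwr.exe launched by something other than explorer.exe, and taskkill against the credential-holding apps. Every event below is constructed, and the parent path is a placeholder standing in for wherever the installer unpacked itself.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon Event ID 1 shape), not real
# telemetry. The parent path is a placeholder for the unpacked installer.
PARENT = r"C:\Users\u\AppData\Local\Temp\PinkieCraft\PinkieCraft.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent": PARENT,
     "cmdline": 'chrome.exe --remote-debugging-port=9222 --headless --user-data-dir="C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": PARENT,
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionPath "C:\\Users\\u\\AppData\\Local\\Temp\\PinkieCraft"'},
    {"image": r"C:\Windows\System32\fodhelper.exe", "parent": PARENT, "cmdline": "fodhelper.exe"},
    {"image": r"C:\Windows\System32\taskkill.exe", "parent": PARENT,
     "cmdline": "taskkill /F /IM Discord.exe /IM chrome.exe /IM steam.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe --profile-directory=Default"},  # benign
]

RE_DEVTOOLS = re.compile(r"--remote-debugging-port(=\d+)?\b")
RE_HEADLESS = re.compile(r"--headless\b")
RE_MPPREF = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
UAC_BINARIES = {"fodhelper.exe", "eventvwr.exe"}  # two of the bypass vehicles named above
CRED_HOLDERS = {"discord.exe", "steam.exe", "chrome.exe", "msedge.exe", "brave.exe",
                "opera.exe", "vivaldi.exe", "browser.exe", "firefox.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the triage labels an event earns; an empty list means nothing matched."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    hits: List[str] = []
    # Cookie theft over the DevTools protocol: a browser started headless with remote
    # debugging enabled. Legitimate automation does this too, so the parent decides.
    if RE_DEVTOOLS.search(cmd) and RE_HEADLESS.search(cmd):
        hits.append("browser-devtools-cookie-access")
    # Defender exclusion added through PowerShell.
    if img in {"powershell.exe", "pwsh.exe"} and RE_MPPREF.search(cmd):
        hits.append("defender-exclusion-added")
    # Auto-elevating binaries are normally launched by explorer.exe, not by a user app.
    if img in UAC_BINARIES and parent != "explorer.exe":
        hits.append("uac-bypass-candidate")
    # Force-killing the apps whose credential stores the stealer wants unlocked.
    if img == "taskkill.exe" and any(p in cmd.lower() for p in CRED_HOLDERS):
        hits.append("credential-app-kill")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]
```

Run `scan(SAMPLE_EVENTS)` to see one label per malicious event and nothing for the benign Chrome launch; in practice the parent-process condition is what keeps the DevTools rule from firing on test automation.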
The backend infrastructure included an admin panel hosted at funnywebsiteviewer.onrender.com with exposed production source maps at /static/js/main.17bcf5b0.js.map, revealing unminified React source code and backend details. The backend URL was hardcoded as https://datanetworksync.onrender.com. The operator login flow used WEEKLY-{32-char-hex} license keys, Telegram bot OTP delivery, and JWT issuance with a 5-minute OTP expiration. Recovered source code contained French-language comments, and backend leaks exposed development details including the path /var/www/new-api-protocol/. Exposed RAT functionality included screenshots, PowerShell execution, system control, file browsing, file download, EXE upload-and-execute, Discord token regeneration, credential re-harvest, alerts, sound playback, and bidirectional chat. Two chat endpoints were reportedly left unauthenticated. During a 92-minute observation window, an unauthenticated /api/health endpoint on the Cloudflare Worker proxy showed active API keys increasing from 75 to 76, indicating ongoing victimization in real time.
Separately from the MaaS operation, "Silent" is also listed in 2025 reporting as a newly identified ransomware group within the fragmented ransomware ecosystem, alongside groups such as Gunra, IMN Crew, Dire Wolf, JGroup, DATACARRY, and SatanLock. The provided content does not establish whether that ransomware-group reference is the same malware family or operator set as the SILENT MaaS infostealer/RAT operation.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution (3 techniques)
- Scheduled tasks: XML-defined tasks named GoogleUpdateTaskMachineCore, Adobe Acrobat Update, or CCleaner Update -- triggers on boot... logon... every 4 hours, and session unlock.

Persistence (4 techniques)
- Scheduled tasks: as under Execution.
- WMI event subscription: filter WinUpdate{SID} fires daily at 8:00 AM via WQL __InstanceModificationEvent.

Privilege Escalation (5 techniques)
- Scheduled tasks: as under Execution.
- WMI event subscription: as under Persistence.
- COM hijacking: HKCU\Software\Classes\CLSID\{clsid}\InprocServer32.

Stealth (1 technique)

Credential Access (4 techniques)
- The tdata session directory is archived and uploaded to GoFile... giving the operator full Telegram account access without re-authentication (T1539).
- Cryptocurrency wallet theft: eight browser extension wallets are targeted by extension ID (T1552)... The desktop Exodus wallet at %APPDATA%\Exodus\exodus.wallet\ is also exfiltrated.

Collection (2 techniques)

Command and Control (2 techniques)

Exfiltration (1 technique)
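An added example (not code from the page or from Mallory) for the persistence artifacts listed above: it profiles a Task Scheduler XML definition against the lookalike task names and the boot/logon/every-4-hours/session-unlock trigger set, and checks a WMI event filter against the WinUpdate{SID} naming and the __InstanceModificationEvent query. The task XML is constructed, its command path is a placeholder, and the Win32_LocalTime/Hour clause in the sample WQL is an assumption about how such a daily timer is usually written.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
LOOKALIKE_TASKS = {"GoogleUpdateTaskMachineCore", "Adobe Acrobat Update", "CCleaner Update"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)
WMI_FILTER_NAME = re.compile(r"^WinUpdateS-1-5-[\d-]+$")  # "WinUpdate" + the user's SID

# Constructed task definition mirroring the trigger set documented above;
# the command path is a placeholder, not a real sample artifact.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdateTaskMachineCore</URI></RegistrationInfo>
  <Triggers>
    <BootTrigger/><LogonTrigger/>
    <TimeTrigger><Repetition><Interval>PT4H</Interval></Repetition></TimeTrigger>
    <SessionStateChangeTrigger><StateChange>SessionUnlock</StateChange></SessionStateChangeTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\Users\u\AppData\Local\Temp\update.exe</Command></Exec></Actions>
</Task>"""

def profile_task(xml_text: str) -> dict:
    """Pull the name, trigger kinds, repetition interval and command out of task XML."""
    root = ET.fromstring(xml_text)
    uri = root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}URI") or ""
    triggers = [t.tag.replace(TASK_NS, "") for t in root.find(f"{TASK_NS}Triggers")]
    interval = root.findtext(f".//{TASK_NS}Repetition/{TASK_NS}Interval")
    command = root.findtext(f".//{TASK_NS}Exec/{TASK_NS}Command") or ""
    return {"name": uri.lstrip("\\"), "triggers": triggers, "interval": interval, "command": command}

def task_findings(p: dict) -> list:
    reasons = []
    if p["name"] in LOOKALIKE_TASKS:
        reasons.append("lookalike-task-name")
    if USER_WRITABLE.search(p["command"]):  # vendor updaters do not run from Temp/AppData
        reasons.append("runs-from-user-writable-path")
    # Boot + logon + session unlock + a 4-hour repetition is the documented trigger profile.
    if {"BootTrigger", "LogonTrigger", "SessionStateChangeTrigger"} <= set(p["triggers"]) and p["interval"] == "PT4H":
        reasons.append("silent-trigger-profile")
    return reasons

def wmi_filter_findings(name: str, query: str) -> list:
    """Triage a __EventFilter (e.g. from Sysmon Event ID 19) by name and WQL shape."""
    reasons = []
    if WMI_FILTER_NAME.match(name):
        reasons.append("winupdate-sid-filter-name")
    if "__InstanceModificationEvent" in query and "Win32_LocalTime" in query:
        reasons.append("timer-style-wql")  # polling the clock is how a daily 8:00 AM fire is expressed
    return reasons
```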
IOCs tracked for this family
18 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
SILENT is a Malware-as-a-Service operation delivered via a fake Minecraft client named PinkieCraft. It functions as both an infostealer and RAT, stealing browser credentials, Discord tokens, cryptocurrency wallets, gaming platform data, and Telegram sessions, while also providing persistent remote access, PowerShell execution, file operations, screenshots, chat, and system control.
A ransomware family operational in 2025, using identity-based access vectors such as stolen credentials and session token hijacking.
Ransomware group listed as newly identified, impacting industrial sectors in Q2 2025 (no additional technical detail provided).