MalwareUsed by 1 actor

EtterSilent

EtterSilent is the name used for macro-enabled Excel documents delivered in early TA584 email campaigns to facilitate malware installation. Proofpoint describes these documents as an earlier delivery method in TA584 attack chains, prior to the group’s later shift to ClickFix-based social engineering. The infection vector was email-delivered Excel attachments that required victims to enable macros, after which the document could install follow-on malware. High-confidence reporting in the provided content links this delivery chain to TA584, a high-volume email-centric cybercriminal initial access broker targeting organizations globally. One documented March 2021 TA584 campaign used a macro-enabled Excel/EtterSilent chain to deliver Ursnif. The content does not provide standalone technical details, persistence mechanisms, or specific indicators of compromise unique to EtterSilent beyond its use as a macro-enabled Excel installer in TA584 campaigns.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TA584

“In early campaigns, TA584 also delivered macro-enabled Excel documents (tracked as EtterSilent)…”

via proofpoint threat insight blogproofpoint.com

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.001Spearphishing AttachmentEvidence1

“Delivery methods included macro-enabled Excel documents… In early campaigns, TA584 also delivered macro-enabled Excel documents… that, if macros were enabled, would lead to malware installation.”

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Feb 2, 2026

⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats

Macro-enabled Excel-based initial-stage payload used to facilitate installation of subsequent malware in TA584 campaigns.

proofpoint threat insight blogNews

Jan 26, 2026

Can’t stop, won’t stop: TA584 innovates initial access | Proofpoint US

Tracking name for TA584’s macro-enabled Excel document delivery mechanism used in earlier campaigns to lead to malware installation when macros are enabled.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.