Mallory
Malware, used by 1 actor

SILENTLOOP

SILENTLOOP is a PowerShell-based malware script used in a CERT-UA-reported campaign attributed to threat cluster UAC-0247 targeting Ukrainian local governments, municipal authorities, clinical hospitals, emergency medical services, and in some cases representatives of Ukraine’s Defense Forces and FPV drone operators. It is used as a persistence component alongside AGINGFLY. High-confidence reporting states that SILENTLOOP can execute commands on infected systems, automatically update its configuration, and retrieve the current or latest command-and-control server IP address from a Telegram channel, with fallback mechanisms for determining the C2 address. The broader intrusion activity used phishing emails themed around humanitarian aid, malicious archives, LNK and HTA execution chains, and in some cases trojanized software delivery via Signal. Within these operations, SILENTLOOP supported maintaining attacker access and C2 resiliency by dynamically obtaining updated server information from Telegram.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
UAC-0247

Another tool, SilentLoop, can execute commands and retrieve the current address of the attackers’ command-and-control server via a Telegram channel.

via The Record (therecord.media)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (Evidence: 1)

The attacks typically began with phishing emails posing as discussions about proposals for humanitarian aid. Victims were asked to follow a link that led to the download of a malicious archive file.

T1566.002 Spearphishing Link (Evidence: 1)

Victims were asked to follow a link that led to the download of a malicious archive file.

Execution

3 techniques
T1053 Scheduled Task/Job (Evidence: 1)

For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.

T1059 Command and Scripting Interpreter (Evidence: 2; Tactic: Execution)

CERT-UA said AgingFly allows attackers to remotely control an infected computer, enabling them to execute commands... Another tool, SilentLoop, can execute commands...

T1059.001 PowerShell (Evidence: 5; Tactic: Execution)

To maintain a persistent foothold, the campaign also uses a PowerShell script named SILENTLOOP, which automatically runs commands, updates its configuration, and retrieves the latest C2 server IP address from a Telegram channel.

Persistence

1 technique
T1053 Scheduled Task/Job (Evidence: 1)

For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.

Discovery

1 technique
T1016 System Network Configuration Discovery (Evidence: 1; Tactic: Discovery)

obtain the current IP address of the management server from a Telegram channel, and fall back to alternative mechanisms for determining the command-and-control (C2) address

Command and Control

4 techniques
T1071 Application Layer Protocol (Evidence: 1)

Another tool, SilentLoop, can execute commands and retrieve the current address of the attackers’ command-and-control server via a Telegram channel.

T1071.001 Web Protocols (Evidence: 1)

Communication with the command-and-control server is carried out using websockets...

T1105 Ingress Tool Transfer (Evidence: 2)

Also downloaded to the infected machine is a malware family dubbed AGINGFLY and a PowerShell script referred to as SILENTLOOP

T1568 Dynamic Resolution (Evidence: 2)

retrieves the latest C2 server IP address from a Telegram channel. If the primary Telegram source fails, SILENTLOOP also supports backup mechanisms to find the C2 address.

INDICATORS OF COMPROMISE

IOCs tracked for this family

38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (20 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (17 tracked): other indicator types observed in public reporting.
