basicsecurity.net
G0083 · ATT&CK Group · Tier: Unknown (our call, not MITRE’s)

SilverTerrier

How MITRE ATT&CK characterizes this group [1]: SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.

Origin / sponsor: not established from a curated public advisory — see Coverage & confidence. Not asserted here.

Read this as · tier is our editorial call, not MITRE’s

Motivation not classified from the public record.

We could not place this actor into a coarse motivation tier from ATT&CK’s intrusion-set type and description prose. That uncertainty is itself a finding — the tradecraft below is still cited; the “why” is a coverage gap. All tradecraft below is sourced to MITRE ATT&CK.

  • 4 techniques (ATT&CK count) [1]
  • 5 named tools / malware (ATT&CK count) [2]
  • 0 attributed campaigns (ATT&CK count) [1]
  • 2 tactics spanned (ATT&CK count) [1]
  • Activity bounds: coverage gap, no attributed campaign

01

Known for

— signature moves, each sourced to ATT&CK
Arsenal · Named tooling. ATT&CK attributes 5 tools/malware to this group, including NETWIRE, Agent Tesla, DarkComet, NanoCore. [7]

Reach · Furthest outcome. This actor's cited tradecraft reaches as far as outcome 5 — Lights out — disruption & extortion (editorial mapping over ATT&CK tactics).

02

Tradecraft heatmap

— ATT&CK techniques mapped onto the five attacker-outcome narratives

Each row is a documented technique (MITRE ATT&CK). Each column is one of the five attacker-outcome narratives a defender funds against. A filled cell means one of the technique’s own ATT&CK tactics defensibly advances that outcome; enabler tactics (C2, Defense Evasion, Discovery) heat no column. The mapping of technique→outcome is our editorial alignment over ATT&CK's tactic data, not a separately-sourced MITRE edge.

Reach: this actor’s cited techniques light column 5 — furthest is 5 · Lights out (furthest-position idiom, reused from the landing map).

A dot = this technique advances that outcome.

  • Column 1 (Front door) is empty. Compare: an internet-facing access broker lights column 1.
  • Column 2 (Keys to kingdom) is empty. Compare: a credential-theft / identity actor lights column 2.
  • Column 3 (Lateral reach) is empty. Compare: a hands-on-keyboard intruder lights column 3.
  • Column 4 (Data at risk) is empty. Compare: an espionage / data-theft actor lights column 4.

Editorial: the technique→outcome alignment is our call over ATT&CK’s tactic data, not a separately-sourced MITRE edge — same basis the landing page declares. Enabler tactics (C2, defense evasion, discovery) heat no column. [1]

03

Arsenal

— named tools & malware ATT&CK attributes to this group
  • NETWIRE · S0198 · Malware
  • Agent Tesla · S0331 · Malware
  • DarkComet · S0334 · Malware
  • NanoCore · S0336 · Malware
  • Lokibot · S0447 · Malware

04

Campaign highlights

— attributed operations in the ATT&CK record
No attributed campaigns — coverage gap

Stated, not hidden
ATT&CK lists no first-class campaign object for G0083 at this snapshot. Public reporting may tie this actor to operations; those enter only with a named advisory under the same cite-or-die rule.
05

Latest activity

— with explicit confidence, and what we cannot yet claim
ATT&CK snapshot

The most recent cited activity in this card is the ATT&CK record itself. We do not paste a “last seen this week” line we cannot source. Recency from secondary reporting appears here only when attached to a named advisory.

ATT&CK snapshot, compiled 2026-06-22 · Coverage gap — live “currently active” status not asserted
CVE ↔ actor bridge: no confirmed CVE link is established for this group. ATT&CK provides no first-class group→CVE relationship, so this card does not claim specific CVEs as “exploited by this actor” unless a named advisory says so. Absence of a CVE here is a coverage gap, never a clean bill — confirmed links surface as a cited, linked list as the advisory bridge grows.
06

Coverage & confidence

— what we know, and what we don’t

Established (cited)

  • Group identity, aliases, description — MITRE ATT&CK group page
  • 4 techniques — ATT&CK technique pages (linked per row)
  • 5 software (arsenal) — ATT&CK software pages
  • 2 third-party research citations — ATT&CK external references

Coverage gaps — stated, not hidden

  • Origin/sponsor not established from a curated public advisory. ATT&CK prose may imply attribution but is not asserted here — absence of a curated source is a coverage finding, not a clean bill of attribution.
  • Threat tier is OUR editorial classification (rule-based), not a MITRE field — labeled as such.
  • Technique → outcome heatmap is editorial alignment over ATT&CK tactic data, not a separately-sourced MITRE edge.
  • Activity bounds are a floor from attributed-campaign dates only — flagged approx., not a true active-since range.
  • ATT&CK has no first-class group→CVE relationship; this card asserts no specific CVE without a named advisory.
  • No attributed ATT&CK campaign object — activity bounds cannot be established.
  • Empty heatmap column(s): Front door, Keys to kingdom, Lateral reach, Data at risk — consistent with this actor's nature, stated as a finding.