Sliver
Sliver is an open-source, cross-platform adversary emulation and post-exploitation command-and-control framework that is legitimately used for red teaming but is also widely abused by threat actors as an alternative to Cobalt Strike. The provided content describes Sliver as capable of generating dynamic payloads or implants for Windows, macOS, and Linux, supporting command-and-control over application-layer protocols, using mutual TLS and RSA cryptography for session key exchange, and encoding C2 traffic with techniques such as gzip and hex-to-ASCII. Reported capabilities in the content include periodic beaconing to retrieve commands and exfiltration of files from victims via the download command.
Across the cited reporting, Sliver appears both as attacker infrastructure and as a delivered payload. It was observed as a live Ubuntu-based C2 server in an exposed attacker environment, including one case where local Sliver client configuration was recovered from /root/.sliver-client/configs/root_localhost.cfg and deployers connected to the local Sliver API. In the same operation, Sliver beacons were used to deploy stock Chisel binaries to Linux victims, establish reverse SOCKS5 tunnels, persist as xsync via systemd or cron, and help build an SMTP proxy network; recovered state artifacts showed one completed deployment wave affecting 230 Linux beacons in March 2026. Separate reporting linked a second toolset on the same staging server to credential harvesting and deployment of Sliver beacons named update.bin, update-386.bin, and update-arm.bin, with exfiltration to cdn[.]cloudfront-js[.]com:8443/u.
The content also documents Sliver delivery in multiple intrusion chains. BI.ZONE reported exploitation of CVE-2025-55182 (React2Shell) to deploy a Sliver implant from keep.camdvr[.]org:8000/BREAKABLE_PARABLE5; that implant connected to keep.camdvr[.]org and persisted either as /usr/bin/sshd-agent with a systemd service or through user-space crontab and .bashrc entries. Positive Technologies described a Versatile Werewolf infection chain in which a malicious appwiz.cpl, packed with UPX and obfuscated with Oreans Code Virtualizer, was side-loaded by Fondue.exe to deploy a Sliver implant in memory; that implant contacted curtainbeatdisturbance[.]com, created the mutex MediumTurquoiseBeige, and persisted via a scheduled task named in the format MicrosoftEdgeUpdateTaskMachineUA{GUID}. Proofpoint observed Bumblebee dropping Sliver alongside Cobalt Strike, shellcode, and Meterpreter. Other reporting noted third parties confirming delivery of Sliver and Bokbot payloads, and React2Shell exploitation in Russia resulting in final payloads including Kaiji, Rustobot, and the Sliver implant.
Threat-actor associations in the content include DEV-0237, which Microsoft reported began replacing Cobalt Strike with Sliver around June 2022, and Royal-associated operators, who were described as prioritizing alternatives to Cobalt Strike, particularly Sliver. Sliver was also listed among open-source tools acquired by threat actors in intrusion set C0018. Additional reporting stated that exploitation of Palo Alto firewall vulnerabilities commonly led to use of the Sliver C2 platform for external communication. The content further notes that Sliver has become increasingly popular among threat actors because it is open source and readily obtainable from GitHub.
Detection and malware-analysis details in the content include AhnLab detections of signed Sliver builds as Trojan/Win.Sliver.R774471, and references to Sliver binaries compiled with the garble obfuscation tool. Specific indicators directly mentioned in the content include 213.136.80[.]73, 38.242.204[.]245, keep.camdvr[.]org, curtainbeatdisturbance[.]com, cdn[.]cloudfront-js[.]com:8443/u, the mutex MediumTurquoiseBeige, and filenames update.bin, update-386.bin, update-arm.bin, BREAKABLE_PARABLE5, /usr/bin/sshd-agent, and /var/tmp/.xs.
Vulnerabilities exploited
20 CVEs correlated with this family across public research and vendor advisories.
The March 2026 record on port 8080 was more substantial: 79 files across 13 subdirectories totaling 4 MB. Key contents included a pwnkit/ directory with CVE-2021-4034 (834 KB across 7 files), a TLS certificate and private key pair for C2 authentication, and a Python HTTP C2 script. This is a complete staging directory, confirming that the operator pursues privilege escalation on compromised hosts.
React2Shell in Russia: ... In some cases, the final payloads were the Kaiji and Rustobot botnets and the Sliver implant.
More recently, at the end of November, Darktrace analysts observed a spike in exploitation and post-exploitation activity affecting, once again, Palo Alto firewall devices in the days following the disclosure of the CVE-2024-0012 and CVE-2024-9474 vulnerabilities. ... CVE-2024-0012 is an authentication bypass vulnerability affecting unpatched versions of Palo Alto Networks Next-Generation Firewalls. | Palo Alto firewalls likely exploited via the newly disclosed CVEs would commonly utilize the Sliver C2 platform for external communication. An open-source alternative to Cobalt Strike, this framework has been increasingly popular among threat actors, enabling the generation of dynamic payloads (“slivers”) for multiple platforms, including Windows, MacOS, Linux.
CVE-2024-9474 is a privilege escalation vulnerability that allows a PAN-OS administrator with access to the management web interface to execute root-level commands, granting full control over the affected device.
Check Point researchers said the tool is being discussed on underground forums, where hackers are exchanging instructions on how to deploy it against three Citrix NetScaler flaws disclosed last week: CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424. The most critical of these, CVE-2025-7775, allows unauthenticated remote code execution.
In another cluster of activity, since at least March 5, 2026, Sliver, an open-source adversarial emulation framework (aka red-teaming implant), was deployed with the filename “CWan”.
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
Analysis of react.py: This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. ... This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale.
“KrustyLoader retrieves a second-stage payload — an AES-128-CFB encrypted version of the Sliver backdoor. It then decrypts this payload… and injects it directly into memory as shellcode…” | On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems.
Figure 3: Upgrade Netcat Connection to Sliver Implant ... Figure 4: Leverage Sliver Implant to Run Perl Script for Retrieval of Cached Domain Administrator Credentials.
KrustyLoader, which is typically used for dropping Sliver backdoors.
"On some machines, the attackers deployed Sliver framework, an implant that provided them with full remote control of compromised systems."
“we found… backdoors… starting with the Sliver implant… Both download Sliver implants, and both connected back to the same server…”
In versions 1.5.43 and earlier, the netstack does not limit traffic between Wireguard clients... https://hngnh.com/posts/Sliver-CVE-2025-27093/
Groups observed using it
29 distinct threat actors attributed by public researchers.
The appwiz.cpl applet is packed with UPX and obfuscated with Oreans Code Virtualizer... The applet loading results in the deployment of a Sliver post-exploitation framework implant within the Fondue.exe memory.
DEV-0237 now uses the SystemBC RAT and the penetration testing framework Sliver in their attacks, replacing Cobalt Strike. ... Around June 6, 2022, it began replacing Cobalt Strike with the Sliver framework in their attacks.
The multi-stage attack chain deployed EchoGather RAT via Telegram channels and phishing pages, Sliver implant via DLL side-loading through Fondue.exe, SoullessRAT via fake AlphaFly installer, and AquilaRAT (Rust backdoor) leveraging multiple rotating C2 domains.
UNC5174 has been observed using SNOWLIGHT to download Sliver and VSHELL.
IP 67.217.57[.]240 (December 2025): Sliver C2 infrastructure
Sliver, an open-source, cross-platform adversary simulation and C2 framework originally designed for red team and penetration testing, enables command-and-control over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS...
China-nexus groups (i.e., Earth Lamia, Jackpot Panda, UNC5174) deploying Cobalt Strike beacons, Sliver, and Vshell backdoors
Also dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.
During analysis, researchers found that this binary is a payload generated with Sliver. Sliver is an open source cross-platform adversary emulation/red team framework...
...retrieved and decrypted a hidden payload—a remote access tool (RAT) based on Sliver, an open-source command-and-control framework.
Sliver is an open-source cross-platform C2 framework written in Golang and designed for organizations to perform security testing.
ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.
"...utilizing tools such as the open-source Sliver and their custom DTrack malware to move laterally and maintain persistence..."
“The primary C2 frameworks observed were Cobalt Strike, VShell, Havoc, Sliver, and SparkRat.”
"The group also used tooling such as Cobalt Strike, Sliver, and multiple web shells..."
“The attackers attempted to use a Sliver shell implant to elevate privileges.”
Several days later, on March 2, our network scans identified a Sliver C2 server on port 31337.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
T1583.003 Virtual Private Server: C2 and Chisel tunnel aggregation hosted on Contabo VPS (AS51167)
Initial Access
3 techniques
At that point, they captured a victim’s credentials, which led them to query Active Directory.
The remote address field reveals many victims connected through Cloudflare edge IPs ... consistent with web application exploitation for initial access.
Soon enough, an Initial Access Broker (IAB) ... used a phishing campaign and executed offensive hacking tool Sliver on the endpoint.
Execution
5 techniques
Also present is a diagnostic script that selects five active beacons and tasks them each a shell command that checks for the following ... Presence of persistence artifacts, such as the cron entry or systemd service
The malicious applet also creates a task in Windows Task Scheduler to gain persistence in the system. The task name has the following format: MicrosoftEdgeUpdateTaskMachineUA{GUID}.
A framework created by cybersecurity researcher Muhammad Osama supports automated penetration testing. Dubbed HexStrike-AI, it connects large language models to more than 150 existing security tools, running them in sequence with retry logic and error recovery.
run-script.ps1, a PowerShell script to load and execute code via PowerShell. The file contains: powershell -w hidden -ep bypass -c "I''E''X...DOWNLOADDaTa(...)"
T1059.004 Unix Shell: Shell payloads issued through Sliver Execute RPC
Persistence
4 techniques
Also present is a diagnostic script that selects five active beacons and tasks them each a shell command that checks for the following ... Presence of persistence artifacts, such as the cron entry or systemd service
The malicious applet also creates a task in Windows Task Scheduler to gain persistence in the system. The task name has the following format: MicrosoftEdgeUpdateTaskMachineUA{GUID}.
At that point, they captured a victim’s credentials, which led them to query Active Directory.
Privilege Escalation
5 techniques
Also present is a diagnostic script that selects five active beacons and tasks them each a shell command that checks for the following ... Presence of persistence artifacts, such as the cron entry or systemd service
The malicious applet also creates a task in Windows Task Scheduler to gain persistence in the system. The task name has the following format: MicrosoftEdgeUpdateTaskMachineUA{GUID}.
BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.
At that point, they captured a victim’s credentials, which led them to query Active Directory.
Stealth
9 techniques
Normally this is the point when we start changing strings and hoping for the best... Maybe the entropy in your binary is off because you wanted to use compression... Maybe the file needs some kind of spoofed Authenticode signature... we need to spend time hardening our binaries against static analysis.
This post is about that loader, which we call WasmForge ... You point it at a Go project and you get back a Windows or macOS binary that runs your tool but doesn’t look anything like it ... The third generates an outer Go binary containing a Wazero runtime, embeds the encrypted WASM module into the binary’s PE sections.
The loader compiles the original tool to WebAssembly, wraps it in a runtime that proxies syscalls and Win32 APIs back to the host, and ships the WASM payload encrypted inside an outer Go binary disguised as a real piece of infrastructure software.
Once we had a working ghost-profile pipeline producing reliably clean binaries... The loader compiles the original tool to WebAssembly, wraps it in a runtime... and ships the WASM payload encrypted inside an outer Go binary disguised as a real piece of infrastructure software.
BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.
At that point, they captured a victim’s credentials, which led them to query Active Directory.
the C# dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.
Sliver – We tested ... execute-assembly against Seatbelt and Rubeus ... Watching execute-assembly Rubeus.exe kerberoast complete successfully against a domain controller, through a WASM-bridged COM call into the CLR running a loaded Rubeus assembly, was significantly more rewarding ...
On the victim side, the binary is dropped as a hidden dot-prefixed file and persisted at '/var/tmp/.xs.'
Defense Impairment
1 technique
Maybe the file needs some kind of spoofed Authenticode signature... Last month one of our build pipelines to obfuscate Sliver started getting hit at 100% by AhnLab... every single binary that we’d faked a digital signature for was detected with that exact rule.
Discovery
1 technique
Sliver – We tested beacon and session implants ... file I/O, process listing ... Tribunus ... standard commands like shell, ps, netstat, whoami.
Lateral Movement
1 technique
Each beacon receives a SOCKS5 proxy port derived deterministically from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999.
Command and Control
11 techniques
URI patterns and PCAPs analysis yielded evidence of both English word type encoding within Sliver and Gzip formatting.
Some Backdoor.Oldrea samples use standard Base64 + bzip2... gh0st RAT has used Zlib to compress C2 communications data before encrypting it... HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.
The threat intelligence company said it found source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration after the threat actor behind the operation left two open directories on a command-and-control (C2) server ('213.136.80[.]73') without any authentication.
Palo Alto firewalls likely exploited via the newly disclosed CVEs would commonly utilize the Sliver C2 platform for external communication... multiple devices contacted the Sliver-linked IP address 77.221.158[.]154 using HTTP to retrieve Gzip files.
In MITRE ATT&CK terms these are specific techniques: Proxy (T1090, Command and Control): routing C2 traffic through an intermediate node
Each beacon receives a SOCKS5 proxy port derived deterministically from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999.
Staged in one of the open directories was a Sliver-integrated SMTP proxy deployment toolkit, along with Chisel tunneling and proxy binaries for most Linux CPU architectures, such as AMD64, ARM64, and x86. On the victim side, the binary is dropped as a hidden dot-prefixed file and persisted at '/var/tmp/.xs.'
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
The applet loading results in the deployment of a Sliver post-exploitation framework implant within the Fondue.exe memory.
External connectivity during this phase also featured TCP connection attempts over uncommon ports for common application protocols... devices utilized destination ports such as 8089, 3939, 8880, 8084, and 9999 for the HTTP protocol.
Several targeted customer devices were observed initiating TLS/SSL connections to rare external IPs with self-signed TLS certificates following exploitation... These TLS/SSL sessions were typically established without the specification of a Server Name Indication (SNI).
Other
2 techniques
Sophos X-Ops analysts observed a threat actor using artificial intelligence (AI) technologies to test endpoint detection and response (EDR) evasion tactics in a “red team” post-exploitation framework.
The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts... indicative of a broader attack framework focused on evading detection... a lab that uses an iterative approach to developing and testing malware against the Sophos, CrowdStrike, and Windows Defender endpoint detection and response (EDR) agents.
IOCs tracked for this family
117 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
158 sources tracked across advisories, community write-ups, and news.
An open-source command-and-control framework used here to manage Linux beacons, deploy tooling, execute payloads, and maintain the broader operation's beacon pool.
Used as a command-and-control server within the attacker’s lab environment to support post-exploitation testing and operations.
A post-exploitation command-and-control framework used here as the C2 server within the attacker’s testing environment.
Referenced as a command-and-control framework associated with application-layer C2 traffic that can be masked to evade ML-based IDS detection.