{
	"id": "95df0e9c-baa1-4d85-9967-ea0cf9089c75",
	"created_at": "2026-04-06T00:07:53.434763Z",
	"updated_at": "2026-04-10T03:34:25.050128Z",
	"deleted_at": null,
	"sha1_hash": "3bd09ba32223bf4adfaa5f22f0b9d97846a3c5eb",
	"title": "Sliver Case Study: Assessing Common Offensive Security Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 267102,
	"plain_text": "Sliver Case Study: Assessing Common Offensive Security Tools\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 22:45:37 UTC\r\nThe Use of the Sliver C2 Framework for Malicious Purposes\r\nThe proliferation of Cobalt Strike during the early 2020s has been undeniable, and its impact unquestionable. In response to this challenge, the detection strategies of defenders have steadily matured. Consequently, threat actor decision making with regards to tooling is likely evolving too. We therefore decided to identify and track Cobalt Strike “alternatives”, specifically off-the-shelf Offensive Security Tools (OST).\r\nIn this post we will discuss the Sliver C2 framework and its usage for potentially malicious purposes since the start of 2022.\r\nSliver is a Golang-based implant and thus is compatible with the major operating systems. Our focus centered on the detection of new Sliver samples associated with Linux, macOS, and Windows operating systems, and the extracted network infrastructure contained within those samples. To understand threat actor TTPs, we subsequently tracked network telemetry for the wider C2 infrastructure in cases where Sliver was deployed.\r\nKey Findings\r\nSliver utilized as a beachhead for the initial infection tool-chain\r\nSliver utilized in the ransomware delivery framework for attacks observed in the wild\r\nSliver deployed via active opportunistic scanning and possible exploitation of Log4j / VMware Horizon vulnerabilities\r\nSliver utilized in the targeting of organizations within Government, Research, Telecom, and University sectors, in addition to sporadic victims of opportunity\r\nIdentification of Sliver Samples\r\nSliver’s current advantage lies in its obscurity alongside other less commonly utilized OSTs, with most organizations still focused on Cobalt Strike detection. This opens a possible gap in coverage – no one can be expected to detect all the things. This gap exposes organizations to the risk of these lesser known, yet still highly capable, OST C2 frameworks.\r\nDuring Q1 of 2022, we observed 143 Sliver samples, detected with the potential for usage as a first stage tool in malicious activity. For comparison, 4,455 samples of Cobalt Strike were observed within the same time-period. Based on the continued prevalence of Cobalt Strike, organizations focusing on detection of that toolset are certainly justified. However, if organizations have the resources to do so, we strongly recommend some study of Sliver to identify possible detection opportunities.\r\nThis should be considered an anecdotal analysis of samples, as no detection rule is infallible, and no malware corpus complete. It is also not feasible to distinguish between legitimate versus malicious use for the totality of samples identified.\r\nhttps://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools\r\nPage 1 of 8\r\nWhat follows is our analysis of two distinct malicious campaigns which leveraged Sliver for C2 purposes.\r\nSliver Campaign 1 – “Scan \u0026 Exploit”\r\n193.27.228.127 (SELECTEL, RU)\r\nC2 PORTS: 8888, 13338, 23338, 33338\r\nBetween 03 February – 04 March 2022 Sliver samples were discovered, utilizing Russian-hosted infrastructure, in the targeting of organizations in various sectors distributed globally. These samples and the associated C2 IP (193.27.228.127) were deemed malicious, based on observations of 193.27.228.127 sweeping ranges in an indiscriminate manner, likely seeking exploitation opportunities.\r\nData from GreyNoise further highlighted the use of 193.27.228.127 for malicious purposes, targeting Log4j and Exchange (ProxyShell) vulnerabilities.\r\nBased on the identification of Virlock samples (as discussed later in this blog) it is assessed that in some cases the actors sought to monetize the accesses they had gained.\r\nIn one instance, a victim was observed connecting to TCP/80 on 193.27.228.127, potentially indicative of an exploitation of Log4j, with subsequent connections to 193.27.228.127:8888. This victim was identified running VMware Horizon and was therefore likely vulnerable to CVE-2021-44228 and CVE-2021-45046.\r\nThe use of TCP/8888 aligns with several identified Sliver samples configured to communicate with 193.27.228.127. After a period of approximately 14 days, we observed the C2 communications ‘migrate’ to TCP/13338, TCP/23338, and TCP/33338.\r\nNOTE: TCP/8888 is associated with Sliver’s default mTLS configuration; the use of the additional TCP ports ending in *3338 appeared more unique to this threat actor and was utilized in circumstances where victim communications persisted over extended time-periods.\r\nThe following samples (Table 1) were observed communicating with C2 IP 193.27.228.127.\r\nTable 1\r\nSHA-256 Hash | First Detected | Sample Name\r\n1f95397c4634f3348f3001a02eab269148f4c08271c2e2461905a4359f7c4761 | 2022-02-04 | ugly.exe\r\nd8241e046cb9efcfa7ce733249d580eacff996d8669adbe71019eedafb696a55 | 2022-02-09 | SENIOR_REALITY.exe\r\n08137096b85a3a2611249bb57ba9ace4e8efc9ba28cfddd8557edc3e11e9690c | 2022-02-13 | PRIMARY_FLUTE.exe\r\n2190a7d8d7eafd4af56b01d9a828ab2dc553a804ccda4c291dce51ce01da81f8 | 2022-02-16 | install.exe\r\nWhen generating payloads, the Sliver configurator outputs a binary based on a naming convention of RANDOMWORD1_RANDOMWORD2.exe by default.\r\nIn this case, Sliver was utilized for C2 communications in the first stage of the breach activity. A subsequent sample, identified as Atera Remote Management software, also communicated with 193.27.228.127. This sample was first uploaded to VirusTotal on February 11, 2022. It appeared the actor used these two tools in concert, potentially switching to the use of Atera after initial compromise was achieved.\r\nAtera Sample\r\nSHA-256: 0ef7eebec233eb5e4156a8a4715c8d21d8930ea97c19780fc274a62260499412\r\n176.113.115.107 (Red Bytes LLC, RU)\r\nC2 PORTS: 8888, 13338, 23338, 33338\r\nApproximately 30 days after first observing victim communications with 193.27.228.127, the actor was observed switching victims to a new C2 IP (176.113.115.107), again assigned to a provider in Russia. As previously, victim communications continued over TCP/13338, TCP/23338, and TCP/33338.\r\n‘In-the-wild’ file names for samples communicating with 176.113.115.107 continued to point towards exploitation of Log4j and VMware Horizon vulnerabilities (Table 2).\r\nTable 2\r\nSHA-256 Hash | Name | Tool\r\nfc2b02476805361fc5042adfb40b529431151a9c7da2b21fa3fa73e98fba9f64 | vmware_kb.exe | Sliver\r\nd2958f7b646c092fe645cbdc4c7805490ff9d134c12fa8d945132e71880dd6fd | vmware_kb.exe | Sliver\r\n7f0deab21a3773295319e7a0afca1bea792943de0041e22523eb0d61a1c155e2 | vmware_kb.exe | Sliver\r\nc139a777b9b1bca0d7e43335d23c123171dbaceccf45a9eeaf359051e0d0be8e | N/A | PowerShell\r\nIn addition to the above referenced samples, a sample with possible Virlock ransomware capabilities was also observed communicating with 176.113.115.107. This sample was first uploaded to VirusTotal on March 11, 2022. This finding is indicative of the actor attempting to monetize the access gained by deploying ransomware on a compromised host. It is unclear whether ransomware deployment was the intended final goal in every case.\r\nVirlock Sample\r\nSHA-256: 2d6785797cd3f2bfb377b985efe55db0220e12e3c7b1e12ee83888b61a5ad8da\r\n45.9.148.243 (NICEIT, DM)\r\nC2 PORT: 8888\r\nFinally, in recent days an additional Sliver sample was detected, communicating with a ‘new’ C2 IP (45.9.148.243) assigned to a provider in Dominica. Network telemetry data does not indicate any current victim communications and it is unclear how this sample / C2 IP is connected to this activity. Updates on this activity will be posted on Twitter via @teamcymru_S2.\r\nSliver Sample\r\nSHA-256: b9e95117e23e6a69e71441aef07f9683cf0682f34f8f84f876822d8143a05776\r\nOne of the challenges faced when tracking this activity was the volume of noise generated by the ongoing exploitation of hosts via vulnerabilities in utilities such as Log4j and Exchange. In several cases, we observed the same victim likely compromised by multiple threat actors. However, what can be concluded is the apparent utilization of Sliver in malicious activity, coupled with the continuous scanning, exploitation, and triage of victim infrastructure.\r\nThe activity associated with this cluster was previously commented on in other public reporting:\r\nSophos: Horde of miner bots and backdoors leveraged Log4J to attack VMware Horizon servers\r\nTrueSec: FIN12/Conti Syndicate Use TeamTNT Tools in Ransomware Attacks\r\nSliver Campaign 2 – Pakistan \u0026 Turkey\r\nThe second campaign identified leveraging Sliver was deemed malicious based on the domain name utilized by the actors, which appeared to target government entities in Pakistan and Turkey.\r\nThe detected Sliver samples communicated with ping.turkey.g0v.cq.cn, which resolved to IP 16.162.223.161 (AMAZON-02, US).\r\nSliver Samples\r\nSHA-256: f301e581bb62b251abc7009a709fb163ceeb63de42625d6bfc2ac9a07d9d3adb\r\nSHA-256: a862e2d3aa3a74e23665010ded23510210927d3c056d645f32479be0974e057a\r\nNetwork telemetry data for 16.162.223.161 did not identify current victim communications; however, this does not rule out ongoing or future malicious activity.\r\nPassive DNS data for 16.162.223.161 identified three further domains resolving to this IP address:\r\nnationalhelpdesk.pk\r\npkgov.org\r\nsngpl.org.pk\r\nGiven the similarity in the apparent spoofing of government entities, it was inferred that these domains related to the domain (ping.turkey.g0v.cq.cn) identified in the Sliver samples.\r\nA further pivot on pkgov.org identified an email address (abdulrehm8282@gmail.com) used in the domain registration. This email address was used in the registration of two further domains, which resolved to IP 15.152.186.38 (AMAZON-02, US):\r\nntcgov.org\r\nuno-desk.org\r\nIn this case, network telemetry for 15.152.186.38:80 provided evidence of inbound connections from potential victims located in Pakistan.\r\nNTC is likely a reference to one of two Pakistani organizations: the National Telecom Corporation, or the National Technology Council.\r\nData from our Botnet Analysis and Reporting Service (BARS) indicated that a Cobalt Strike Beacon server was listening on TCP/80 of 15.152.186.38, associated with the following shellcode sample:\r\nSHA-256: bc94d6ed7abfea4239e941817cdad65a0a243e2e4a718ef401db4cbbef0bf478\r\nPassive DNS data for ntcgov.org identified several subdomains, providing an insight into the intended targets of this campaign:\r\ndxb.ntcgov.org\r\ngeo-raabta.ntcgov.org\r\ngeo-tv.ntcgov.org\r\nThe string dxb possibly relates to DXB, the airport code for Dubai International, and the string raabta possibly relates to a project undertaken by the Centre for Pakistan and Gulf Studies.\r\nIt could be inferred that this campaign was undertaken to gain insight into collaborative projects conducted between Pakistan and the Gulf States (which includes Dubai, UAE).\r\nCONCLUSION\r\nWe have observed a steady increase in detected Sliver samples over Q1 of 2022, providing insight into actor deployment methods and objectives. Of note, we identified two separate campaigns which leveraged Sliver for likely malicious purposes. The latter campaign highlighted the potential use of both Sliver and Cobalt Strike in conjunction with each other. As previously stated, the threat posed by malicious utilization of Cobalt Strike has not diminished; however, we would recommend that organizations also remain mindful of other OSTs, by applying resources to develop detection mechanisms for frameworks like Sliver.\r\nRECOMMENDATIONS\r\nImprove visibility\r\nConsider an attack surface management solution to track remediation of vulnerable assets.\r\nBe proactive\r\nMonitor (and hunt externally, beyond your network perimeter) for Sliver with community Snort / YARA rules, for example:\r\nUK NCSC (link)\r\nTravis Green (link)\r\nMonitor and hunt internally within your infrastructure; look specifically for Sliver as an initial payload, or in concert with other OSTs (like Cobalt Strike).\r\nResearch\r\nReview threat actor TTPs where Sliver was leveraged in previous malicious campaigns, for example:\r\nSANS (link)\r\n@pathtofile (link)\r\nAlexis Rodriguez (link)\r\nFURTHER READING\r\nIf you are concerned about the risks and vulnerabilities of external assets, you can access our eBook on Attack Surface Management here: https://team-cymru.com/ebook-the-future-of-attack-surface-management-brad-laporte/\r\nINDICATORS OF COMPROMISE\r\nIP Addresses\r\n193.27.228.127\r\n176.113.115.107\r\n45.9.148.243\r\n16.162.223.161\r\n15.152.186.38\r\nSource: https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools"
	],
	"report_names": [
		"sliver-case-study-assessing-common-offensive-security-tools"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775792065,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bd09ba32223bf4adfaa5f22f0b9d97846a3c5eb.pdf",
		"text": "https://archive.orkl.eu/3bd09ba32223bf4adfaa5f22f0b9d97846a3c5eb.txt",
		"img": "https://archive.orkl.eu/3bd09ba32223bf4adfaa5f22f0b9d97846a3c5eb.jpg"
	}
}