{
	"id": "b1f88f68-8ab7-479f-9b74-fda247005e9f",
	"created_at": "2026-04-06T00:19:51.010488Z",
	"updated_at": "2026-04-10T03:24:30.064462Z",
	"deleted_at": null,
	"sha1_hash": "7e67d8e349bead5fa7c333764a7e623a74b3a52a",
	"title": "Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86669,
	"plain_text": "Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool\r\nBy Dominik Reichel\r\nPublished: 2024-09-19 · Archived: 2026-04-05 16:43:22 UTC\r\nExecutive Summary\r\nThis article discusses the discovery of a new post-exploitation red team tool called Splinter that we found on customer systems using Advanced WildFire’s memory scanning tools. Penetration testing toolkits and adversary simulation frameworks are often useful for identifying potential security issues in a company's network. However, these tools can sometimes end up in the hands of criminals, highlighting the need for continuous tracking and detection of them.\r\nPalo Alto Networks customers are better protected from the Splinter post-exploitation tool through Advanced WildFire with its different memory analysis features. The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research. Advanced WildFire classifies the Splinter malware samples discussed in this article as malicious.\r\nCortex XDR and XSIAM help detect and block known samples, and Behavioral Threat Protection monitors for post-exploitation activity.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nIntroduction to Splinter\r\nEarlier this year, our Advanced WildFire memory scanning tools discovered a new post-exploitation red team tool on a customer system. By searching our sample telemetry database, we discovered that several customers were affected.\r\nSeveral string artifacts in the samples, as well as the collection of features, make it evident that Splinter is a red team tool. This tool’s name is its internal project name, which was left behind in a debug artifact. We don't yet know who developed Splinter – we have only a few hints that don't lead to a significant conclusion.\r\nWhen used responsibly, penetration testing toolkits and adversary simulation frameworks can significantly improve a company’s security. Their primary purpose is to identify potential vulnerabilities in a company's network before an attacker exploits them.\r\nMany of these toolkits include post-exploitation capabilities. Post-exploitation tools are often custom developed with the goal of expanding initial access gained and simulating long-term access on a target system.\r\nhttps://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/\r\nPage 1 of 7\r\nThe most well-known example of this sort of toolkit is Cobalt Strike. Although it’s proprietary software that only legal clients can acquire, sometimes it ends up in the hands of criminals.\r\nDuring our analysis, we have not identified threat actor activity associated with the Splinter tool set.\r\nTechnical Analysis\r\nSplinter is developed in Rust, a relatively new programming language that’s recommended for developing memory-safe software. However, it has densely layered runtime code, which accounts for up to 99% of a program's code. This density makes analysis a real challenge for malware reverse engineers.\r\nThe sample found on a customer system (SHA-256: 1962cef10cf737300d04a23139122abcc8e8803e54dfcb63054140fbe549bed0) is a 64-bit executable that was linked with debug information that has the following PDB path:\r\nC:\\gitlab-runner\\builds\\_fUzhMf8i\\0\\h3upperbounds\\red-team\\implant\\splinter_core\\target\\release\\deps\\implant_exe.pdb\r\nAs this file path shows, the project name of this post-exploitation tool is Splinter. A single sample is defined as an implant, a typical term for a red-team post-exploitation tool. Other samples are compiled as DLLs with a PDB path ending with implant_dll.pdb.\r\nWhile Rust samples are typically large, ranging from a few hundred kilobytes to a few megabytes, a typical Splinter sample is exceptionally large at around 7 MB. This is mostly due to its use of large external libraries that are statically linked into the file. These are referred to as crates in Rust terminology.\r\nThe sample uses the following crates:\r\nindexmap (2.2.3)\r\nfutures-channel (0.3.30)\r\ntracing-core (0.1.32)\r\nmatchers (0.1.0)\r\nhyper-rustls (0.24.2)\r\nregex-syntax (0.6.29, 0.8.2)\r\ntokio-util (0.7.10)\r\nhashbrown (0.14.3, 0.14.0)\r\ntracing-subscriber (0.3.18)\r\ntokio-rustls (0.24.1)\r\nparking_lot (0.12.1)\r\nonce_cell (1.19.0)\r\nsharded-slab (0.1.7)\r\nsocket2 (0.5.5)\r\nwindows-core (0.51.1)\r\nsct (0.7.1)\r\nurl (2.5.0)\r\npercent-encoding (2.3.1)\r\nlazy_static (1.4.0)\r\nsmallvec (1.13.1)\r\nserde (1.0.196)\r\nspin (0.9.8)\r\ntinyvec (1.6.0)\r\nring (0.17.7)\r\nregex-automata (0.4.5, 0.1.10)\r\nbacktrace (0.3.69)\r\ncrossbeam-channel (0.5.11)\r\nserde_json (1.0.113)\r\nanyhow (1.0.79)\r\nipnet (2.9.0)\r\nencoding_rs (0.8.33)\r\nreqwest (0.11.24)\r\nrustc-demangle (0.1.23)\r\nwant (0.3.1)\r\ntracing-appender (0.2.3)\r\nmio (0.8.10)\r\nunicode-normalization (0.1.22)\r\nrustls-pemfile (1.0.4)\r\nmime (0.3.17)\r\nparking_lot_core (0.9.9)\r\nbytes (1.5.0)\r\nhttparse (1.8.0)\r\nfutures-util (0.3.30)\r\nthread_local (1.1.7)\r\nrustls-webpki (0.101.7)\r\ntime (0.3.34)\r\nh2 (0.3.24)\r\nuntrusted (0.9.0)\r\nrmp-serde (1.1.2)\r\ntracing-log (0.2.0)\r\nfutures-core (0.3.30)\r\nregex (1.10.3)\r\nlog (0.4.20)\r\nidna (0.5.0)\r\nuuid (1.7.0)\r\ntokio (1.36.0)\r\nhttp (0.2.11)\r\nbase64 (0.21.7)\r\nslab (0.4.9)\r\nhyper (0.14.28)\r\nrustls (0.21.10)\r\nLike many other post-exploitation tools, Splinter uses a configuration data structure in JSON format that contains the necessary information for its operations. The data structure is internally named ImplantConfig and contains the following information:\r\nid (correlation_id in older samples): Implant ID [string]\r\nweakness_uuid: Unknown ID (probably related to an exploited vulnerability) [string]\r\nendpoint_uuid: Targeted endpoint ID [string]\r\nis_test_implant: Whether the file is a test sample [boolean]\r\nc2_server_address: Command and control (C2) server address [string]\r\nc2_port: C2 server port [int]\r\nc2_user: C2 username [string]\r\nc2_password: C2 user password [string]\r\nlog_path: Path of log file [string]\r\nlog_env: Log level [string]\r\nAs an example, our Splinter sample contains the following data:\r\n{\r\n\"id\":\"fd06a788-75e9-4f27-b5f5-ae8ea636dba2\",\r\n\"weakness_uuid\":\"00000000-0000-0000-0000-000000000000\",\r\n\"endpoint_uuid\":\"00000000-0000-0000-0000-000000000000\",\r\n\"is_test_implant\":false,\r\n\"c2_server_address\":\"192.168.5[.]151\",\r\n\"c2_port\":28069,\r\n\"c2_user\":\"BrqUjhYhvRwkKpyQZZKf\",\r\n\"c2_password\":\"JjAxsdEPZqRJuFebHyKQ\",\r\n\"log_path\":null,\r\n\"log_env\":null\r\n}\r\nUpon execution, the sample parses the configuration data and uses the network information to connect to the C2 server using HTTPS with the login credentials. Splinter implants are controlled by a task-based model, which is common among post-exploitation frameworks. It obtains its tasks from the C2 server the attacker has defined.\r\nSplinter tasks have the following post-exploitation features:\r\nExecute a Windows command\r\nExecute a module via remote process injection\r\nUpload a file from the victim’s system to the attacker’s server\r\nDrop a file from the attacker’s server to the victim’s system\r\nGather information from a certain cloud service account\r\nSelf-delete\r\nSplinter uses the classic process injection method as an option for running additional modules.\r\nFigure 1 shows thread creation in a remote process that runs a PE loader shellcode that in turn executes the payload. Both the PE loader and the payload are written to the remote process defined by the attacker.\r\nFigure 1. Remote process injection to run additional payloads.\r\nSplinter uses the following URL paths on the attacker’s C2 server to synchronize tasks, maintain a heartbeat connection, and download or upload files:\r\n/implant/task_created_events: Used for task synchronization\r\n/implant/task_completed_events: Used for task status processing\r\n/implant/files/: Used to download/upload files\r\n/implant/heartbeat: Used to check if the implant is alive and has a connection to the C2 server\r\nAll network communication is encrypted with HTTPS.\r\nConclusion\r\nIn this article, we reveal Splinter, a new post-exploitation red team tool that we have found on several client systems. It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language. While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused.\r\nThis discovery emphasizes the increasing number of red-teaming tools available. There is therefore an increasing variety of ways that an organization’s environment could reflect threat actor-style activity. The increasing variety underscores the importance of staying up to date on prevention and detection capabilities, since criminals are likely to adopt any techniques that are effective for compromising organizations.\r\nPalo Alto Networks customers receive better protection from this threat through Advanced WildFire. The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.\r\nCortex XDR and XSIAM help detect and block known samples, and Behavioral Threat Protection monitors for post-exploitation activity.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSample Hash (SHA-256)\r\n1962cef10cf737300d04a23139122abcc8e8803e54dfcb63054140fbe549bed0\r\nSource: https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/"
	],
	"report_names": [
		"analysis-pentest-tool-splinter"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434791,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e67d8e349bead5fa7c333764a7e623a74b3a52a.pdf",
		"text": "https://archive.orkl.eu/7e67d8e349bead5fa7c333764a7e623a74b3a52a.txt",
		"img": "https://archive.orkl.eu/7e67d8e349bead5fa7c333764a7e623a74b3a52a.jpg"
	}
}