{
	"id": "ca2312f7-df2c-4fc3-a5e3-25d37ae02327",
	"created_at": "2026-04-06T01:29:18.062798Z",
	"updated_at": "2026-04-10T03:30:33.286443Z",
	"deleted_at": null,
	"sha1_hash": "c77ea1c9db4d0cae3e9e214f667575fb29efc408",
	"title": "Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3791072,
	"plain_text": "Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator\r\nPublished: 2024-11-12 · Archived: 2026-04-06 01:10:31 UTC\r\nTABLE OF CONTENTS\r\nInside the Sliver Framework\r\nInitial Findings - IP Address and Domain Linkage\r\nInfrastructure Expansion - Identifying Linked Server via Certificate Analysis\r\nConclusion\r\nNetwork Observables\r\nSliver Implant\r\nInside the Sliver Framework\r\nSliver, a cross-platform command-and-control (C2) framework developed by Bishop Fox, was originally created to support adversary emulation and red teaming. However, its robust functionality has led to cybercriminals and nation-state groups adopting it as a stealthy alternative to more recognizable tools like Cobalt Strike.\r\nCore Capabilities:\r\nCross-Platform Operation: Works on Windows, macOS, and Linux.\r\nEncrypted Communications: Supports secure channels via mTLS, WireGuard, HTTP(S), and DNS protocols.\r\nAdvanced Payload Options: Provides features like process injection and in-memory execution of .NET assemblies.\r\nModular Design: Allows users to expand capabilities through custom payloads and third-party integrations.\r\nAdoption by Threat Actors:\r\nSupply Chain Attack via Korean Software Vendor: A compromised Korean software installer delivered Sliver, enabling attackers to mask their presence within seemingly legitimate applications, an evolving tactic in supply chain threats.\r\nNorth Korean Group Using Play Ransomware: North Korean actors deployed Sliver's stealth capabilities to facilitate the execution of Play ransomware, underscoring its utility in advanced evasion techniques.\r\nNitrogen Campaign Leading to BlackCat Ransomware: In a recent Nitrogen operation, Sliver provided initial access and reconnaissance capabilities, eventually leading to the deployment of BlackCat ransomware.\r\nDetection Challenges: Sliver's flexibility in payload customization, protocol use, and rapid development updates make it difficult to detect using traditional methods. Its ability to mimic legitimate traffic and quickly adapt to detection efforts poses significant challenges for defenders relying on signature-based tools.\r\nhttps://hunt.io/blog/sliver-c2-ligolo-ng-targeting-yc\r\nPage 1 of 8\r\nLigolo-ng Overview\r\nLigolo-ng is a tunneling and pivoting tool that allows security professionals to securely access internal networks via a reverse TCP/TLS connection. Unlike traditional SOCKS proxies, it leverages a TUN interface, enabling seamless traffic routing through compromised machines.\r\nLigolo-ng is a favored tool among penetration testers because of its ease of use and cross-platform compatibility. It supports lateral movement within complex network environments, making it ideal for stealthy internal network exploration and effective pivoting during security assessments.\r\nFigure 1: Ligolo-ng GitHub README.\r\nInitial Findings - IP Address and Domain Linkage\r\nDuring our analysis of recent entries in Hunt's C2 Infrastructure feature, we identified an IP address flagged as a Sliver controller: 179.60.149[.]75, hosted on the HOSTKEY ASN in the United States. The IP exhibited active Sliver C2 ports on 3333, 22813, and 43215, alongside Ligolo-ng on port 22913. This discovery led us to investigate the infrastructure surrounding this server further.\r\nFigure 2: Overview of the Sliver C2 in Hunt.\r\nAdditional analysis uncovered an associated domain, ycombinator.serveblog[.]net, crafted to resemble Y Combinator, a well-known venture capital firm. The similarity to the legitimate brand name suggests a potential attempt to establish trust or credibility, possibly to deceive users or networks that recognize the firm's status within the tech community.\r\nUpon navigating to this spoofed domain, we observed an immediate HTTP redirect to Y Combinator's legitimate website, a tactic likely intended to deflect suspicion while maintaining a functional appearance.\r\nFigure 3: Screenshot of the legitimate Y Combinator website after navigating to ycombinator.serveblog[.]net (Source: URLScan).\r\nWe combed through multiple malware repositories and encountered a malicious ELF file communicating with the subject IP over port 443. Named \"cloud\" (SHA-256: c8b524ca90adea19d920beb5cc6bd86dd03b23b0b2c61675cef9d6c0446aea84), this file was flagged by 31 vendors on VirusTotal as a Sliver implant.\r\nAlthough executing the file in a local sandbox environment did not yield active network communications, HTTP requests associated with this implant were visible on VirusTotal, revealing specific URL paths on the target server. The most commonly accessed paths included:\r\n/data/bundles\r\n/data/javascripts\r\n/data/authenticate\r\nAttempts to open these URLs in a browser resulted in 404 responses, indicating the paths are inactive or accessible only under certain conditions.\r\nFigure 4: Screenshot of HTTP requests from the Sliver implant (Source: VirusTotal).\r\nInfrastructure Expansion - Identifying Linked Server via Certificate Analysis\r\nOver the past two weeks, 179.60.149[.]75 frequently cycled through TLS certificates, including those commonly associated with Sliver C2 infrastructure. Among these, one certificate issued by Let's Encrypt uses the previously identified spoofed domain, while others bear the \"multiplayer\" subject common name, the default certificate widely used to track framework infrastructure.\r\nFigure 5: TLS Historical records for the first Sliver C2 in Hunt.\r\nSeveral certificates use the generic common name \"localhost.\" In our analysis of recent C2 deployments, this detail has emerged as a solid secondary indicator of command-and-control infrastructure linked to this framework. Using \"localhost\" likely reflects an attempt to mislead researchers by mimicking certificates typically used for testing.\r\nIn addition to the common name, many certificates include random words or fictitious company names in the organization field, often paired with geographic data, such as city names from Canada or Japan. This mix of natural and fake details adds obfuscation, complicating attribution. Despite these challenges, this pattern remains a consistent marker of the infrastructure associated with this framework.\r\nFigure 6: Screenshot of one of the localhost certificates showing the random organization name and location in Japan (Hunt).\r\nPivoting on one of the localhost certificates (SHA-256: 252A651B3BBAB4F3B84C2E8EE9A37C3E899094CFD7366C814C1EAE1632DA2668) identified one additional IP, 179.60.149[.]4, hosted on the same ASN and sharing this certificate.\r\nFigure 7: Shared TLS certificates between two Sliver C2s (Hunt).\r\nThis IP closely matches the original in port configuration, hosting active Sliver C2 ports alongside Ligolo-ng. Using similar tools and settings suggests the potential for additional infrastructure linked to this campaign.\r\nAt the time of writing, no domains were associated with 179.60.149[.]4.\r\nFigure 8: Snippet of IP overview in Hunt for the additional server acting as a Sliver C2 (Hunt).\r\nThe above highlights the operators' reliance on the Sliver framework and Ligolo-ng to achieve their objective, whatever that may be. With a clearer understanding of the tactics and tools involved, and no further leads, we can move to the conclusion.\r\nConclusion\r\nOur research traced a small set of infrastructure leveraging the Sliver C2 framework and Ligolo-ng, connected through distinct indicators such as TLS certificates and port configurations. Alongside the initial IP, we identified an additional server.\r\nWe also observed a domain crafted to mimic a company known for supporting startups, likely aiming to establish credibility with potential targets.\r\nThese findings emphasize the importance of monitoring subtle changes in known malicious infrastructure indicators, which can reveal additional IPs that may otherwise go undetected. Proactive analysis remains essential in tracking and disrupting similar campaigns.\r\nNetwork Observables\r\nIP Address | Hosting Country | ASN | Domain(s) | Notes\r\n179.60.149[.]75 | US | HOSTKEY | ycombinator.serveblog[.]net | Sliver C2 and Ligolo-ng used likely to target Y Combinator.\r\n179.60.149[.]4 | US | HOSTKEY | N/A | Sliver C2 \u0026 Ligolo-ng server. *Shares TLS certificate w/ 179.60.149[.]75.\r\nSliver Implant\r\nFile Name | File Type | SHA-256\r\ncloud | ELF 64-bit | c8b524ca90adea19d920beb5cc6bd86dd03b23b0b2c61675cef9d6c0446aea84\r\nSource: https://hunt.io/blog/sliver-c2-ligolo-ng-targeting-yc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/sliver-c2-ligolo-ng-targeting-yc"
	],
	"report_names": [
		"sliver-c2-ligolo-ng-targeting-yc"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438958,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c77ea1c9db4d0cae3e9e214f667575fb29efc408.pdf",
		"text": "https://archive.orkl.eu/c77ea1c9db4d0cae3e9e214f667575fb29efc408.txt",
		"img": "https://archive.orkl.eu/c77ea1c9db4d0cae3e9e214f667575fb29efc408.jpg"
	}
}