{
	"id": "1d2be5b1-ecda-4e55-9f82-c15c60e05cff",
	"created_at": "2026-04-06T00:21:11.637543Z",
	"updated_at": "2026-04-10T03:22:02.375724Z",
	"deleted_at": null,
	"sha1_hash": "f6761d9a54acb3b85cb271bbc73c9e82fb302ecd",
	"title": "Sliver C2 Being Distributed Through Korean Program Development Company - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2662091,
	"plain_text": "Sliver C2 Being Distributed Through Korean Program Development Company - ASEC\r\nBy ATCP\r\nPublished: 2023-07-24 · Archived: 2026-04-05 19:56:56 UTC\r\nIn the past, AhnLab Security Emergency response Center (ASEC) shared the “SparkRAT Being Distributed Within a Korean VPN Installer” [1] case post and the “Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections” [2] case post, which covered the SparkRAT malware being distributed through a Korean VPN service provider’s installer.\r\nASEC has recently identified similar malware strains being distributed disguised as setup files for Korean VPN service providers and marketing program producers. Unlike the past cases where SparkRAT was used, Sliver C2 was used in the recent attacks [3], and techniques to evade detection were employed.\r\nAs of now, most websites of the affected companies provide normal setup files for download. It is therefore uncertain whether the malware strain was distributed as installers on official websites before being rectified, as in past cases, or whether there are other distribution paths. However, an investigation of the malware strains involved revealed that they were all related to software provided by the same program development company. Most malware samples had certificates disguised as valid ones from this company. There were also multiple samples signed with valid certificates.\r\nMalicious installers are still uploaded on the software download website provided by this company, so users may be unaware of this fact and install the file in question. In light of these facts, it seems that the threat actor attacked the development company and distributed installers containing malware strains. Such attacks have been launched steadily since the first half of 2023.\r\nhttps://asec.ahnlab.com/en/55652/\r\nPage 1 of 11\r\nFigure 1. Software download website of the company used for malware distribution\r\n1. Past Attack Cases\r\nFigure 2. Past attack flow\r\nExamining past cases shows that a malicious setup file was uploaded to the website of a Korean VPN service provider in place of the normal installer. Accordingly, users may believe they have executed a normal setup file, while a malware strain is also installed in the system and executed. The malicious installer in the initial attack was developed in .NET and simply created and executed the normal installer and the SparkRAT malware. SparkRAT is an open-source RAT type malware developed in Go. It provides features to control the infected system such as executing commands, exfiltrating information, and controlling processes and files.\r\nMalware files continued to be uploaded to the website of this VPN company afterward. To prevent the malware from being detected, the tactic changed from directly dropping the malware strain to installing SparkRAT through a downloader. After SparkRAT (backdoor) was installed in the infected system, MeshAgent from MeshCentral was additionally installed to be used for remote desktop features.\r\n2. Analysis of the Malware Currently Used in Attacks\r\nFigure 3. Current attack flow\r\nUnlike the malicious installers of the past, which were droppers that simultaneously installed the malware strain, the currently used type is both a downloader and an injector. All malware strains used in the attacks, including the installer, were developed in Go and were all obfuscated. SparkRAT, which was used by the threat actor in the past, is also a backdoor developed in Go. Dropper and downloader type malware developed in Go were also used in subsequent attack stages. Sliver C2, which has been detected recently, is also developed in Go. As such, it appears that the threat actor prefers the Go language for development.\r\nFigure 4. Obfuscated Go binary\r\nThe malicious installer connects to the C\u0026C server and downloads encrypted configuration data. When conditions match, Sliver C2 is downloaded. Notepad (notepad.exe), a normal program, is executed and Sliver C2 is injected into it. Because these processes are carried out simultaneously with the task of creating and executing the normal setup file, users may think the file is normal.\r\nFigure 5. Normal installer created by the malicious file\r\nThe malicious installer also includes an anti-sandbox feature. The list of currently running processes is looked up, and injection is only performed when a certain process is running. The list of processes to check for is stored encrypted at the following URL. The malware strain downloads this and decrypts it to use it for checking the conditions.\r\nConfiguration download URL: hxxps://status.devq[.]workers.dev/\r\nFigure 6. Encrypted condition\r\nFigure 7. Decrypted conditional string\r\nProcess Name\r\nDiscord.exe, discord.exe, NexonPlug.exe, nexonplug.exe, OP.GG.exe, op.gg.exe, qq.exe, line.exe, QQGuild.exe, qqguild.exe, QQProtect.exe, qqprotect.exe, TrafficPro.exe, trafficpro.exe, WeChatAppEx.exe, wechatappex.exe, WeChatPlayer.exe, wechatplayer.exe, anydesk.exe, kakaotalk.exe, ldplayer.exe, logibolt.exe, obs64.exe, skype.exe, telegram.exe, wechat.exe, whale.exe\r\nTable 1. List of processes used as conditions\r\nThese strings are the names of programs that are likely to be installed on ordinary user PCs. Because VPN services are mainly used by users to have unrestricted Internet access in China, many Chinese messenger names are also included. When conditions match, the malware downloads an encrypted Sliver C2 from an external source and decrypts it. Then it launches Notepad, a normal program, and injects Sliver C2 into this process.\r\nSliver C2 Download URL: hxxps://config.v6[.]army/sans.woff2\r\nFigure 8. Process tree\r\nSliver C2 is an open-source penetration testing tool published on GitHub. Penetration testing tools are used to check for security vulnerabilities within the networks and systems of companies and institutes. They can potentially be used for malicious purposes if placed in the hands of threat actors, as they generally provide various features for each penetration testing stage. Major commercial penetration testing tools include Cobalt Strike and the open-source Metasploit. Recently, there have been multiple identified cases where Sliver C2 was used.\r\nInstead of SparkRAT, which was previously used, the threat actor employed Sliver C2 in attacks, probably because Sliver C2 supports more features than SparkRAT, a simple backdoor. Sliver C2 supports most features supported by ordinary backdoor and RAT malware types, such as process and file-related tasks, executing commands, uploading/downloading files, and capturing screenshots. It also provides various features needed for gaining control over internal networks such as privilege escalation, process memory dump, and lateral movement.\r\nSliver C2 Name: PRETTY_BLADDER\r\nSliver C2 C\u0026C URL: hxxps://panda.sect[.]kr\r\nFigure 9. Sliver C2 settings data\r\n3. Analysis of Additional Malware\r\nWhile the malware strain used in the attacks changed from SparkRAT to Sliver C2, the threat actor ultimately used the same MeshAgent. Using Sliver C2 injected into notepad, the threat actor installed MeshAgent under the “%PROGRAMFILES%\\Microsofts\\Microsofts\\preMicrosoft.exe” path.\r\nFigure 10. MeshAgent installation log\r\nProvided by MeshCentral, MeshAgent allows various system control commands such as command execution and file download, as well as remote desktop features such as VNC and RDP. Ordinary users may use these services to remotely manage the system, but the features can also be used for malicious purposes. The threat actor in this case probably used MeshAgent for remotely controlling the infected system.\r\nMeshAgent C\u0026C URL: speed.ableoil[.]net:443\r\nFigure 11. MeshAgent used for the attack\r\nThe threat actor installed Sliver C2 and MeshAgent to seize control over the infected system. Afterward, the attacker was able to perform various malicious behaviors such as exfiltrating user information saved on the PC or installing additional malware strains. According to the AhnLab Smart Defense (ASD) logs, the threat actor used MeshAgent to install an additional malware strain titled “m.exe”. The file “m.exe” is a malware type that captures webcam feeds and is also available publicly on GitHub. Like the other malware strains, it is developed in Go. Using this malware type, the threat actor can capture images of the user on systems with webcam access.\r\nFigure 12. Open-source webcam capturing malware used by the threat actor\r\n4. Installers Used in Attacks\r\nCurrently, most VPN and marketing program provider websites hold only normal setup files, but there are companies that have not yet fully taken appropriate measures. In the case of a particular VPN company, a normal setup file is downloaded from the download link on the official website, but the website still contains a malicious installer that can be downloaded.\r\nFigure 13. Malware uploaded on the website of a certain VPN company\r\nThere are also malicious installers being distributed from the following software download site, which was found to be another website of the same program development company. The files are supposed to be font files, but they are actually malicious installers.\r\nFigure 14. Website still containing downloadable malware strains\r\nThe above malware types are all signed with invalid certificates, stolen by the threat actor to disguise the files as installers. However, there are also multiple malware strains signed with a valid certificate from the appropriate program developer. Malware strains with valid signatures range from malicious setup files disguised as those for various services to VPN execution files and MeshAgent.\r\nTo summarize, while the specific circumstances are yet to be revealed, the threat actor is able to sign malware strains with valid certificates from the corresponding program development company. Multiple malicious setup files disguised as being for various services provided by the said company have been identified.\r\nFigure 15. Malware signed with a valid signature\r\n5. Conclusion\r\nCurrently, a malware strain is being distributed through a certain program development company, and many identified samples have been signed with a valid certificate from this company. Accordingly, the malware may be distributed from other services provided by this developer. It has been confirmed that malware files are uploaded to the VPN company’s download page and the software download website.\r\nThe threat actor installed SparkRAT, Sliver C2, and MeshAgent, which support features that allow the operator to control infected systems. Accordingly, the threat actor was able to perform various malicious behaviors such as stealing user information saved on the PC and installing additional malware strains.\r\nWhen users download malicious installers from the website and proceed with the installation, the setup file installs not only malware but also the normal setup file, making it difficult to recognize that the system has been infected with malware. Users must practice caution and update V3 to the latest version to prevent malware infection in advance.\r\nFile Detection\r\n– Trojan/Win.MeshAgent.C5457071 (2023.07.18.03)\r\n– Trojan/Win.MeshAgent.C5459839 (2023.07.24.03)\r\n– Downloader/Win.Agent.C5459845 (2023.07.24.03)\r\n– Downloader/Win.Agent.C5459851 (2023.07.24.03)\r\n– Data/BIN.EncPe (2023.07.25.00)\r\nBehavior Detection\r\n– Persistence/MDP.RunKey.M1038\r\nMD5\r\n10298c1ddae73915eb904312d2c6007d\r\n1906bf1a2c96e49bd8eba29cf430435f\r\n23f72ee555afcd235c0c8639f282f3c6\r\n27a24461bd082ec60596abbad23e59f2\r\n499f0d42d5e7e121d9a751b3aac2e3f8\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttps[:]//config[.]v6[.]army/sans[.]woff2\r\nhttps[:]//panda[.]sect[.]kr/\r\nhttps[:]//speed[.]ableoil[.]net/\r\nhttps[:]//status[.]devq[.]workers[.]dev/\r\nSource: https://asec.ahnlab.com/en/55652/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/55652/"
	],
	"report_names": [
		"55652"
	],
	"threat_actors": [],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6761d9a54acb3b85cb271bbc73c9e82fb302ecd.pdf",
		"text": "https://archive.orkl.eu/f6761d9a54acb3b85cb271bbc73c9e82fb302ecd.txt",
		"img": "https://archive.orkl.eu/f6761d9a54acb3b85cb271bbc73c9e82fb302ecd.jpg"
	}
}