Sliver
Sliver is an open-source post-exploitation and command-and-control (C2) framework written in Go, commonly referred to as Sliver C2. It is used by both legitimate red teams and malicious actors, and has been observed in real intrusions and on exposed adversary infrastructure. Reported capabilities include remote command execution via PowerShell or the Windows Command Shell, support for multiple C2 transports including HTTP/HTTPS, DNS, mTLS, and WireGuard, and cross-platform implant generation including Windows and macOS. The content also describes Sliver as compiling native Go implants and as driving the team server from a CLI client over gRPC.
Across the provided reporting, Sliver implants and servers were identified on Windows, Linux, macOS, and Ubuntu-hosted C2 infrastructure. On macOS, default or poorly customized Sliver payloads were reported as readily detected by XProtect and commercial EDR products: one x86_64 implant was detected immediately by XProtect, and an arm64 implant with ad-hoc signing was later detected behaviorally by CrowdStrike Falcon. On Windows, analyzed samples included a 64-bit PE32+ GUI executable for x86-64 with symbols stripped to an external PDB, with SHA-256 44e38bf97ce3f5cc22886a54e1e7144e2c6fbdb9515b9a8f26f025ce3eac56e4, SHA-1 194c402c0d3bb285cc32eb4a6f23519081c8815e, and MD5 54129cad2a0de88cd94440e7663fdffb. Another reported Sliver backdoor sample had SHA-256 913487d5c4514300e1f774af965d046479f0a6612061bcb82b536c7427a49102.
The framework has been linked in the content to multiple threat activities. Trend Micro described a Windows campaign using malicious MSI installers and Fondue.exe side-loading of a rogue APPWIZ.cpl to deploy a Sliver implant, targeting government organizations, military personnel, and drone-related individuals. That implant communicated with curtainbeatdisturbance[.]com and created the mutex MediumTurquoiseBeige. Red Canary reported a 2025 intrusion where attackers used Quick Assist and a QEMU VM containing Sliver implants named 1HTTPS.EXE and 2MTLS.EXE; VMRay confirmed them as Sliver beacons communicating with marnyonline[.]com and 45[.]61[.]169[.]127:8443. Shodan-observed certificate details on 45[.]61[.]169[.]127 were consistent with a Sliver team server. Red Canary also observed Sliver used on compromised cloud Linux servers following exploitation of CVE-2023-46604 in Apache ActiveMQ, alongside Cloudflare Tunnels for covert long-term C2.
The content further associates Sliver with campaigns and operators including TA551, at least two 2022 campaigns observed by Team Cymru, and pro-Ukrainian hacktivist activity linked with 4BID and related groups. In that latter reporting, Sliver payloads were delivered after Exchange ProxyShell exploitation via SFX archives such as upd.exe, winhost.exe, update1.exe, update.exe, and akolo.exe, with installation components including install.bat, WinSW, servicechecker.bat, backupagnt.exe, and a Donut-generated loader in WindowsInternal.UpdateComponent.dll encrypted with XOR key 0x0F. All Sliver samples in that research were configured to communicate with 185.221.153[.]121 over mTLS.
Infrastructure-focused reporting repeatedly identified exposed Sliver implants or C2 servers. Examples include an open directory at 172.86.122.4 containing malicious DLLs and Sliver implants; a live Sliver C2 server exposed on port 9443 within a larger phishing and cloaking infrastructure; and open directories on 213.136.80[.]73 tied to a Sliver-integrated Linux deployment pipeline that used Sliver beacons to distribute stock Chisel binaries, establish reverse SOCKS5 tunnels, and persist as xsync. Additional reporting noted TLS fingerprints on some HTTPS-enabled hosts that resembled Sliver C2 infrastructure.
High-confidence indicators mentioned in the content include: 45[.]61[.]169[.]127, 185.221.153[.]121, 172.86.122.4, marnyonline[.]com, curtainbeatdisturbance[.]com, mutex MediumTurquoiseBeige, sample names 1HTTPS.EXE and 2MTLS.EXE, and the hashes listed above. Overall, the content consistently characterizes Sliver as a flexible, cross-platform open-source post-exploitation framework that is increasingly used in the wild for foothold establishment, remote command execution, persistence, and covert C2.
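The indicators above are only useful once they are matched against telemetry. The following is an added example, not code from the page or from any of the cited vendors: it normalizes the report-style defanged values, runs a few constructed, normalized events (DNS, network connection, process, mutex and image-load records, labelled as constructed) through the IOC sets, and adds one behavioural check for the Fondue.exe side-load described later on this page. The side-load heuristic (appwiz.cpl loaded by fondue.exe from outside the Windows system directories) is this example's own assumption, not a rule from the reporting.

```python
import ntpath

# Indicators from the reporting summarized on this page. Report-style defanging
# ("[.]") is undone by refang() before comparison.
IOC_DOMAINS = {"marnyonline.com", "curtainbeatdisturbance.com"}
IOC_IPS = {"45.61.169.127", "185.221.153.121", "172.86.122.4", "213.136.80.73"}
IOC_SHA256 = {
    "44e38bf97ce3f5cc22886a54e1e7144e2c6fbdb9515b9a8f26f025ce3eac56e4",
    "913487d5c4514300e1f774af965d046479f0a6612061bcb82b536c7427a49102",
}
IOC_MUTEXES = {"mediumturquoisebeige"}
IOC_FILENAMES = {"1https.exe", "2mtls.exe"}


def refang(value):
    """Normalize a CTI-style indicator or a live log value for comparison."""
    return value.replace("[.]", ".").strip().lower().rstrip(".")


def basename(path):
    """Lower-case file name from a Windows or POSIX path (ntpath splits on both separators)."""
    return ntpath.basename(path).lower()


def is_fondue_sideload(ev):
    """Heuristic assumed by this example, not taken from the page: fondue.exe loading an
    appwiz.cpl that is not in %SystemRoot%\\System32 or SysWOW64, where the genuine
    applet lives. The reported campaign side-loads a rogue copy from elsewhere."""
    loaded = ev["loaded"].replace("/", "\\").lower()
    return (basename(ev["image"]) == "fondue.exe"
            and basename(loaded) == "appwiz.cpl"
            and "\\windows\\system32\\" not in loaded
            and "\\windows\\syswow64\\" not in loaded)


def hunt(events):
    """Run every event through the IOC sets and the side-load heuristic; return (rule, event) hits."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "dns" and refang(ev["query"]) in IOC_DOMAINS:
            hits.append(("ioc_domain", ev))
        elif kind == "netconn" and ev["dst_ip"] in IOC_IPS:
            hits.append(("ioc_ip", ev))
        elif kind == "process":
            if ev.get("sha256", "").lower() in IOC_SHA256:
                hits.append(("ioc_hash", ev))
            elif basename(ev["image"]) in IOC_FILENAMES:
                hits.append(("ioc_filename", ev))
        elif kind == "mutex" and ev["name"].lower() in IOC_MUTEXES:
            hits.append(("ioc_mutex", ev))
        elif kind == "imageload" and is_fondue_sideload(ev):
            hits.append(("fondue_appwiz_sideload", ev))
    return hits


# Constructed sample telemetry (not real logs); hosts, paths and the all-zero hash are made up.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "marnyonline.com."},
    {"type": "netconn", "host": "ws01", "dst_ip": "45.61.169.127", "dst_port": 8443},
    {"type": "process", "host": "ws01", "image": "C:\\Users\\Public\\2MTLS.EXE", "sha256": "0" * 64},
    {"type": "mutex", "host": "ws02", "name": "MediumTurquoiseBeige"},
    {"type": "imageload", "host": "ws02", "image": "C:\\Windows\\System32\\fondue.exe",
     "loaded": "C:\\Users\\Public\\Libraries\\APPWIZ.cpl"},
    {"type": "imageload", "host": "ws03", "image": "C:\\Windows\\System32\\fondue.exe",
     "loaded": "C:\\Windows\\System32\\appwiz.cpl"},                       # benign
    {"type": "dns", "host": "ws03", "query": "slack.com"},                  # benign
    {"type": "netconn", "host": "srv01", "dst_ip": "8.8.8.8", "dst_port": 53},  # benign
    {"type": "process", "host": "srv01", "image": "/tmp/.cache/update",
     "sha256": "913487d5c4514300e1f774af965d046479f0a6612061bcb82b536c7427a49102"},
]


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {ev['host']}")
```

Atomic indicators (hashes, file names, the IP and domains) are cheap for an operator to rotate; the side-load check and the mutex are the kind of behavioural signal that survives a rebuild, which is why the example carries both.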
Vulnerabilities exploited
21 CVEs Mallory has correlated with this family across public research and vendor advisories.
Analysis of the attacked infrastructures showed that in most cases the attackers obtained initial access by exploiting an Exchange vulnerability, namely ProxyShell, which allows full compromise of the server. | All Sliver instances discovered in this research were configured to communicate with the C2 185.221.153[.]121 over mTLS.
The March 2026 record on port 8080 was more substantial: 79 files across 13 subdirectories totaling 4 MB. Key contents included a pwnkit/ directory with CVE-2021-4034 (834 KB across 7 files), a TLS certificate and private key pair for C2 authentication, and a Python HTTP C2 script. This is a complete staging directory, confirming that the operator pursues privilege escalation on compromised hosts.
React2Shell in Russia: ... In some cases, the final payloads were the Kaiji and Rustobot botnets and the Sliver implant.
More recently, at the end of November, Darktrace analysts observed a spike in exploitation and post-exploitation activity affecting, once again, Palo Alto firewall devices in the days following the disclosure of the CVE-2024-0012 and CVE-2024-9474 vulnerabilities. ... CVE-2024-0012 is an authentication bypass vulnerability affecting unpatched versions of Palo Alto Networks Next-Generation Firewalls. ... CVE-2024-9474 is a privilege escalation vulnerability that allows a PAN-OS administrator with access to the management web interface to execute root-level commands, granting full control over the affected device. | Palo Alto firewalls likely exploited via the newly disclosed CVEs would commonly utilize the Sliver C2 platform for external communication. An open-source alternative to Cobalt Strike, this framework has been increasingly popular among threat actors, enabling the generation of dynamic payloads (“slivers”) for multiple platforms, including Windows, macOS, Linux.
Check Point researchers said the tool is being discussed on underground forums, where hackers are exchanging instructions on how to deploy it against three Citrix NetScaler flaws disclosed last week: CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424. The most critical of these, CVE-2025-7775, allows unauthenticated remote code execution.
In another cluster of activity, since at least March 5, 2026, Sliver, an open-source adversarial emulation framework (aka red-teaming implant), was deployed with the filename “CWan”.
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
Analysis of react.py This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. ... This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale.
“KrustyLoader retrieves a second-stage payload — an AES-128-CFB encrypted version of the Sliver backdoor. It then decrypts this payload… and injects it directly into memory as shellcode…” | On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems.
Figure 3: Upgrade Netcat Connection to Sliver Implant ... Figure 4: Leverage Sliver Implant to Run Perl Script for Retrieval of Cached Domain Administrator Credentials.
"On some machines, the attackers deployed Sliver framework, an implant that provided them with full remote control of compromised systems."
“we found… backdoors… starting with the Sliver implant… Both download Sliver implants, and both connected back to the same server…”
In versions 1.5.43 and earlier, the netstack does not limit traffic between Wireguard clients... https://hngnh.com/posts/Sliver-CVE-2025-27093/
Groups observed using it
29 distinct threat actors attributed by public researchers.
Sliver is an open source post-exploitation framework written in Go. It executes commands through PowerShell or the Windows Command Shell.
The appwiz.cpl applet is packed with UPX and obfuscated with Oreans Code Virtualizer... The applet loading results in the deployment of a Sliver post-exploitation framework implant within the Fondue.exe memory.
DEV-0237 now uses the SystemBC RAT and the penetration testing framework Sliver in their attacks, replacing Cobalt Strike. ... Around June 6, 2022, it began replacing Cobalt Strike with the Sliver framework in their attacks.
The multi-stage attack chain deployed EchoGather RAT via Telegram channels and phishing pages, Sliver implant via DLL side-loading through Fondue.exe, SoullessRAT via fake AlphaFly installer, and AquilaRAT (Rust backdoor) leveraging multiple rotating C2 domains.
UNC5174 has been observed using SNOWLIGHT to download Sliver and VSHELL.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
Initial Access (2 techniques)
Execution (6 techniques)
To maintain persistence, the malicious applet creates a scheduled task in Windows Task Scheduler that runs every minute.
The initial MSI installer drops a PowerShell script, a VBS helper file, and a .NET loader, which work together to download and execute the next-stage payload.
Sliver is an open source post-exploitation framework written in Go. It executes commands through PowerShell or the Windows Command Shell.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (6 techniques)
In practice, two measures are enough to bypass XProtect: string encryption (the characteristic user-agent and URL patterns) and rebuilding from source with a refactored binary structure.
Bypass: a custom HTTP profile with 30–50% jitter, mimicking legitimate SaaS traffic (Slack API, Teams webhooks).
Threat actors are actively abusing Fondue.exe, a legitimate Microsoft utility built into the Windows operating system, to side-load a malicious control panel file named APPWIZ.cpl.
A separate diagnostic script rounds out the toolkit. It selects five active beacons at random and runs a shell command on each to verify the presence of Chisel binaries at known drop paths, confirm a Chisel process is running, check available disk space, test reachability of port 9000 on the C2, and confirm persistence artifacts are still in place.
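The jitter-plus-SaaS-mimicry advice quoted above is aimed at content inspection; it does little against timing analysis, which is what the following added example shows. This is not code from the page or from the quoted write-up. It groups connection records by (source, destination) pair, computes the coefficient of variation (standard deviation over mean) of the inter-arrival gaps, and flags pairs that are too regular. The check-in series are constructed: the jitter model (each gap uniform in interval × (1 ± jitter)), the exponential model for interactive traffic, the TEST-NET addresses and the thresholds min_count=20 and max_cv=0.5 are all this example's assumptions.

```python
import random
import statistics
from collections import defaultdict


def gap_stats(timestamps):
    """Count, median inter-arrival gap and coefficient of variation (stdev / mean) of the gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else None
    return len(ts), statistics.median(gaps), cv


def find_beacons(connections, min_count=20, max_cv=0.5):
    """Group (src, dst, epoch_seconds) records by pair and flag pairs whose timing is too
    regular for interactive use. min_count and max_cv are assumed thresholds, not from the page."""
    by_pair = defaultdict(list)
    for src, dst, t in connections:
        by_pair[(src, dst)].append(t)
    flagged = {}
    for pair, ts in by_pair.items():
        n, median_gap, cv = gap_stats(ts)
        if n >= min_count and cv is not None and cv <= max_cv:
            flagged[pair] = {"count": n, "median_gap": round(median_gap, 1), "cv": round(cv, 3)}
    return flagged


def simulate_beacon(start, interval, jitter, n, rng):
    """Implant check-ins under an assumed jitter model: each gap is uniform in
    [interval * (1 - jitter), interval * (1 + jitter)]."""
    t, out = start, []
    for _ in range(n):
        out.append(t)
        t += rng.uniform(interval * (1 - jitter), interval * (1 + jitter))
    return out


def simulate_interactive(start, mean_gap, n, rng):
    """Human-driven traffic: bursty gaps drawn from an exponential distribution (cv close to 1)."""
    t, out = start, []
    for _ in range(n):
        out.append(t)
        t += rng.expovariate(1.0 / mean_gap)
    return out


BEACON_PAIR = ("10.0.0.5", "203.0.113.10:443")   # constructed: implant -> SaaS-looking C2 endpoint
HUMAN_PAIR = ("10.0.0.5", "198.51.100.7:443")    # constructed: genuine interactive traffic


def build_sample(seed=1337):
    """Constructed proxy-log style records: a 60 s beacon with 40 % jitter beside interactive traffic."""
    rng = random.Random(seed)
    conns = [(*BEACON_PAIR, t) for t in simulate_beacon(0.0, 60.0, 0.40, 200, rng)]
    conns += [(*HUMAN_PAIR, t) for t in simulate_interactive(0.0, 60.0, 200, rng)]
    return conns


if __name__ == "__main__":
    for pair, s in find_beacons(build_sample()).items():
        print(pair, s)
```

For uniform jitter j the coefficient of variation of the gaps is j/√3, so even 50% jitter gives about 0.29, well under the 0.5 threshold, and the destination's resemblance to Slack or Teams is irrelevant to the statistic. The caveat runs the other way too: legitimate pollers (update checks, telemetry agents) are just as regular, so a timing hit needs an allow-list and corroboration before it becomes an alert.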
Defense Impairment (1 technique)
Discovery (6 techniques)
Executes the shell “ifconfig” command. The expect routine looks for a string containing “+” as an indication of success.
Executes the shell “whoami” command. The expect routine looks for a string containing “Logon ID:” as an indication of success.
Executes the shell “netstat” command. The expect routine checks for a string containing the word “Protocol” as an indication of success.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
A separate diagnostic script rounds out the toolkit. It selects five active beacons at random and runs a shell command on each to verify the presence of Chisel binaries at known drop paths, confirm a Chisel process is running, check available disk space, test reachability of port 9000 on the C2, and confirm persistence artifacts are still in place.
Collection (2 techniques)
Command and Control (9 techniques)
In MITRE ATT&CK, covert channels span several tactics at once: ... Protocol Impersonation (T1001.003 ...). ... HTTP covert channels (T1001.003 ..., T1572) work at a different level: instead of exploiting an allowed protocol, they mimic specific legitimate services.
Sliver C2 Implant Analysis ... I will analyse a sample of Sliver ... while scanning my adversaries’ infrastructure.
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
It supports several protocols for C2 including HTTP, WireGuard, and DNS... Mythic is an open source post-exploitation framework... and supports multiple protocols for C2 including TCP, HTTPM, DNS, and SMB.
The deployer scripts are methodical. They load the Sliver C2 client configuration, filter for Linux implants that have checked in within the last ten minutes, and then assign each one a dedicated SMTP proxy port.
Each beacon receives a SOCKS5 proxy port derived deterministically from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999.
generate --mtls hosthere --save /home/kali/implants/sliver-init --skip-symbols --os linux ... The script hosts the sliver-expect script, accessible at http://<host>/sliver-expect , with a timeout of 300 seconds (5 minutes) to retrieve the payload.
Once loaded into the memory space of Fondue.exe, the rogue control panel file deploys a Sliver post-exploitation framework implant. Sliver is an open-source adversary simulation tool that gives attackers a powerful foothold on the infected machine, allowing them to issue remote commands and move through compromised networks with ease.
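The deployer logic described in the Chisel pipeline reporting above (load the client configuration, keep Linux beacons seen in the last ten minutes, derive a SOCKS5 port from the MD5 of the beacon UUID into 10000-14999) is reconstructed here as an added example. It is not the operator's script and not Sliver project code; the client-configuration step is replaced by a constructed beacon inventory, the exact MD5-to-port mapping (hex digest as an integer, modulo the span) is assumed, and the collision check is this example's own addition.

```python
import hashlib
from datetime import datetime, timedelta, timezone

PORT_BASE, PORT_SPAN = 10000, 5000          # range 10000-14999 from the reporting
CHECKIN_WINDOW = timedelta(minutes=10)      # "checked in within the last ten minutes"


def socks_port_for(beacon_id):
    """Deterministic SOCKS5 port from the MD5 of the beacon UUID. The reporting says MD5 mapped
    into 10000-14999; the mapping used here (hex digest as integer, modulo the span) is assumed."""
    digest = hashlib.md5(beacon_id.encode("ascii")).hexdigest()
    return PORT_BASE + int(digest, 16) % PORT_SPAN


def select_targets(beacons, now):
    """Mirror the deployer filter: Linux beacons that checked in inside the window."""
    return [b for b in beacons
            if b["os"] == "linux" and now - b["last_checkin"] <= CHECKIN_WINDOW]


def plan_proxies(beacons, now):
    """Assign a port to every eligible beacon and report collisions. With 5000 ports and a
    modulo mapping two beacons can land on the same port; the reporting does not say how
    the scripts handle that, so this example surfaces it instead of silently overwriting."""
    plan, collisions = {}, []
    for b in select_targets(beacons, now):
        port = socks_port_for(b["id"])
        if port in plan.values():
            collisions.append((b["id"], port))
        plan[b["id"]] = port
    return plan, collisions


NOW = datetime(2026, 3, 5, 12, 0, tzinfo=timezone.utc)   # constructed clock

# Constructed beacon inventory in the shape a C2 client lists them: id, os, last check-in.
SAMPLE_BEACONS = [
    {"id": "0f2b9c3e-1a4d-4b7e-9e11-000000000001", "os": "linux",
     "last_checkin": NOW - timedelta(minutes=2)},
    {"id": "0f2b9c3e-1a4d-4b7e-9e11-000000000002", "os": "linux",
     "last_checkin": NOW - timedelta(minutes=9)},
    {"id": "0f2b9c3e-1a4d-4b7e-9e11-000000000003", "os": "linux",
     "last_checkin": NOW - timedelta(hours=3)},     # stale, excluded
    {"id": "0f2b9c3e-1a4d-4b7e-9e11-000000000004", "os": "windows",
     "last_checkin": NOW - timedelta(minutes=1)},   # wrong OS, excluded
]


if __name__ == "__main__":
    plan, collisions = plan_proxies(SAMPLE_BEACONS, NOW)
    for bid, port in plan.items():
        print(f"{bid} -> socks5 127.0.0.1:{port}")
    print("collisions:", collisions)
```

The responder's reading of the same mechanics: on a compromised Linux host from this pipeline, a listening port in 10000-14999 owned by the beacon or by a Chisel process is a stable artifact of the deployment, independent of which C2 address the beacon talks to.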
IOCs tracked for this family
152 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
173 sources tracked across advisories, community write-ups, and news.
An open-source post-exploitation implant used to establish a foothold, execute remote commands, communicate with C2 infrastructure, and support movement through compromised networks.
Referenced as another known post-exploitation framework for comparison with AdaptixC2.
A backdoor found on an Interlock staging server.
Post-exploitation framework loaded in memory by a custom loader chain involving SFX archives, WinSW persistence, backupagnt.exe, and a Donut-generated DLL loader. Configured for mTLS C2 communications.