Monday, May 5, 2025
HomeCyber Security NewsThreat Actors Moving to Sliver Command-and-Control (C2) to Evade Detection

Threat Actors Moving to Sliver Command-and-Control (C2) to Evade Detection

Published on

SIEM as a Service

Follow Us on Google News

In favor of similar frameworks less familiar to threat actors, threat actors are ditching Cobalt Strike penetration testing. There has been a surge of interest recently in an open-source, cross-platform kit called Sliver that has emerged after Brute Ratel.

By analyzing the toolkit, its operation, and its components, hunting queries can be used to detect malicious activity involving Sliver. A number of nation-state threat actors have been adopting and integrating the Sliver C2 framework into their intrusion campaigns.

The Migration from Cobalt Strike

It has become increasingly popular in recent years for various threat actors to use Cobalt Strike as an attack tool against various kinds of systems.

- Advertisement - Google News

By using this toolkit, defenses have learned to detect and stop attacks based on the information they collect. The reason for this is to avoid detection by EDR and antivirus solutions, which is why hackers are trying other options.

Threat actors have found alternatives to the Cobalt Strike as a result of the stronger defenses that have been deployed against it. They went and switched over to Brute Ratel, a tool that simulates adversarial attacks with the aim of evading security products.

Microsoft tracks the adoption of Sliver by one group as DEV-0237. FIN12, as well as several other ransomware operators, have been implicated in the gang’s activities.

Several ransomware operators have distributed malware payloads from the gang in the past, including the following:-

  • BazarLoader
  • TrickBot

Threat Hunting

Although the Sliver framework is regarded as a novel threat, there are ways to detect malicious activity originating from it as well as from stealthier threats that cannot be detected by no means.

In order to identify Sliver and other emerging C2 frameworks, Microsoft provides defenders with a set of TTPs which are able to be used to identify them.

Microsoft also disclosed that the non-customized C2 codebase, which contains the official and non-modified code for detecting Sliver payloads, is useful for detecting such payloads.

There are also commands that can be used for process injection that threat hunters can look for. This can be achieved by using the following commands:-

  • migrate (command) – migrate into a remote process
  • spawndll (command) – load and run a reflective DLL in a remote process
  • sideload (command) – load and run a shared object (shared library/DLL) in a remote process
  • msf-inject (command) – inject a Metasploit Framework payload into a process
  • execute-assembly (command) – load and run a .NET assembly in a child process
  • getsystem (command) – spawn a new Sliver session as the NT AUTHORITY\SYSTEM user

At the moment the detection rule sets and hunting guidance are publicly available. In the case of customized variants, there is a possibility that Microsoft’s searches will be impacted by the use of customized variants.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...