Cybercrime Groups Increasingly Adopting Sliver Command-and-Control Framework

Nation-state threat actors are increasingly adopting and integrating the Sliver command-and-control (C2) framework in their intrusion campaigns as a replacement for Cobalt Strike.

"Given Cobalt Strike's popularity as an attack tool, defenses against it have also improved over time," Microsoft security experts said. "Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier for entry."

Sliver, first made public in late 2019 by cybersecurity company BishopFox, is a Go-based open source C2 platform that supports user-developed extensions, custom implant generation, and other commandeering options.

"A C2 framework usually includes a server that accepts connections from implants on a compromised system, and a client application that allows the C2 operators to interact with the implants and launch malicious commands," Microsoft said.

Besides facilitating long-term access to infected hosts, the cross-platform kit is also known to deliver stagers, which are payloads primarily intended to retrieve and launch a fully-featured backdoor on compromised systems.

Included among its users is a prolific ransomware-as-a-service (RaaS) affiliate tracked as DEV-0237 (aka