Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Sliver

118
Global rank
59 infographic chevron month
Month rank
65 infographic chevron week
Week rank
0
IOCs

Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.

C2 Framework
Type
Unknown
Origin
3 June, 2019
First seen
20 March, 2025
Last seen

How to analyze Sliver with ANY.RUN

C2 Framework
Type
Unknown
Origin
3 June, 2019
First seen
20 March, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
TI Lookup Named Best Threat Intelligence Serv...
watchers 180
comments 0
post image
Decoding a Malware Analyst: Essential Skills...
watchers 250
comments 0
post image
Expose Android Malware in Seconds: ANY.RUN Sa...
watchers 2782
comments 0

What is Sliver malware?

Sliver is an open-source command-and-control framework designed for adversary emulation and red teaming. First released in 2019 by Bishop Fox, it has been adopted by both security professionals and threat actors.

Malicious users leverage Sliver to establish control over compromised systems, facilitating activities such as data exfiltration, lateral movement, and deployment of additional malware.

Its distribution methods include phishing emails, malicious documents, drive-by downloads, and exploitation of vulnerabilities.

Key technical features encompass cross-platform compatibility, support for multiple communication protocols, and capabilities like process injection and token manipulation.

To see how Sliver operates inside a secure environment, you can use tools such as ANY.RUN’s sandbox.

Sliver C2 in ANY.RUN sandbox Sliver analyzed inside ANY.RUN sandbox

One of the standout features of Sliver C2 is its accessibility. Being open-source, it's easy to download and set up, with compatibility across major operating systems like MacOS, Windows, and Linux. This cross-platform nature ensures that users can implement Sliver C2 in a variety of environments.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Sliver malware technical details

Sliver malware generates implants, commonly referred to as ‘slivers’, which consist of malicious code designed for remote control of compromised devices.

When a sliver is successfully deployed on a target system, it facilitates a communication channel with the central C2 server. This connection is crucial, as it enables the operator to send commands and receive data from the compromised device.

Sliver C2 supports various protocols for managing these connections, including Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS.

Sliver’s primary functionalities include:

  • Creating malicious payloads tailored to specific operating systems, which are then delivered through various vectors such as phishing emails or malicious documents.
  • Once the target executes the payload, it establishes a connection back to the Sliver C2 server, granting the attacker control over the compromised system.
  • Communicates with the C2 server at predetermined intervals using encrypted channels, aiding in evading detection.
  • Performs post-exploitation activities, such as privilege escalation, establishing persistence mechanisms, lateral movement within the network, and credential harvesting.
  • Uses techniques such as log deletion, obfuscation. The use of memory-only payloads are employed to minimize forensic evidence and hinder detection.
  • May close the C2 connection, leave backdoors for future access, or pivot to new targets to repeat the attack cycle.

Sliver malware execution process

To see how Sliver operates, let’s upload its sample to the ANY.RUN sandbox.

The execution chain of Sliver typically follows these steps: Initial access vector involves payload generation by creating a malicious payload for the target OS, delivered via phishing, malicious documents, drive-by downloads, or vulnerability exploitation.

Payload execution occurs when the target runs the payload, establishing a foothold and connecting back to the Sliver C2 server.

Command and Control (C2) begins with the infected machine beaconing to the C2 server at set intervals, using encrypted channels to avoid detection.

Sliver Suricata in ANY.RUN sandbox Suricata rule triggered by Sliver inside ANY.RUN’s sandbox

Post-exploitation activities include privilege escalation using built-in or custom tools, persistence through registry modifications or scheduled tasks, lateral movement within the network, and credential harvesting.

Data collection and exfiltration involve identifying valuable data and transmitting it back to the attacker's infrastructure, often encrypted.

Covering tracks includes log deletion and anti-forensics techniques like obfuscation and memory-only payloads. The termination or pivoting phase involves closing the C2 connection or leaving backdoors for future access and potentially pivoting to new targets to repeat the execution chain.

Sliver malware distribution methods

Attackers distribute Sliver through various methods, including:

  • Phishing emails: Sending emails with malicious attachments or links that, when opened, execute the Sliver payload.
  • Malicious documents: Embedding macros or exploits within documents that, upon execution, deploy Sliver.
  • Drive-by downloads: Compromising websites to automatically download and execute Sliver when visited.

Gathering threat intelligence on Sliver malware

To obtain up-to-date intelligence on Sliver, utilize the Threat Intelligence Lookup service.

This platform gives you access to an extensive database enriched with data from countless malware analysis sessions executed in the ANY.RUN sandbox. With over 40 customizable search parameters at your disposal, you can efficiently uncover important information on various threats, including details such as IP addresses, domains, file names, and process artifacts.

Sliver TI Lookup in ANY.RUN sandbox TI Lookup reveals key threat context related to Sliver C2

For instance, to retrieve intelligence on Sliver, you can either search for its specific threat name or utilize related artifacts. By creating a query like threatName:"sliver" and destinationIP:"", the TI Lookup will provide you with all relevant samples and sandbox analyses associated with this particular malware.

Get a 14-day free trial of Threat Intelligence Lookup along with the ANY.RUN sandbox

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Sliver’s open-source nature and cross-platform compatibility further enhance its appeal to threat actors. To defend against such threats, it’s crucial to integrate advanced analysis tools that can proactively identify and mitigate suspicious activities.

ANY.RUN is an interactive malware analysis sandbox that enables real-time examination of suspicious files and URLs. Its user-friendly interface and comprehensive analysis capabilities allow security professionals to dissect malware behavior, understand its impact, and develop effective countermeasures.

Sign up for a free account with ANY.RUN to stay ahead of emerging threats like Sliver

HAVE A LOOK AT

DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More