More nation-state threat actors have been leveraging the Sliver command-and-control (C2) framework in place of Cobalt Strike in their cyberattacks, according to The Hacker News.
Improved defenses against the popular Cobalt Strike attack tool have prompted hackers to migrate to the lesser-known Sliver, a Go-based open-source C2 framework that supports custom implant generation and user-developed extensions, which in turn enables stealthier and more persistent campaigns, Microsoft researchers said.
DEV-0237, also known as FIN12, has been one of the most prolific users of the Sliver framework. Sliver can also be used to deliver stagers, small first-stage payloads that fetch and execute the full backdoor on systems that have already been compromised.
Other threat actors have also been delivering Sliver and other post-exploitation tooling through the Bumblebee loader, also tracked as COLDTRAIN, the researchers added.
"Sliver and many other C2 frameworks are yet another example of how threat actors are continually attempting to evade automated security detections," said Microsoft.