More threat actors have been leveraging the Sliver command-and-control framework as a Cobalt Strike and Metasploit alternative, reports The Hacker News. Developed by Bishop Fox, Sliver features various adversary simulation capabilities, including in-memory payload execution, dynamic code generation, and process injection, and has been leveraged in facilitating second-stage attacks in spear-phishing campaigns, a Cybereason report showed. Threat actors could use Sliver for privilege escalation prior to credential theft and lateral movement, and eventually data exfiltration activities, said the report. "Sliver C2 implant is executed on the workstation as stage two payload, and from [the] Sliver C2 server we get a shell session. This session provides multiple methods to execute commands and other scripts or binaries," said Cybereason researchers Meroujan Antonyan and Loic Castel said. Some threat actors that have used Sliver include Russian cybercrime operation APT29, also known as CozyBear, and cybercrime operations Exotic Lily, also known as Projector Libra, and Shathak, also known as TA551.