Exploiting a Windows Device Through an Alternative to Cobalt Strike Called Sliver

Security analysts at AhnLab Security Emergency Response Center have detected a new hacking campaign that takes advantage of Windows BYOVD attacks to disable security software and deploy the post-exploitation toolkit Sliver. Sliver is an alternative to Cobalt Strike created by Bishop Fox and has been used by malicious actors for some time. It can be used to open reverse shells on compromised devices, install payloads, and execute commands with kernel-level privileges. The campaign was targeting two 2022 vulnerabilities in Sunlogin, a remote control software developed by Chinese developers. The attackers used PoC exploits available on the internet to exploit these vulnerabilities. The malicious code was loaded into memory and a portable executable was decoded. Mhyprot2DrvControl, an open-source tool, was used to gain access to the Windows kernel privileges and terminate security processes. Powercat was then downloaded from an external source and a reverse shell was created to connect to the C2 server. In some cases, the Sliver implant was installed on the system. Microsoft has recommended a few mitigations to protect against these attacks.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 08 Feb 2023 07:43:02 +0000


Cyber News related to Exploiting a Windows Device Through an Alternative to Cobalt Strike Called Sliver

Hackers Gaining Unauthorized Access to Windows Devices Through Silver and BYOVD Exploits - Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed ...
2 years ago Heimdalsecurity.com
PyPi package backdoors Macs using the Sliver pen-testing suite - A new package mimicked the popular 'requests' library on the Python Package Index to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks. Discovered by Phylum, the campaign involves ...
1 year ago Bleepingcomputer.com
Malicious use of Cobalt Strike down 80% after crackdown, Fortra says | The Record from Recorded Future News - Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC) and Fortra, which bought Cobalt Strike in 2020, have worked since 2023 to address the longstanding issue of pirated and unlicensed versions of the software being downloaded ...
7 months ago Therecord.media
International Operation Takes Down 593 Malicious Cobalt Strike Servers - Law enforcement agencies from around the world have successfully shut down 593 rogue servers running unauthorized versions of Cobalt Strike, a tool often misused by cybercriminals. Cobalt Strike, developed in 2012 by Raphael Mudge and now owned by ...
1 year ago Cybersecuritynews.com
Cybercriminals Take Advantage of Weaknesses in Sunlogin to Install Sliver Command and Control System - Cybercriminals are taking advantage of known weaknesses in Sunlogin software to deploy the Sliver command-and-control framework for post-exploitation activities. This was discovered by AhnLab Security Emergency response Center, which found that ...
2 years ago Thehackernews.com
Identifying Misuse of Cobalt Strike Systems - Google Cloud recently identified 34 cracked versions of Cobalt Strike and released YARA Rules to detect them. The goal is to make it harder for malicious actors to abuse the tool. IronNet believes that a proactive approach to Cobalt Strike server ...
2 years ago Ironnet.com
Exploiting a Windows Device Through an Alternative to Cobalt Strike Called Sliver - Security analysts at AhnLab Security Emergency Response Center have detected a new hacking campaign that takes advantage of Windows BYOVD attacks to disable security software and deploy the post-exploitation toolkit Sliver. Sliver is an alternative ...
2 years ago Cybersecuritynews.com
Sliver Framework Customized to Boost Evasion & Bypass EDR Detections - When tested against Elastic EDR and Windows Defender, these customized Sliver implants successfully evaded detection both on disk and in memory, demonstrating how minor modifications to open-source offensive tools can significantly challenge modern ...
6 months ago Cybersecuritynews.com Cloak
Europol Announces Crackdown on Cobalt Strike Servers Used by Cybercriminals - European law enforcement agency Europol on Wednesday announced a global crackdown against the use of legitimate security tools by cybercriminals, including the takedown of nearly 600 Cobalt Strike servers linked to criminal activity. The agency said ...
1 year ago Securityweek.com
Chinese State-Sponsored Hackers Attacking Semiconductor Industry with Weaponized Cobalt Strike - A sophisticated Chinese state-sponsored cyber espionage campaign has emerged targeting Taiwan’s critical semiconductor industry, employing weaponized Cobalt Strike beacons and advanced social engineering tactics. The campaign represents a ...
2 months ago Cybersecuritynews.com
Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over - Takedown of malware infrastructure by law enforcement has proven to have an impact, albeit limited, on cybercriminal activity, according to threat intelligence provider Recorded Future. The Emotet takedown, led by Europol and Eurojust in 2021. The ...
1 year ago Infosecurity-magazine.com
Hackers Abuse Cobalt Strike, SQLMap & Other Tools to Target Organizations' Web Applications - These attacks specifically utilize Cobalt Strike, a legitimate adversary simulation tool designed for security professionals, and SQLMap, an open-source utility that automates the detection and exploitation of SQL injection vulnerabilities. The ...
6 months ago Cybersecuritynews.com
SQL Brute Force leads to Bluesky Ransomware - In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware. While other reports point to malware ...
1 year ago Thedfirreport.com CVE-2023-27350 BianLian
Threat Actors Turn To SLIVER As Open Source Malware Toolkit - A new open source malware toolkit, called SLIVER, is being used by threat actors to create and spread malicious programs. SLIVER is a modularized, open-source malware framework that allows users to easily build and deploy malicious Visual Basic ...
2 years ago Thehackernews.com
Nitrogen Ransomware Actors Attacking Organization With Cobalt Strike & Erases Log Data - The discovered Cobalt Strike watermark 678358251 has been previously associated with multiple threat actors, including the Black Basta ransomware group, highlighting how attack tools are frequently reused across different criminal operations. Their ...
5 months ago Cybersecuritynews.com Black Basta
Illegal Access to Windows Computers Through Silver and Bring Your Own Device Vulnerabilities - A recent hacking campaign has been exploiting vulnerabilities in Sunlogin, a remote-control software, to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software. ...
2 years ago Bleepingcomputer.com
Threat Actors Exploiting Ivanti Connect Secure Vulnerabilities to Deploy Cobalt Strike Beacon - The ongoing attacks demonstrate advanced persistent threat techniques, deploying multiple malware families including MDifyLoader, Cobalt Strike Beacon, vshell, and Fscan to establish long-term access to compromised networks. Following initial ...
2 months ago Cybersecuritynews.com CVE-2025-0282
SharePoint 0-day Vulnerability Exploited in Wild by All Sorts of Hacker Groups - File Indicators of Compromise (IoCs) SHA-1FilenameDetectionDescriptionF5B60A8EAD96703080E73A1F79C3E70FF44DF271spinstall0.aspxMSIL/Webshell.JSWebshell deployed via SharePoint vulnerabilities Network Indicators of Compromise (IoCs) IP ...
2 months ago Cybersecuritynews.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
Water Curupira Hackers Launch Pikabot Malware Attack Windows - Pikabot is a loader malware that is active in spam campaigns and has been used by the threat group Water Curupira, which has been paused from June to September 2023 after Qakbot's takedown. The surge in Pikabot phishing campaigns was noted recently ...
1 year ago Gbhackers.com Black Basta
Sliver C2 Server Vulnerability Let Attackers Open a TCP connection to Read Traffic - A critical server-side request forgery (SSRF) vulnerability (CVE-2025-27090) has been identified in the Sliver C2 framework’s teamserver implementation, enabling attackers to establish unauthorized TCP connections through vulnerable servers. ...
7 months ago Cybersecuritynews.com CVE-2025-27090
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity - By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims. After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity ...
1 year ago Thedfirreport.com
CVE-2022-39197 - An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike ...
3 years ago
New Hacker Group Uses SQL Injection to Hack Companies - A new threat actor has been discovered to be using SQL injection attacks to gain unauthorized access to organizations in the APAC region. Among the 20, the threat actor successfully infiltrated six organizations with the legacy SQL injection attack. ...
1 year ago Cybersecuritynews.com
Researchers Uncovered SuperShell Payloads & Multiple Tools From Hacker’s Open Directories - The Cobalt Strike beacon, found in a file named ‘test’, utilized different infrastructure than the SuperShell components, connecting to a server disguised with a certificate claiming to represent “jquery.com” with organization ...
5 months ago Cybersecuritynews.com

Cyber Trends (last 7 days)