We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Trojan:Win64/Sliver.D
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
Sliver is an open-source cross-platform C2 framework written in Golang and designed for organizations to perform security testing.
Public reporting identified initial early campaigns in 2021 leveraging the Sliver framework, beginning with Russian state-sponsored threat actors incorporating Sliver into WellMess and WellMail malware campaigns. Later in 2021, Sliver was identified in intrusions facilitated by threat groups like TA551 (which Microsoft tracks under DEV-0365) and DEV-0249, both of which are distributors of first stage phishing payloads that often lead to human-operated ransomware intrusions. The prolific ransomware as service (RaaS) affiliate DEV-0237 also incorporated Sliver into intrusions beginning in 2021. As a result, Microsoft assesses that the framework has become an attractive option among threat actors for its lack of upfront cost, customization possibilities, and the relatively low technical skills needed to adopt and use it.
Microsoft Defender Experts have recently published analysis of the C2 framework along with advanced hunting queries and methodology that can help to surface Sliver and other C2 frameworks. Microsoft detections for Sliver implants and related activity include ALF:Trojan:Win32/Sliver.A,ALF:Trojan:Win32/SliverServer.A, and VirTool:Win64/Splinter.A. Organizations can also protect themselves from ransomware-related attacks by turning on Attack Surface Reduction rules.
