Keypoints
- Sliver is a cross-platform command-and-control framework developed by Bishop Fox for adversary emulation and red teaming.
- Both criminal groups and nation-state actors have adopted Sliver as a stealthy alternative to tools like Cobalt Strike.
- Sliver’s capabilities include encrypted communications, modular payloads, and flexible deployment options that complicate detection.
- Threat actors have used Sliver in supply chain compromises and to deploy ransomware families such as Play and BlackCat.
- Ligolo-ng is a preferred tunneling tool for penetration testers that provides easy, cross-platform access to internal networks.
- Analysts identified specific infrastructure—IP addresses and a domain—linked to Sliver and Ligolo-ng operations, plus a suspicious ELF file named “cloud.”
- Operators use TLS certificates and port configuration choices to obscure their infrastructure and mimic legitimate traffic.
MITRE Techniques
- [T1071] Application Layer Protocol – Sliver uses multiple C2 domains and protocols to maintain communications with compromised systems (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
- [T1195] Supply Chain Compromise – Actors have leveraged trusted vendors or supply-chain vectors to distribute Sliver-based tooling (‘Involves compromising a trusted software vendor to distribute malicious software.’)
- [T1219] Remote Services – Tools like Sliver and Ligolo-ng provide remote access and tunneling into internal networks (‘Uses tools like Sliver and Ligolo-ng for remote access to internal networks.’)
- [T1003] Credential Dumping – Operators attempt to extract credentials from systems to escalate and move laterally (‘Attempts to gather credentials from compromised systems to facilitate further access.’)
Indicators of Compromise
- [IP Address] C2/infrastructure – 179.60.149[.]75, 179.60.149[.]4
- [Domain] Hostname used in campaigns – ycombinator.serveblog[.]net
- [File Name] Malicious ELF implant – cloud
- [File Hash] Confirmed malicious binary – c8b524ca90adea19d920beb5cc6bd86dd03b23b0b2c61675cef9d6c0446aea84
————
Sliver has become a go-to C2 framework for both red teams and malicious operators because it combines cross-platform compatibility, encrypted communications, and a modular payload architecture that adapts to different operational needs. Its flexibility and ability to blend into legitimate network traffic make detection difficult, and defenders have seen it repurposed beyond testing into real-world supply-chain intrusions and ransomware deployments such as Play and BlackCat.
Complementing Sliver, Ligolo-ng provides a lightweight, cross-platform tunneling capability that attackers and testers alike use to pivot into internal networks securely. The analysis highlights how operators lean on TLS certificates and non-standard port configurations to hide C2 endpoints and traffic patterns, further complicating network-based detections.
The research also maps concrete infrastructure tied to these operations: two IPs, a domain associated with campaign hosting, and an ELF file named “cloud” flagged as a Sliver implant, with the listed file hash available for detection and hunting. Together, these details give defenders actionable IOCs and underscore the importance of telemetry that can spot encrypted, protocol-mimicking C2 behaviors.
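As an added defender's example (not code from the Hunt.io report), the following Python script refangs the IOCs listed above, matches them against constructed JSON connection and file events, and flags TLS on ports outside an assumed allow-list as a triage hint for the non-standard port configurations described above; the log field names and the expected-port set are assumptions.

```python
import json

# IOCs as published on the page (defanged); refanged below for matching.
IOC_IPS = {"179.60.149[.]75", "179.60.149[.]4"}
IOC_DOMAINS = {"ycombinator.serveblog[.]net"}
IOC_SHA256 = {"c8b524ca90adea19d920beb5cc6bd86dd03b23b0b2c61675cef9d6c0446aea84"}
# Assumption: ports where TLS is expected in this environment. TLS elsewhere
# is only a weak hint and is reported for triage, not as a verdict.
EXPECTED_TLS_PORTS = {443, 8443}

# Undo the "[.]" defanging so published IOCs compare equal to raw telemetry.
C2_IPS = {ip.replace("[.]", ".") for ip in IOC_IPS}
C2_DOMAINS = {d.replace("[.]", ".") for d in IOC_DOMAINS}

def assess_event(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list means clean)."""
    reasons = []
    dst = event.get("dst_ip", "")
    if dst in C2_IPS:
        reasons.append(f"dst_ip {dst} matches published C2 IP")
    sni = event.get("sni", "").lower().rstrip(".")
    if sni and (sni in C2_DOMAINS or any(sni.endswith("." + d) for d in C2_DOMAINS)):
        reasons.append(f"SNI {sni} matches published campaign domain")
    if event.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("file hash matches published ELF implant 'cloud'")
    port = event.get("dst_port")
    if event.get("protocol") == "tls" and port not in EXPECTED_TLS_PORTS:
        reasons.append(f"TLS on non-standard port {port}")
    return reasons

def hunt(lines: list[str]) -> dict[str, list[str]]:
    """Run the checks over JSON log lines and key the hits by event uid."""
    hits = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        reasons = assess_event(event)
        if reasons:
            hits[event.get("uid", "?")] = reasons
    return hits

# Constructed sample telemetry (not from the report): two hits, one clean.
SAMPLE_LOGS = [
    '{"uid":"c1","dst_ip":"179.60.149.75","dst_port":8888,"protocol":"tls","sni":""}',
    '{"uid":"c2","dst_ip":"10.0.0.5","dst_port":443,"protocol":"tls","sni":"ycombinator.serveblog.net"}',
    '{"uid":"c3","dst_ip":"10.0.0.9","dst_port":443,"protocol":"tls","sni":"example.com"}',
]
```

Feed real Zeek or EDR exports through `hunt()` after mapping their fields to the assumed schema; the port heuristic will need tuning per environment.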
————
Read more: https://hunt.io/blog/sliver-c2-ligolo-ng-targeting-yc