After Nation-State Hackers, Cybercriminals Also Add Sliver Pentest Tool to Arsenal

The cybercriminal group tracked as TA551 recently showed a significant change in tactics with the addition of the open-source pentest tool Sliver to its arsenal, according to cybersecurity firm Proofpoint.

Also referred to as Shathak, TA551 is an initial access broker known for distributing malware through thread hijacking: the adversary takes over compromised email accounts or uses stolen messages, then sends replies into existing conversations so that the lure arrives from a known correspondent inside an ongoing thread.

Previously, the cybercrime group was observed delivering malware such as Emotet, IcedID, Qbot, and Ursnif, as well as providing ransomware operators with access to the compromised systems.

Earlier this week, Proofpoint noticed that the adversary started sending out emails posing as replies to previous conversations, carrying as attachments Word documents wrapped in password-protected archives, a wrapper that keeps automated scanners from inspecting the document inside.

These attachments, Proofpoint says, ultimately led to the deployment of the Sliver framework, an open-source red teaming tool for adversary simulation. The tool, developed by offensive security assessment firm Bishop Fox, provides command and control (C&C) functionality, process injection and information harvesting capabilities, and more, and is available for free.

According to Brad Duncan, security researcher and handler at the SANS Institute’s Internet Storm Center, just as Proofpoint raised the alarm on TA551’s shift in tactics, Sliver-based malware started being delivered as part of a malicious email campaign he has been tracking for months.

Named “Stolen Images Evidence”, the campaign uses emails generated by submitting contact forms on various websites, “describing a copyright violation to the intended victim,” Duncan explains. A Google-based URL in the message body claims to offer proof of the stolen images behind the alleged violation.

The URL serves a zip archive containing a JavaScript file to the victim’s web browser; when run, the script has fetched malware such as BazarLoader, Gozi/ISFB/Ursnif, and IcedID (Bokbot). Starting Wednesday, October 20, the same chain began delivering Sliver-based malware instead, Duncan says.
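The two delivery chains described above (Word documents inside password-protected archives, and zip archives carrying a JavaScript file) share a property that a mail gateway or triage script can check without ever opening the document: the archive's member list and its encryption flag. The following is an added example, not code from Proofpoint, SANS ISC, Bishop Fox or any other party named in this article. The archives it inspects are constructed in memory and labelled as such; because the Python standard library cannot write password-protected zips, the constructed "TA551-style" sample sets the ZIP encryption flag by hand, which is the same bit a genuinely password-protected archive carries.

```python
"""Attachment triage for the two lure shapes discussed in the article.

Added illustration, not Proofpoint's, SANS ISC's or Bishop Fox's code.
Only archive metadata is inspected; no member is ever extracted.
"""
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Extensions standing in for "Word document" and "JavaScript file" (assumption).
OFFICE_EXT = {".doc", ".docm", ".docx", ".dotm"}
SCRIPT_EXT = {".js", ".jse", ".wsf"}
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 in the ZIP specification


def triage_zip(data: bytes) -> set[str]:
    """Return finding tags for one archive based on headers alone."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"not-a-zip"}
    findings: set[str] = set()
    with zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            if member.flag_bits & ZIP_FLAG_ENCRYPTED:
                findings.add("encrypted-member")
            ext = PurePosixPath(member.filename.lower()).suffix
            if ext in OFFICE_EXT:
                findings.add("office-document")
            elif ext in SCRIPT_EXT:
                findings.add("script-file")
    return findings


def is_lure(data: bytes) -> bool:
    """Match either pattern: an encrypted archive wrapping an Office document
    (TA551 style), or any archive that carries a script file (Stolen Images
    Evidence style). An encrypted archive around a PDF alone does not match."""
    f = triage_zip(data)
    return ({"encrypted-member", "office-document"} <= f) or "script-file" in f


# --- constructed samples, not real lures ------------------------------------

def build_zip(name: str, content: bytes) -> bytes:
    """Build a one-member, uncompressed zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Set the 'encrypted' flag in every local (offset 6) and central
    directory (offset 8) file header. The stdlib cannot write password-
    protected zips, so the sample fakes the flag; real lures carry it."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            (flags,) = struct.unpack_from("<H", buf, i + off)
            struct.pack_into("<H", buf, i + off, flags | ZIP_FLAG_ENCRYPTED)
            i = buf.find(sig, i + 4)
    return bytes(buf)


SAMPLE_TA551 = mark_encrypted(build_zip("reply_invoice.doc", b"constructed placeholder, not a document"))
SAMPLE_STOLEN_IMAGES = build_zip("Stolen Images Evidence.js", b"// constructed placeholder")
SAMPLE_ENCRYPTED_PDF = mark_encrypted(build_zip("report.pdf", b"%PDF-1.4 constructed placeholder"))
SAMPLE_BENIGN = build_zip("report.pdf", b"%PDF-1.4 constructed placeholder")

if __name__ == "__main__":
    for label, sample in [("TA551-style", SAMPLE_TA551),
                          ("Stolen-Images-style", SAMPLE_STOLEN_IMAGES),
                          ("encrypted PDF", SAMPLE_ENCRYPTED_PDF),
                          ("benign", SAMPLE_BENIGN)]:
        print(f"{label:20} {sorted(triage_zip(sample))} lure={is_lure(sample)}")
```

The check is deliberately content-blind: a password-protected archive cannot be scanned, but its central directory still reveals the member names and the encryption bit, which is exactly the information the lure cannot hide. Treat a hit as a triage signal for sandboxing or quarantine rather than a verdict; the encrypted-PDF sample shows why encryption alone is not enough.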

The adoption of Sliver by cybercriminals comes just a few months after government agencies in the U.S. and the U.K. warned that Russian state-sponsored cyberspy group APT29 (aka the Dukes, Cozy Bear and Yttrium) added the pentest framework to their arsenal.

The move, however, is not surprising: security researchers have long warned of the blurred line between nation-state and cybercriminal activity, with each side adopting the other's tooling and tactics, partly to complicate attribution, and some groups engaging in both types of operations.

According to Proofpoint, the use of red teaming tools among cybercriminals is becoming increasingly popular, with Cobalt Strike registering a 161% surge in threat actor use between 2019 and 2020. Cybercriminals are also using offensive frameworks such as Lemon Tree and Veil.

“TA551’s use of Sliver demonstrates considerable actor flexibility. […] With Sliver, TA551 actors can gain direct access and interact with victims immediately, with more direct capabilities for execution, persistence, and lateral movement. This potentially removes the reliance on secondary access,” Proofpoint notes.

Written by Ionut Arghire, international correspondent for SecurityWeek.
