#Sliver

Open-source C2 framework by BishopFox, increasingly abused as a Cobalt Strike alternative




IOCs by window

  • Today: 0 IOCs tagged #Sliver
  • Week: 0 IOCs tagged #Sliver
  • Month: 4 IOCs tagged #Sliver
  • Year: 1,809 IOCs tagged #Sliver

Counts as of 2026-04-29. Regenerated daily.

About #Sliver

  • Type: open-source cross-platform C2 framework written in Go, maintained by BishopFox. Supports HTTP(S), DNS, mTLS and WireGuard transports, multi-operator collaboration, dynamic shellcode generation and stagers comparable to Cobalt Strike.
  • Abuse pattern: increasingly used in real-world intrusions as a Cobalt Strike alternative, both by APTs (e.g., APT29-aligned tooling) and ransomware affiliates. Its free, open-source nature lowers the barrier to entry.
  • Detection signals: default mTLS certificates, distinctive Go-compiled implant artefacts, JA3 / JA4 fingerprints for HTTPS listeners, DNS C2 patterns when DNS transport is used, and YARA on Go runtime + symbol patterns.
  • References: MITRE ATT&CK S1056 · BishopFox/sliver on GitHub.

Recent IOCs tagged #Sliver

Latest 4 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/sliver.

| Date | Type | Value | Source |
|---|---|---|---|
| Apr 22, 07:16 | url | https://urlhaus.abuse.ch/host/83.142.209.13/ | @BlinkzSec |
| Apr 22, 07:16 | ip | 83.142.209.13 | @BlinkzSec |
| Apr 22, 07:16 | sha256 | 35204d0ba3485eb4f0f8104a218e71526d152679f97e65ac878ffb2552f4... | @BlinkzSec |
| Apr 22, 07:16 | sha256 | b0e328a131e4d679e9b268552db99ca2d46051b9205a67f9b7f7c1628983... | @BlinkzSec |

Past-month volume is low; the year aggregate (1,809) reflects historical activity. For a longer window, query api.tweetfeed.live/v1/year/sliver.


Frequently asked questions

What is Sliver?

Sliver is an open-source cross-platform C2 framework written in Go and maintained by BishopFox. It supports HTTP(S), DNS, mTLS and WireGuard transports, multi-operator collaboration, dynamic shellcode generation and stagers - capabilities comparable to commercial frameworks like Cobalt Strike. MITRE ATT&CK tracks it as S1056.

Is Sliver legitimate or malicious?

Sliver is a legitimate red-team tool and open-source security research framework. The IOCs on this page reflect real-world intrusions where researchers observed Sliver implants or listeners being used against production targets - often by APT-aligned actors or ransomware affiliates - not the upstream tool itself. Vendor licensing is not asserted; the IOCs are observed-in-the-wild, not pre-emptive blocklists.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Sliver-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Sliver subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Sliver IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).