A new campaign, dubbed Stolen Images Evidence, has been discovered using a red-teaming toolkit and adversary simulation framework named Sliver to target its victims. A threat group identified as TA551 is believed to be behind the recent campaign.

What has happened?

The TA551 group, active since 2016, is known for abusing compromised email accounts or stolen messages in its attacks. However, a shift from its earlier tactics has been observed, as it has now started using this red-teaming tool.
  • In this campaign, the group sends malicious emails carrying password-protected archive attachments that purport to be replies to earlier conversations.
  • The email accuses the victim of a so-called copyright violation. A Google-based URL found in the message body supposedly offers proof of stolen images leading to a copyright violation.
  • The attachment is a zip archive containing a JavaScript file that usually delivers Gozi/ISFB/Ursnif, BazarLoader, and IcedID.

About the Sliver tool

Sliver, developed by the cybersecurity company Bishop Fox, is an open-source adversary simulation tool.
  • It can be used as a C2 center that enables information harvesting and process injection.
  • Additionally, this tool allows attackers to gain direct access to victims and interact with them quickly. Sliver features multiple capabilities such as persistence, lateral movement, and execution.
  • Experts revealed that the attackers have been using this technique since October 20.

More actors use red team tools

According to Proofpoint, the use of red-teaming tools among cybercriminals is becoming normal: Cobalt Strike use by threat actors registered a massive 161% increase between 2019 and 2020.
  • Additionally, the use of other offensive frameworks (Lemon Tree and Veil) has witnessed a surge.
  • According to a report published in May, APT29 was also seen using the Sliver pentest framework.


The use of open-source pentest tools such as Sliver is becoming more popular among cybercriminals. TA551 and APT29 are among the known threat actors using the Sliver framework, and this trend may be followed by others as well.

Cyware Publisher