Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
ID: 8b8f5251-d5a4-57ba-8df5-a25370222618
STIX ID: report--8b8f5251-d5a4-57ba-8df5-a25370222618
Feed Name: Hunt.io Blog
This intelligence report details the discovery and analysis of a small malicious infrastructure cluster that uses the Sliver C2 framework together with Ligolo-ng for tunneling and pivoting: two HOSTKEY-hosted IPs (179.60.149.75 and 179.60.149.4) running Sliver and Ligolo-ng, a spoofed ycombinator.serveblog.net domain that redirects to the legitimate site, a Sliver ELF implant (SHA-256: c8b524ca90adea19d920beb5cc6bd86dd03b23b0b2c61675cef9d6c0446aea84) observed contacting the C2 over HTTPS, and TLS certificate patterns (including 'localhost' and random organization fields) used to link and cluster related infrastructure. The report highlights the detection challenges posed by Sliver's configurability and notes prior use of Sliver in ransomware-related campaigns.
