Cybersecurity researchers have sounded the alarm over the emergence of a newly developed post-exploitation tool, dubbed Splinter, actively circulating in the wild.
The discovery came from Palo Alto Networks’ Unit 42 team, which identified Splinter on the systems of several clients during their investigations.
“This tool bears the hallmark features typically seen in penetration testing tools, but what’s noteworthy is that its creator built it using the Rust programming language,” noted Dominik Reichel from Unit 42. “While Splinter may not match the sophistication of more renowned post-exploitation frameworks such as Cobalt Strike, it nonetheless poses a significant risk to organizations when leveraged maliciously.”
Penetration testing tools are widely employed in red team exercises to identify security flaws within an organization’s network infrastructure. However, these same tools can be co-opted by cybercriminals and turned against the very organizations they were designed to help protect.
Despite its detection on client systems, Unit 42 has not yet linked Splinter to any known threat actor activity. Furthermore, the origins of the tool remain shrouded in mystery, with no concrete information regarding its developer.
Among the most distinctive traits uncovered by Unit 42’s research is the “massive size” of the Splinter artifacts, which weigh in at approximately 7 MB. This bulk can largely be attributed to the inclusion of 61 Rust crates within its architecture.
Like many other post-exploitation frameworks, Splinter employs a configuration file that stores details about its command-and-control (C2) server. The tool parses this data to establish a secure connection to the server using HTTPS.
“Splinter’s implants operate using a task-based framework, a characteristic feature of post-exploitation systems,” explained Reichel. “It receives instructions from the C2 server designated by the attacker.”
Some of the tool’s functionalities include executing Windows commands, performing remote process injections, uploading and downloading files, harvesting cloud account credentials, and even self-deleting from compromised systems.
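As an added, defender-side example (not from Unit 42’s report and not Splinter’s own code), the following Python script shows one way to triage a suspicious binary for the two traits the report highlights: construction in Rust and an unusually large number of bundled crates. It assumes that rustc leaves Cargo registry source paths and standard-library paths inside the binary, which is common in release builds but not guaranteed; the size and crate-count thresholds, the function names and the constructed sample data are all assumptions made here, not indicators published by Unit 42.

```python
import re
import sys
from typing import Dict

# Cargo registry source paths that rustc often embeds for panic/debug info,
# e.g. ".cargo/registry/src/<index>/serde-1.0.197/src/lib.rs".
# Assumption: the binary was not stripped of these strings.
CRATE_PATH_RE = re.compile(
    rb"\.cargo[/\\]registry[/\\]src[/\\][^/\\]+[/\\]"
    rb"([A-Za-z0-9_][A-Za-z0-9_-]*)-(\d+\.\d+\.\d+[^/\\]*)[/\\]"
)

# Standard-library path fragments that also point to a Rust toolchain build.
RUST_STD_MARKERS = (b"/rustc/", b"library/std/src/", b"library/core/src/")

# Thresholds chosen here for illustration; the report mentions ~7 MB and
# 61 crates for Splinter, so these sit somewhat below that.
SIZE_THRESHOLD = 5 * 1024 * 1024
CRATE_THRESHOLD = 40


def extract_crates(data: bytes) -> Dict[str, str]:
    """Return {crate_name: first_seen_version} for every Cargo path found."""
    crates: Dict[str, str] = {}
    for match in CRATE_PATH_RE.finditer(data):
        name = match.group(1).decode("ascii", "replace")
        version = match.group(2).decode("ascii", "replace")
        crates.setdefault(name, version)
    return crates


def triage(data: bytes) -> dict:
    """Score a binary on Rust provenance, crate count and size.

    The result is a triage hint for an analyst, not a malware verdict:
    plenty of legitimate Rust programs are large and pull in many crates.
    """
    crates = extract_crates(data)
    has_std_markers = any(marker in data for marker in RUST_STD_MARKERS)
    rust_indicators = has_std_markers or bool(crates)
    size = len(data)

    reasons = []
    if rust_indicators:
        reasons.append("rust toolchain strings present")
    if len(crates) >= CRATE_THRESHOLD:
        reasons.append(f"{len(crates)} distinct crates (>= {CRATE_THRESHOLD})")
    if size >= SIZE_THRESHOLD:
        reasons.append(f"{size} bytes (>= {SIZE_THRESHOLD})")

    flagged = rust_indicators and len(crates) >= CRATE_THRESHOLD and size >= SIZE_THRESHOLD
    return {
        "size": size,
        "rust_indicators": rust_indicators,
        "crate_count": len(crates),
        "crates": dict(sorted(crates.items())),
        "flagged": flagged,
        "reasons": reasons,
    }


def scan_file(path: str) -> dict:
    """Read a file from disk and triage it."""
    with open(path, "rb") as handle:
        return triage(handle.read())


def build_constructed_sample(crate_count: int, pad_to: int) -> bytes:
    """Constructed stand-in for a binary: fake Cargo paths plus zero padding.

    The index hash and crate names are placeholders, not real artifacts.
    """
    parts = [b"/rustc/PLACEHOLDER_COMMIT_HASH/library/std/src/panicking.rs"]
    for i in range(crate_count):
        parts.append(
            b"/build/.cargo/registry/src/index.crates.io-PLACEHOLDER/"
            + f"fakecrate{i}-0.{i}.1/src/lib.rs".encode()
        )
    blob = b"\x00".join(parts)
    return blob + b"\x00" * max(0, pad_to - len(blob))


if __name__ == "__main__":
    # Usage: python triage_rust_binary.py <file> [<file> ...]
    # With no arguments, run against a constructed sample instead.
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            print(target, scan_file(target))
    else:
        print(triage(build_constructed_sample(61, 7 * 1024 * 1024)))
```

The crate list is often more useful than the flag itself: a long list of networking, compression and injection-adjacent crates in an unsigned 7 MB executable found outside an engagement window is the kind of detail that separates a red team drop from a legitimate Rust application, and it gives the analyst strings to pivot on across the estate.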
“The growing diversity of such tools highlights the critical need for continuous updates in defensive and detection strategies, as cybercriminals are always keen to adopt new methods that improve their ability to compromise targets,” added Reichel.
This revelation comes hot on the heels of another report by cybersecurity firm Deep Instinct, which recently disclosed two novel attack techniques designed to facilitate stealthy code injection and privilege escalation. The methods exploit Microsoft Office’s RPC interface and make insidious use of a malicious shim.
“We applied the malicious shim to a process without registering an SDB file on the system,” explained researchers Ron Ben-Yizhak and David Shandalov. “This allowed us to sidestep endpoint detection and response (EDR) by injecting a target DLL into a child process before any EDR hooks could be established.”
Back in July 2024, security researchers at Check Point spotlighted a new process injection technique they have coined Thread Name-Calling. This method leverages an API for thread descriptions to embed shellcode into an active process, all while eluding endpoint protection measures.
“As new APIs become available within the Windows environment, they open up fresh possibilities for novel injection tactics,” explained Aleksandra “Hasherezade” Doniec, a leading security researcher. “Thread Name-Calling utilizes some of these newer APIs, but it can’t completely escape the need to incorporate older, well-known components such as APC injections. These are APIs that should always be viewed with suspicion due to their potential for abuse. Similarly, tampering with access rights in a remote process remains a concerning indicator of malicious activity.”