Software

Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.[1][2]

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[1][2]

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[3]

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]

SnappyTCP is a web shell used by Sea Turtle between 2021 and 2023 against multiple victims. SnappyTCP appears to be based on a public GitHub project that has since been removed from the code-sharing site. SnappyTCP includes a simple reverse TCP shell for Linux and Unix environments with basic command and control capabilities.[1]

Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[1][2]

SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[1][2][3][4]

Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies. [1]

SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.[1]

Solar is a C#/.NET backdoor that was used by OilRig during the Outer Space campaign to download, execute, and exfiltrate files.[1]

SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.[1][2][3]

SoreFang is first stage downloader used by APT29 for exfiltration and to load other malware.[1][2]

Spark is a Windows backdoor and has been in use since as early as 2017.[1]

SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [1]

Spica is a custom backdoor written in Rust that has been used by Star Blizzard since at least 2023.[1]

SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least 2018.[1]

SplatCloak is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to aid in evading detection. SplatCloak has been deployed by SplatDropper and is known to be leveraged by Mustang Panda since 2025.[1]

SplatDropper is a loader that utilizes native windows API to deliver its payload to the victim environment. SplatDropper has been delivered through RAR archives and used legitimate executable for DLL side-loading. SplatDropper is known to be leveraged by Mustang Panda and was first observed utilized in 2025.

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

SpyDealer is Android malware that exfiltrates sensitive data from Android devices. [1]

SpyNote RAT (Remote Access Trojan) is a family of malicious Android apps. The SpyNote RAT builder tool can be used to develop malicious apps with the malware's functionality. [1]

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[1][2]

SslMM is a full-featured backdoor used by Naikon that has multiple variants. [1]

StarProxy is custom malware used by Mustang Panda as a post-compromise tool, to enable proxying of traffic between the infected machine and other machines on the same network. [1]

Starloader is a loader component that has been observed loading Felismus and associated tools. [1]

StealBit is a data exfiltration tool that is developed and maintained by the operators of the the LockBit Ransomware-as-a-Service (RaaS) and offered to affiliates to exfiltrate data from compromised systems for double extortion purposes.[1][2]