A First Look at a New Post-Exploitation Red Team Tool

June 9, 2026, 8:57 a.m.

Description

A new post-exploitation red team tool named Splinter has been discovered on customer systems through Advanced WildFire's memory scanning capabilities. Developed in Rust programming language, Splinter is exceptionally large at around 7MB due to statically linked libraries. The tool uses a JSON configuration structure containing implant ID, C2 server details, and operational parameters. It operates through a task-based model with capabilities including Windows command execution, remote process injection, file upload/download, cloud service information gathering, and self-deletion. Communication with the C2 server occurs via HTTPS using specific URL paths for task synchronization, heartbeat connections, and file transfers. While not as sophisticated as Cobalt Strike, Splinter represents a growing variety of penetration testing tools that could potentially be misused by threat actors.

External References

https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/?pdf=print&lg=en&_wpnonce=e975e137ff
https://otx.alienvault.com/pulse/6a27af63e5b642f7307b0f6e
Tags
rust
post-exploitation
c2-communication
splinter
2026-06-09
penetration-testing
process-injection
red-team-tool
task-based

Date

  • Created: June 9, 2026, 6:14 a.m.
  • Published: June 9, 2026, 6:14 a.m.
  • Modified: June 9, 2026, 8:57 a.m.

Indicators

  • 1962cef10cf737300d04a23139122abcc8e8803e54dfcb63054140fbe549bed0
Download all indicators here!

Attack Patterns

  • Splinter