A Beacon Object File (BOF) that performs the complete ESC1 attack chain in a single execution: certificate request with arbitrary SAN (+SID), PKINIT authentication, and NT hash extraction via UnPAC-the-hash.

1. The lineage: IRC → HTTP/HTTPS → DGA & P2P → fast-flux → cloud/“legit” platforms → blockchain contracts.
2. Why on-chain C2 matters: immutable contracts, pseudonymous wallets, and payload retrieval over public RPC.
3. Trade-offs: resilience vs latency, and how transparency enables forensics even as takedowns get harder.
4. Practical detection: block JSON-RPC egress to public providers, use TLS/JARM and beacon-timing patterns, and watch for DNS tunneling.

Just another C2 Redirector using CloudFlare. Support multiple C2 and multiple domains. Support for websocket listener.

A PoC implementation of an enahnced version of StackMoonwalk, which combines its original technique to remove the caller from the call stack, with a memory self-encryption routine, using ROP to both desynchronize unwinding from control flow and simultaneously encrypt the executing shellcode to hide it from inpection.

A Burp Suite extension for real-time sharing of HTTP traffic between team members with user-based highlighting.

This document outlines the results of a pentest and whitebox security review conducted against a number of Tor Project items. Test Targets: Network Metrics, Visualization Stack, Relay & Network Health Tools, Exit Relay Scanning, Bandwidth Measurement, Tor Core Code Changes

Explore zero-click exploits — stealthy, interactionless chains that evade defenses. Case studies reveal patch gaps and the need for stronger validation.

A tool that provides a web interface to easily perform GitHub Device Code phishing on red team engagements.

Beacon Object File for Cobalt Strike that executes .NET assemblies in beacon with evasion techniques.

Boflink is a tool designed to act as a sort of fill-in for the missing linking stage that comes with the BOF development process. It is a linker that takes unmodified object files generated by a compiler and links them together into a Beacon Object File capable of being loaded by a BOF loader.

Its main goal is to act as a bridge between the BOF development and the BOF loading process to help simplify them.

GhostLocker: AppLocker-Based EDR Neutralization
Introduction
After my article on Fairy-Law, where I used kernel mitigations to disable Endpoint Detection & Response (EDR) solutions, diversenok pointed out that IFEO exclusions (Image File Execution Options) were too invasive for third-party applications. This led to a better approach: leveraging the inherent power administrators already possess through AppLocker.

The concept was inspired by diversenok, who highlighted that administrators can legitimately control any software on their systems. From that insight, I developed a technique using AppLocker as a native Windows control mechanism. This research explores the technical implementation of AppLocker for EDR control, comparing it with WDAC and presenting a practical proof-of-concept tool.

Automated All-in-One OS Command Injection Exploitation Tool.
Usage examples