VirusTotal Stealer is a DATA Exfiltration tool that exfitrate office documents and tunnel them over VirusTotal API to the Team Server

Hunt for C2 servers and phishing web sites using VirusTotal API , you can modify code to kill the malicious process

Documents Exfiltration project for fun and educational purposes

Loading Remote AES Encrypted PE in memory , Decrypted it and run it

This repository focuses on replicating the behavioral patterns observed in well-documented APT campaigns.

Another approach of Threadless injection discovered by @_EthicalChaos_ in c that loads a module into the target process and stomps it, and reverting back memory protections and original memory state

Dropping a powershell script at %HOMEPATH%\Documents\WindowsPowershell\ , that contains the implant's path , and whenever powershell process is created, the implant will be executed too.

Patching AmsiOpenSession by forcing an error branching

different ntdll unhooking techniques : unhooking ntdll from disk, from KnownDlls, from suspended process, from remote server (fileless)

Github as C2 Demonstration , free API = free C2 Infrastructure

Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime

Create a new thread that will suspend every thread and encrypt its stack, then going to sleep , then decrypt the stacks and resume threads

Encypting the Heap while sleeping by hooking and modifying Sleep with our own sleep that encrypts the heap

A keystroke logger targeting the Remote Desktop Protocol (RDP) related processes, It utilizes a low-level keyboard input hook, allowing it to record keystrokes in certain contexts (like in mstsc.ex…

Shellcode Loader with Indirect Dynamic syscall Implementation , shellcode in MAC format, API resolving from PEB, Syscall calll and syscall instruction address resolving at run time

This repo contains : simple shellcode Loader , Encoders (base64 - custom - UUID - IPv4 - MAC), Encryptors (AES), Fileless Loader (Winhttp, socket)

Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid opening a handle to ntdll , and trigger exported APIs from the export table

Set the process mitigation policy for loading only Microsoft Modules , and block any userland 3rd party modules

Block any Process to open HANDLE to your process , only SYTEM is allowed to open handle to your process ,with that you can avoid remote memory scanners

PE obfuscator with Evasion in mind

Improved version of EKKO by @5pider that Encrypts only Image Sections