### Top-Line Findings
1. **The C2 ecosystem is far less diverse than it appears.** While there are 30 "different" frameworks, the underlying technique implementations converge on a small number of canonical code patterns, many traceable to specific open-source authors or blog posts.
2. **Three source projects account for the majority of reused code:**
- **TrustedSec's COFFLoader** — the ancestor of nearly every open-source BOF loader
- **PowerSploit** (by @harmj0y, @mattifestation, @obscuresec) — Get-Keystrokes, Invoke-Mimikatz, PowerView, and persistence modules are shipped verbatim by Empire, PoshC2, PowerHub, Amnesiac, and Shad0w
- **Kevin Robertson's Invoke-WMIExec/Invoke-SMBExec** — the dominant PowerShell implementations for WMI and SMB lateral movement, bundled by Empire, PoshC2, PowerHub, and SilentTrinity
3. **A single detection rule can catch multiple frameworks.** Because many C2s share identical implementation code:
- One detection for the PowerSploit `Get-Keystrokes` GetAsyncKeyState polling loop catches Empire, PoshC2, and any framework that bundles PowerSploit
- One detection for the TrustedSec COFFLoader relocation pattern catches Apollo, Loki, Sliver (extension), and derivatives
- One detection for the .NET `ManagementScope` WMI pattern catches Apollo, Covenant, NimboC2, SilentTrinity, and DeimosC2
4. **Genuinely novel frameworks are rare.** Of the 30 analyzed:
- **4 frameworks** (Sliver, Havoc, Realm, TripleCross) demonstrate significant code originality
- **6 frameworks** show moderate originality (Wyrm, AdaptixC2, Emp3r0r, Merlin, NimPlant, GC2)
- **20 frameworks** rely heavily on shared code from the three source projects above, or implement techniques using the same well-known recipes
5. **HTTP C2 communications show the most behavioral convergence.** Three jitter formula families, shared User-Agent strings (the IE11 UA appears in Empire, Nuages, and Covenant), and common URL path patterns create fingerprinting opportunities.
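To make findings 3 and 5 concrete, the following is an added example, not code from this report or from any of the frameworks it names. It encodes three of the shared-code signatures as YARA-style "all patterns must match" rules, each tagged with the frameworks the findings above say ship that code, and runs them over constructed artifacts. The regex shapes (a `GetAsyncKeyState` poll loop with a millisecond sleep, the .NET `ManagementScope`/`ConnectionOptions` recipe targeting `Win32_Process`, and the IE11 User-Agent value `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`) are assumptions about what the shared code looks like; the PowerShell, C# and proxy-log samples are stand-ins written for this example, not copies of PowerSploit, Apollo, Covenant or Empire sources.

```python
"""One rule, many frameworks: a minimal shared-code signature scanner.

Added example. The signature shapes and the sample artifacts below are
assumptions constructed for illustration, not the projects' own code.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    patterns: tuple      # every pattern must match (YARA-style "all of them")
    frameworks: tuple    # frameworks the findings say bundle this shared code


SIGNATURES = (
    Signature(
        "powersploit_get_keystrokes_poll",
        # Assumed shape of a GetAsyncKeyState keylogger: a loop that polls the
        # key state and sleeps a few tens of milliseconds between rounds.
        (re.compile(r"GetAsyncKeyState", re.I),
         re.compile(r"Start-Sleep\s+-Milliseconds\s+\d+", re.I),
         re.compile(r"\b(while|foreach|for)\b", re.I)),
        ("Empire", "PoshC2", "PowerHub", "Amnesiac", "Shad0w"),
    ),
    Signature(
        "dotnet_managementscope_wmi",
        # Assumed shape of the .NET WMI lateral-movement recipe.
        (re.compile(r"\bManagementScope\b"),
         re.compile(r"\bConnectionOptions\b"),
         re.compile(r"Win32_Process")),
        ("Apollo", "Covenant", "NimboC2", "SilentTrinity", "DeimosC2"),
    ),
    Signature(
        "ie11_user_agent",
        # Assumed IE11 UA value shared by several HTTP C2 profiles.
        (re.compile(r"Trident/7\.0; rv:11\.0\) like Gecko"),),
        ("Empire", "Nuages", "Covenant"),
    ),
)


def match_signatures(artifact: str) -> list:
    """Return the names of every signature whose patterns all match."""
    return [s.name for s in SIGNATURES
            if all(p.search(artifact) for p in s.patterns)]


def frameworks_implicated(artifact: str) -> set:
    """Union of frameworks tied to every signature that fires on the artifact."""
    hits = set(match_signatures(artifact))
    return {fw for s in SIGNATURES if s.name in hits for fw in s.frameworks}


# Constructed samples (not real framework code or real traffic).
SAMPLES = {
    "keylogger.ps1": r"""
while ($true) {
    Start-Sleep -Milliseconds 40
    foreach ($vk in 8..254) {
        if (($GetAsyncKeyState.Invoke($vk) -band 0x8000) -ne 0) { $buf += [char]$vk }
    }
}
""",
    "wmiexec.cs": r"""
var opts = new ConnectionOptions { Username = user, Password = pass };
var scope = new ManagementScope($@"\\{host}\root\cimv2", opts);
scope.Connect();
var proc = new ManagementClass(scope, new ManagementPath("Win32_Process"), null);
proc.InvokeMethod("Create", new object[] { cmd });
""",
    "proxy.log": '10.0.0.5 - - "GET /index.php HTTP/1.1" 200 '
                 '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    # Benign admin script: one WMI query, no polling loop, no ManagementScope.
    "inventory.ps1": r"""
Get-WmiObject -Class Win32_Process -ComputerName $target | Select-Object Name
""",
}


if __name__ == "__main__":
    for name, artifact in SAMPLES.items():
        hits = match_signatures(artifact)
        print(f"{name}: {hits or 'clean'} -> {sorted(frameworks_implicated(artifact))}")
```

Each sample trips exactly one rule, the benign inventory script trips none, and a single hit on `wmiexec.cs` implicates five frameworks at once, which is the point of finding 3. Real-world rules should be tightened with proximity constraints and tested against a corpus of legitimate admin scripts before deployment; these are deliberately broad.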