Building an Encrypted C2 Implant Using QUIC

Building an Encrypted C2 Implant Using QUIC

R.B.C (g3tsyst3m) builds crudeRAT: a minimal Python C2 implant using QUIC (RFC 9000) as its transport. Starting from an unprivileged shell, the QUIC channel delivers TLS 1.3 encryption from the first packet, UDP-based transport that evades TCP-centric monitoring, bidirectional file transfer with tqdm progress bars, and shellcode execution via the EnumSystemLocalesW Windows API callback pattern. The article covers both server and implant code, the file transfer state machines, ALPN selection for operational engagements, and known limitations.

Windows Sandbox .wsb HostFolder NTLM Leak: A New UNC Coercion Primitive for Initial Access

Windows Sandbox is supposed to be the safe place to open untrusted files — but the .wsb configuration file is parsed by the host long before the guest boots. The UNCagedSandbox research by 0xHossam shows that a MappedFolder whose HostFolder points to a UNC path coerces the host into authenticating over SMB, leaking NetNTLMv2 to an attacker. Networking=Disable and ReadOnly=true do not stop it. Here is how the primitive works, what triggers it, and how to detect and defend against it.