A practical walkthrough of using Ghidra and x32dbg to disassemble a Cobalt Strike beacon shellcode, identify the PUSH/CALL EBP hash-then-dispatch pattern, resolve API hashes such as “0x726774c” (LoadLibraryA), “0xa779563a” (InternetOpenA) and “0xc69f8957” (InternetConnectA), recognise ROR13 as the hashing algorithm, and extract the C2 IP “195.211.98[.]91” from the decoded calls. Original rewrite of Matthew’s tutorial on embeeresearch.io with all 56 original screenshots preserved.
BYOVD Attack Surface: From Vulnerability-Driven to Certificate Abuse
Between 2025 and 2026, BYOVD attacks completed a fundamental paradigm shift: from exploiting known-vulnerable drivers to abusing legitimately-signed drivers and certificates themselves. This English rewrite of the Ghost Wolf Lab research walks through dual-driver campaigns, single-byte signature-preserving hash flips, independent certificate abuse, and Microsoft’s March 2026 cross-signed trust removal.
RemotePE: Inside Lazarus’s In-Memory RAT and Its DPAPI-Keyed Three-Stage Loader Chain
Fox-IT (NCC Group) details RemotePE, a North-Korean Lazarus in-memory RAT delivered through a three-stage chain — DPAPILoader (environmentally-keyed first-stage), RemotePELoader (HellsGate / ETW-patched HTTP beacon) and RemotePE itself, which never touches disk. The writeup walks AES-GCM C2, MSZIP-compressed command batches, the IConsole / IFileExplorer / IProcess command surface, infrastructure, MITRE ATT&CK mapping, and a full IOC set spanning July 2023 — May 2026.
Weaponized abuse of the SYLK file format
SYLK is an ancient spreadsheet format, but Excel still supports it. GhostWolf Lab shows how .slk files can carry XLM macros, masquerade as CSV, bypass weak detections, and revive legacy macro abuse.
GhostTree: The NTFS Trick That Can Make Malware Disappear from EDR Scans
GhostTree abuses NTFS junctions to create recursive, near-endless valid paths. Recursive scanners and EDRs can hang in the maze while malware in the parent folder remains unchecked. Watch junction creation.
HWMonitor Trojanized to Deliver Multi-Stage STX RAT via DLL Sideloading
A trojanized HWMonitor archive abuses DLL sideloading with malicious CRYPTBASE.dll to launch multi-stage in-memory loaders and deploy STX RAT.
DLL Sideloading & Proxying for Advanced Red Team Engagements
A practical look at DLL sideloading and proxying: how attackers abuse trusted Windows executables to load malicious DLLs while keeping the app running normally.
Inside the Trojanized CPU-Z Campaign: DLL Sideloading, Zig Malware, and Multi-Layer Persistence
A trojanized CPU-Z package installs malware through CRYPTBASE.dll sideloading. The Zig-compiled DLL decodes an embedded payload, loads a reflective backdoor, connects to C2, and establishes persistence using PowerShell, COM hijacking, and scheduled tasks.
Tutorial: Adaptix C2 with ShellcodePack and MacroPack
This tutorial shows how to weaponize Adaptix C2 agents using ShellcodePack and MacroPack, converting payloads into shellcode and packaging them in evasive loaders to improve stealth and bypass EDR during red-team operations.
COMouflage: Stealthy DLL Surrogate Injection for Process Tree Evasion
COMouflage is a stealthy Windows injection technique that abuses COM DLL Surrogates to execute malicious DLLs inside dllhost.exe, making svchost.exe appear as the parent process and hiding the attacker’s process from detection.