Evasion through traffic simulation
- Added "msrpc-azure" and an easy-to-use MIME type (yin+xml, vnd.fly, application/javascript) and headers from IIS 10.0/ASP.NET/IBM_HTTP_Server. It disguises itself as an enterprise stack (Azure AD, legacy WebDAV, NETCONF).
- jQuery v3.4.1 + jQuery UI v1.12.1 (add/do not add) is a powerful tool for disguising responses as legitimate JS libraries. As for EDR/proxies, they are focused on a "C2-like" tracker.
- URIs like /compare/v1.44/VXK7P0GBE8 and /Build/v1.85/JDX894ZM2WF1 — (version + token).
- Metadata/identifier from the cookie (SESSIONID_...=) and parameters (_KZZUEUVN=).
Data obfuscation
- mask + base64url/netbiosu — double/triple streamlining. Netbiosu (upper case) is case-sensitive.
Process-input-stage
- virtual resource allocator + HeapAlloc for BOF.
- startrwx/userwx is "false" — simulates RWX signatures (EDR as a defender levitates on this).
- bof_reuse_memory "true" + min_alloc 16384 — writes part of the data.
- NOP/junk conversions (with the addition of "\x90\x90" in x86, "long list" in x64) — textual code zeroing.
- the initial stage of the "false" check is another OPSEC that does not contain a payload on C2 (reduces the scanning speed of the server).
Sleep and jitter
- waiting time of 30,000 ms (30 sec) + 33% jitter — automatically (selects the detector on "fast C2").
OPSEC
- channel name "Winsock2\CatalogChangeListener-####-0" — custom that runs system channels (Windows Winsock).
- user agent "<RAND>" — random in IE style
- ssh_banner Ubuntu + custom pipe — password for SSH post-ex (evasion in Linux/hybrid environment).
- tasks_max_remote_size 2 MB — issues an OPSEC warning about large payloads.
- create_remote_thread/hijack_remote_thread "true" — avoiding intercepting the stream.
- https-certificate - Azure-mimic (CN "*.azureedge.net") — to bypass TLS.
https://github.com/cfs0x/Evasion-Profiles
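A defender-side hunting check for the traits listed above, added here as an example and not taken from the linked repository: it flags client/host pairs in proxy logs whose URIs match the version + token shape and whose request gaps fit a 30 s sleep with 33% jitter. The record layout, the addresses and hostname in the sample, and the assumption that jitter only shortens the sleep are assumptions of this example.

```python
import re
from collections import defaultdict
from statistics import median

# Shape of the URIs quoted above: /<word>/v<major>.<minor>/<upper-case token>
URI_SHAPE = re.compile(r"^/[A-Za-z]+/v\d+\.\d+/[A-Z0-9]{8,16}$")

def beacon_candidates(records, sleep_s=30.0, jitter=0.33, slack_s=2.0, min_hits=6):
    """Flag (client, host) pairs whose requests match URI_SHAPE and whose
    gaps fit a jittered sleep. Assumption: jitter only shortens the sleep,
    so gaps fall in [sleep*(1-jitter), sleep], widened by slack for latency."""
    lo, hi = sleep_s * (1 - jitter) - slack_s, sleep_s + slack_s
    by_pair = defaultdict(list)
    for ts, client, host, uri in records:
        if URI_SHAPE.match(uri):
            by_pair[(client, host)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        in_window = sum(lo <= g <= hi for g in gaps) / len(gaps)
        if in_window >= 0.9:
            hits.append((pair, round(median(gaps), 1), round(in_window, 2)))
    return sorted(hits)

# Constructed sample records: (epoch seconds, client, host, uri)
def _mk(client, times, uris):
    return [(t, client, "cdn.example.test", uris[i % len(uris)])
            for i, t in enumerate(times)]

SAMPLE = (
    # jittered ~30 s check-ins using the two URI forms from the post
    _mk("10.0.0.5", [0, 24, 51, 73, 102, 126, 151],
        ["/compare/v1.44/VXK7P0GBE8", "/Build/v1.85/JDX894ZM2WF1"])
    # same URI shape, irregular timing: not flagged
    + _mk("10.0.0.7", [0, 5, 305, 317, 1217, 1257, 1260], ["/api/v2.1/ABCDEFGH12"])
    # regular timing, ordinary URI: not flagged
    + _mk("10.0.0.9", [0, 25, 50, 75, 100, 125, 150], ["/static/app.js"])
)

if __name__ == "__main__":
    for pair, med, frac in beacon_candidates(SAMPLE):
        print(pair, "median gap", med, "s, in-window fraction", frac)
```

Requiring both the URI shape and the timing window keeps ordinary polling clients and versioned API paths out of the results; tune `slack_s` and `min_hits` to the log source.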
Prices for CFS CRYPT data plans are dynamic and may change depending on the current infrastructure load, target audience, and market conditions.
The indicated prices are valid at the moment, but may increase or decrease depending on these factors.
Over time, exclusive technologies and solutions will be added to each tariff plan, which will remain available exclusively for this plan.
Your [code] EV Code Signing + CFS CRYPT :
Bypass AV / EDR / Smartscreen / Chrome alert
- 175💵 1st file,
- 250💵 2 file,
- 350💵 3 file,
- 450💵 4 file,
- 550💵 week unlimited.
- 3k💵 Month unlimited.
If you work with large volumes or are a regular customer, we are ready to offer you more favorable conditions.
Warranty is always a priority for us, not an option, but a standard of work, regardless of the amount, tariff or terms of the transaction.
We provide firm guarantees that you get exactly what you pay for, in full and on time.
# Arsenal Kit 20251122
e5e99066e154b623526c7620ea226c99bf68371d9d9ef4597c404c701e6a06f3 arsenal-kit20251122.tgz
November 2025 - Cobalt Strike 4.12
-------------
+ Added drip-loader support.
Added drip-loading in beacon for memory allocation/process inject.
Added drip-loading in the reflective loader.
Changed ALLOCATED_MEMORY_* structures (USER_DATA.version 4.12 requires updated structures - breaking change for sleepmask).
Added UDC2 beacons for User Defined Command and Control (UDC2).
Added task IDs to associate task/command input and retrieved output in logs.
Added results from File Browser list files (ls) and Process Browser list processes (ps) to beacon logs.
Process Injection Overhaul
Added injection techniques in the client.
Added PROCESS_INJECT_EXPLICIT_USER and PROCESS_INJECT_SPAWN_USER aggressor hooks for adding user-defined injections to the UI.
+ Added REST API server [BETA]
Introduced a new REST API server designed to run alongside the team server, providing access to Cobalt Strike functionality via REST.
Enhanced the team server to add task tracking to support task/response relationships through the REST API.
Enabled centralized artifact management through the REST API.
Added SOCKS5 IPv6 support which is limited to TCP.
BOF Improvements
Added an API for BeaconDownload.
Updated to use Dynamic Import which removes the limits on the number of Beacon Object File Imports.
+ Updated pivot beacons (SMB and TCP) to use overlapped IO for named pipes/sockets (breaking change with previous versions).
Updated and simplified the sleepmask entry point.
+ GUI Overhaul
Switched look and feel from Synthetica to FlatLNF.
Added new look and feel themes.
Replaced various product icons.
Replaced "colorPanel" aggressor function with "colorMenu".
Updated beacon session list external column link/unlink text symbol to an icon.
Updated File Browser tree to wait until previous click completes loading before accepting another click (double-loading).
Added labels to pivot graph links.
Updated SSH beacon to work on newer Linux distros.
Added new UAC bypasses.
Added "beacon_info" command to list beacon memory information.
Updated beacon cleanup and exit procedures.
Fixed help for "beacon_config".
Fixed issue preventing BEACON_RDLL_GENERATE_LOCAL hook from firing.
Fixed issue with tasks larger than Task Max Size to crash beacon.
Updated java dependencies from Java 11 to Java 17.
- Removed support for the StompLoader.
The classic C++ shellcode loader for Windows, written to maximize the bypass of antiviruses and sandboxes (including Microsoft Defender, EDR systems like CrowdStrike, SentinelOne, etc.).
This is code that takes prepared shellcode (small machine code, the payload), places it in memory and executes it without creating a new thread and without explicitly calling CreateThread/QueueUserAPC, to be as quiet as possible.
A tool for converting PE files (EXE/DLL) into position-independent shellcode: https://github.com/CBLabresearch/Clematis
EV CODE x GlobalSign x SSL EV CODE will be available. Cloud + .pfx Signing.
🆕 EV CodeSign by GlobalSign .pfx + cloud (1 year);
EV CodeSign by SSL.com .pfx + cloud (1 year);
Verifies the publisher's identity (EU Companies);
Rent Week Signing:
Now the price for a weekly plan is 700💵
EV Certificate included in the price!✅
https://telegra.ph/EV-Code-Signing-Cloud-02-19
https://github.com/cfs0x/CFSKiller
The vulnerability is triggered through IOCTL code 0x22201C with a 1036-byte buffer, where the first 4 bytes contain the target process identifier as a DWORD. The vulnerable driver, having received this malicious IOCTL through DeviceIoControl, calls the imported function ZwTerminateProcess, giving any user-mode application the ability to terminate processes at the kernel level.
Cobalt Strike-CDN/Reverse Proxy Setup
https://redops.at/en/blog/cobalt-strike-cdn-reverse-proxy-setup
TLDR; This blog post explains how Content Delivery Networks can be used in conjunction with a C2 domain and Nginx as a reverse proxy in the context of Cobalt Strike for C2 communications.
EV CODE x GlobalSign x SSL EV CODE will be available. Cloud + .pfx Signing.
EV CodeSign our token remote* - 3k💵 (1 year);
EV CodeSign your token - 2k💵 (1 year);
EV CodeSign by GlobalSign .pfx - 3k💵 (1 year);
EV CodeSign by SSL.com .pfx + cloud - 2k💵 (1 year);
EV CodeSign by SSL.com cloud - 1.5k💵 (1 year);
The cost of a full transfer is 4.5k💵
2k💵 are offered for remote access 24/7 + GitHub Actions
Appeared on sale OV CODE SIGNING IN CLOUD ( DigiCert OV / GlobalSign OV )
Price : 350💵
Verifies the publisher's identity (EU Companies);
You can use the OV certificate to sign drivers, but with significant restrictions, for Windows (Windows 10, 11 and later).
Your [Malware] code signing bypass:
AV / EDR / Smartscreen / Chrome alert
- 400💵 1st file,
- 300💵 2nd file,
AV + Smartscreen
- 250💵 each sign
Our [Loader / Dropper] Rent week
loader 450💵
Rent Week Signing:
Now the price for a weekly plan is 1500 - 750💵
EV Certificate included in the price!✅
you can already buy from us
🔥🔥🔥 Shellter Elite v11.2 (license only)
https://www.shellterproject.com/homepage/.
Price 3k$
