Ivan Spiridonov

334 posts


@xbz0n

Penetration Tester | #OSCE³ | #OSWE | #OSEP | #OSED | #CRTO | #CRTL | #CRTE | #OSCP | #BSCP | Offensive Security Consultant

Joined September 2015
1.1K Following 1.8K Followers
Ivan Spiridonov reposted
RST Cloud @rst_cloud
#threatreport #LowCompleteness Mythic C2 with EarlyBird Injection and Defender Evasion | 29-06-2025
Source: xbz0n.sh/blog/mythic-c2…
Key details below ↓
💀 Threats: Mythic_c2, Earlybird_injection_technique, Cobalt_strike_tool, Domain_fronting_technique, Apollo, Process_injection_technique, Credential_harvesting_technique, Antidebugging_technique, Polymorphism_technique
🤖 LLM extracted TTPs: T1001.003, T1003, T1027, T1027.005, T1036.004, T1036.005, T1055.002, T1055.012, T1055.019, T1071.001, ...
🧨 IOCs: File: 20, Path: 1
💽 Software: Nginx, WordPress, Ubuntu, sudo, Docker, curl, Windows Error Reporting, Windows Defender
🔢 Algorithms: prng, xor, exhibit
🔠 Functions: decrypt, Execute, GetEmbeddedPayload, AdvancedPayloadLoader, Run, main, Get-MpComputerStatus
🗂️ Win API: CreateProcessW, VirtualAllocEx, WriteProcessMemory, QueueUserAPC, ResumeThread
📜 Programming Languages: php
#threatreport: The article discusses the intricacies of constructing effective command and control (C2) infrastructure, specifically highlighting the Mythic C2 framework and the EarlyBird injection method to achieve stealth during red team operations. It critiques the simplistic approach often taken by red teamers who rely on basic setups like Cobalt Strike, emphasizing that modern security teams can quickly identify and neutralize such obvious threats. The core of this C2 infrastructure centers on using HTTP/HTTPS redirectors to obscure the actual C2 server from direct exposure to the internet. This is accomplished through a direct Nginx proxy configuration, where genuine web traffic conceals C2 communications. By leveraging legitimate content, encrypted traffic, and valid certificates, the setup aims to present a façade of normalcy to detection systems. The system routes all communications through a decoy site, which is designed to look legitimate and serve as a cover for the C2 traffic, minimizing the chances of detection.
Central to the operation is the EarlyBird injection technique, which enhances the stealth capacity of the payload. This method exploits the Windows process creation workflow by creating processes in a suspended state, allowing for memory allocation and injection without triggering immediate alerts. This timing allows code execution during the process's initialization phase, before most security monitors can activate. The article provides a detailed view of how the loader interacts with system processes, specifically how it targets legitimate processes like WerFault.exe for injection, masking its malicious nature while maintaining operational capability. It also discusses the importance of using real domain names and SSL certificates in the setup, adding layers of obfuscation that make detection exceedingly challenging for blue teams. By ensuring that all communications resemble legitimate traffic patterns, the risk of exposure is significantly lowered. For instance, payloads are disguised as benign file types, such as font downloads, further embedding malicious activity within ordinary Internet behavior. The infrastructure's resilience is enhanced by implementing fallback strategies and ensuring that should one part of the system fail, others can maintain functionality. This involves automatic payload rotation and increasingly sophisticated obfuscation techniques to agitate static and dynamic analysis tools. The article emphasizes the necessity of adopting a defense-oriented mindset to anticipate and mitigate detection tactics used by modern endpoint security solutions.
Ivan Spiridonov reposted
spencer @techspence
How do you meaningfully improve the security of your AD environment? Run these free tools quarterly:
- PingCastle
- ScriptSentry
- Locksmith
- ADeleginator
If you just ran these tools and fixed everything identified by them, your AD environment will not only be more secure, but you'll sleep better at night.
Ivan Spiridonov @xbz0n
No C2 backbone in your red team op? Tightrope, no net. My new article digs into C2 layers & how I use Nginx to bounce HTTP/HTTPS traffic on the sly. Keeps it tough to crack. xbz0n.sh/blog/c2-redire… #C2 #RedTeam
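Added example, not from @xbz0n's article or tweet and not from the RST Cloud summary above: an Nginx redirector configuration of the kind both posts describe. A decoy site answers every visitor; only requests that match an assumed implant fingerprint (a fixed User-Agent string on font-like paths) are proxied to the team server, and anyone else asking for those paths gets a real font file. The domain cdn-assets.example.com, the /fonts/ and /static/ paths, the User-Agent value, the certificate paths and the backend 10.0.0.5:8443 are all assumptions, not values taken from the article; the listener on the team server has to be configured with the same profile.

```nginx
# Goes in the http {} context. Added example; every name, path and address
# below is an assumption, not the article's real infrastructure.

# Flag requests whose User-Agent matches the implant profile (assumed value).
# The match is exact; a single different byte falls through to "default 0".
map $http_user_agent $c2_client {
    default 0;
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" 1;
}

# Assumed team-server listener, reachable only over a private link or tunnel.
# TLS from the implant terminates here at the redirector.
upstream teamserver {
    server 10.0.0.5:8443;
}

server {
    listen 80;
    server_name cdn-assets.example.com;
    return 301 https://$host$request_uri;   # everything goes to TLS
}

server {
    listen 443 ssl;
    server_name cdn-assets.example.com;

    # Assumed certificate for the decoy domain (e.g. issued via ACME).
    ssl_certificate     /etc/letsencrypt/live/cdn-assets.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cdn-assets.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/redirector.log;

    # Decoy content lives here; a plain static site is enough.
    root  /var/www/decoy;
    index index.html;

    # Check-in/tasking URIs disguised as font downloads (assumed naming).
    # Regex locations win over the prefix locations below for these paths.
    location ~ ^/fonts/[a-z]+\.woff2$ {
        # Non-implant client: hand back a genuine font instead of the C2.
        # "rewrite ... last" is one of the two directives that are safe
        # inside a location-level "if".
        if ($c2_client = 0) {
            rewrite ^ /static/roboto.woff2 last;
        }
        proxy_pass         http://teamserver;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
    }

    # Real static assets, including the decoy font served above.
    location /static/ {
        try_files $uri =404;
    }

    # Everything else is the decoy site.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

Two practical caveats. A static User-Agent string is a weak gate on its own: a scanner that copies it gets proxied, so during an engagement pair the map with a client-IP allow list (or a second header check) and keep the team server firewalled so that only the redirector can reach 10.0.0.5:8443. And because TLS terminates at the redirector, the team server only sees the redirector's address unless it honours the X-Forwarded-For header set above; check the listener logs once before relying on them.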
Ivan Spiridonov reposted
Smukx.E @5mukx
My maldev works and practices [Oct 2024]:
+ Remote Process Injection using NTAPI: github.com/Whitecat18/Rus…
+ Code injection using (NtCreateSection, NtMapViewOfSection): github.com/Whitecat18/Rus…
+ Payload Shuffling Technique: github.com/Whitecat18/Rus…
+ Local Mapping Injection: github.com/Whitecat18/Rus…
+ Enable Token Access: github.com/Whitecat18/Rus…
+ Module Extractor: github.com/Whitecat18/Rus…
+ DLL Injector [Added Features++]: github.com/Whitecat18/Rus…
+ PPID Spoofing: github.com/Whitecat18/Rus…
+ Code injection using CreateMutex: github.com/Whitecat18/Rus…
+ EDRChecker: github.com/Whitecat18/Rus…
[Oct 2024] For More Codes: github.com/Whitecat18/Rus…
#maldev #EDR #redteaming #Program #shellcode #evasion #pwn #testing #tools #LearnAndGrow