MSec Operations Profile
MSec Operations

@MSecOps

Followers: 1K
Following: 13
Media: 18
Statuses: 21

Germany
Joined July 2024
@MSecOps
MSec Operations
1 year
🔥 Introducing RustPack 🔥. RustPack is an evasive packer/loader that is capable of bypassing common AV/EDR vendors. It accepts user-provided, known-malicious input payloads such as shellcode, C# assemblies or portable executables (PE). Those inputs are encrypted, and
@MSecOps
MSec Operations
1 month
Creating COM hijacking payloads has never been easier than with RustPack! With COM hijacking, you can persist on a target system by 'living' in trusted user processes, such as the Chrome browser. You only need to bring one DLL. When the user opens Chrome, for example, a C2
@MSecOps
MSec Operations
3 months
Rumour has it that Jonas Lykkegaard's self-delete technique doesn't work on Windows 11 anymore. Well, the original proof of concept (PoC) does not, but slight modifications bring this technique back to Win11! 😎 With #RustPack, you can easily generate self-deleting executables or
@MSecOps
MSec Operations
4 months
And yes, our custom Ruy-Lopez technique even works perfectly fine for e.g. DLLs that are run via rundll32.exe. The same works for sideloaded DLLs, and so on. 😎
@MSecOps
MSec Operations
4 months
The Ruy-Lopez technique sometimes helps a lot with evasion. The technique was published and open-sourced by our founder @Shitsecure two years ago. In #RustPack version 1.3.1 we added a custom, non-public version of this technique that is much more OPSEC-safe than the public
@MSecOps
MSec Operations
4 months
#RustPack version 1.3.0 has been released today. This version includes (again) minor changes to the final payload metadata to remove various potential IoCs. 🔥🔥 For example, most packers use some kind of string-based encoding to reduce entropy, such as the well-known UUID,
@MSecOps
MSec Operations
5 months
In one of our previous videos we demonstrated how to generate sideloading binaries by cloning the exports of an existing DLL to forward them. However, using Microsoft DLLs and Microsoft-signed binaries is not the best OPSEC, as it's easy for EDR
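The export-cloning step mentioned in the post above, as an added example that is not RustPack's code or MSec Operations' video: it parses the export directory of a DLL and emits a module-definition file whose EXPORTS forward every named export to the original DLL under a new name (the usual proxy-DLL layout for sideloading: the original is renamed, the proxy takes its file name). Everything below is assumed for illustration, including the tiny PE32+ image that `build_export_dll` constructs as a fixture in place of a real system DLL; the export names and the `OTHER.RealHelper` forwarder in it are made up.

```python
import struct

# Added example (not RustPack code): read a DLL's export table and emit a .def
# file that re-exports every named function, forwarding it to the original DLL
# under a new name. The PE image built by build_export_dll is a constructed
# fixture, not a real system DLL.


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def read_exports(pe: bytes):
    """Return (dll_name, [(export_name, ordinal, forwarder_or_None), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)            # data directories: PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", pe, dd)  # entry 0 is the export table
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    ed = _rva_to_offset(exp_rva, sections)
    name_rva, base, _nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<7I", pe, ed + 12)
    funcs, names, ords = (_rva_to_offset(r, sections) for r in (funcs_rva, names_rva, ords_rva))
    exports = []
    for i in range(nnames):
        name = _cstring(pe, _rva_to_offset(struct.unpack_from("<I", pe, names + 4 * i)[0], sections))
        idx = struct.unpack_from("<H", pe, ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", pe, funcs + 4 * idx)[0]
        # A function RVA that points back inside the export directory is a forwarder string, not code.
        fwd = _cstring(pe, _rva_to_offset(func_rva, sections)) if exp_rva <= func_rva < exp_rva + exp_size else None
        exports.append((name, base + idx, fwd))
    return _cstring(pe, _rva_to_offset(name_rva, sections)), exports


def forwarder_def(original: bytes, renamed_stem: str):
    """Lines of a .def file whose EXPORTS forward to the renamed original DLL.

    Exports the original already forwards elsewhere are copied as-is rather
    than being chained through the renamed copy.
    """
    dll_name, exports = read_exports(original)
    lines = [f"LIBRARY {dll_name.rsplit('.', 1)[0]}", "EXPORTS"]
    for name, ordinal, fwd in exports:
        target = fwd or f"{renamed_stem}.{name}"
        lines.append(f"    {name}={target} @{ordinal}")
    return lines


def build_export_dll(dll_name: str, names, forwards=None) -> bytes:
    """Constructed fixture: a minimal PE32+ image whose only section holds an export table."""
    forwards = forwards or {}
    n, sec_va, sec_raw = len(names), 0x1000, 0x200
    funcs_rva = sec_va + 40                     # directory(40) | funcs(4n) | names(4n) | ords(2n) | strings
    names_rva, ords_rva = funcs_rva + 4 * n, funcs_rva + 8 * n
    str_rva, strings = ords_rva + 2 * n, bytearray()

    def add_str(s):
        rva = str_rva + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    name_rva = add_str(dll_name)
    name_rvas = [add_str(nm) for nm in names]
    func_rvas = [add_str(forwards[nm]) if nm in forwards else 0x2000 + 0x10 * i for i, nm in enumerate(names)]
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *name_rvas) + struct.pack(f"<{n}H", *range(n))
    body += bytes(strings)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_va, len(body))   # export directory RVA and size
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    img = dos + coff + opt + sec
    return bytes(img + b"\0" * (sec_raw - len(img)) + body)


if __name__ == "__main__":
    fixture = build_export_dll("version.dll", ["GetFileVersionInfoA", "VerQueryValueW", "HelperFwd"],
                               {"HelperFwd": "OTHER.RealHelper"})
    print("\n".join(forwarder_def(fixture, "version_orig")))
```

Two caveats a practitioner will hit with real DLLs: exports that have only an ordinal (NONAME) are not in the name table and are skipped here, so a host that imports by ordinal will still break; and a forwarder that the original DLL already carries must be copied verbatim, as above, not pointed at the renamed copy, or the chain resolves twice.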
@MSecOps
MSec Operations
6 months
#RustPack version 1.2.0 is now released for our customers. The biggest change was to add full DInvoke support for all payloads. The import table now won't show the Windows APIs being used anymore; instead, by default, random non-malicious imports are added to make payloads
@MSecOps
MSec Operations
7 months
How do you create your payloads in 2025? At MSec Operations we prefer to use DLL sideloading for EDR evasion. This technique allows our malicious code to run within a signed, legitimate executable. Combining this technique with other useful techniques will provide stable
@MSecOps
MSec Operations
8 months
The next version of #RustPack will not expose any of its used imports anymore 🔥🔥🔥. Instead, there will be random, friendly-looking imports for each payload. Only if the operators really want to can they still go for zero imports. Just because it's possible. 🙂
@MSecOps
MSec Operations
9 months
The simplest use case for #RustPack: packing shellcode into an unsigned executable. RustPack is a Windows executable which can be used offline. It takes the input file (in this case Havoc shellcode) and builds an executable output format, which will decrypt and execute the
@MSecOps
MSec Operations
10 months
🔥🔥 The first new #RustPack version 1.1 was just sent to our customers. 🔥🔥
Changes include:
- A killdate can now be set; after that date payloads won't fire anymore.
- The operator can specify the host binary in which the payload will fire. It will only
@MSecOps
MSec Operations
11 months
Bonus: this of course also works for generated DLL files. So you can run the interactive PowerShell from within rundll32.exe or any sideloading binary of your choice with a console. This gets you around e.g. AppLocker restrictions. 🤠
@MSecOps
MSec Operations
11 months
Another super handy feature for pentesters is the interactive PowerShell. Whenever you have a project where you have interactive access to a desktop environment, you may want to stick to the offensive PowerShell tooling. In this case, #RustPack can generate an executable for you
@MSecOps
MSec Operations
1 year
One more cool thing about #RustPack is that you can create DLLs which still return console output to the operator. This can be used to, for example, execute C# binaries from within rundll32.exe or other processes, still getting the file output as usual. 🔥 So for pentesters
@MSecOps
MSec Operations
1 year
Entropy-based detections are not a problem at all for #RustPack. All payloads by default end up with a normal-to-low overall entropy value. And on top of that, the operator can choose between alternative payload encoding options. 😎 Alternatively, you can de-couple the encrypted payload
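The two posts on entropy above (the 1.3.0 release note on string-based encodings such as UUIDs, and this one on entropy-based detections) describe the effect without numbers. The following is an added example, not RustPack's code: it measures the Shannon entropy of a blob of constructed pseudo-random bytes standing in for ciphertext, re-encodes it as UUID strings, and shows both why a file- or section-level entropy threshold stops firing and what a detection should look at instead. The 7.0 bits/byte threshold, the seed, and the blob size are assumptions for illustration.

```python
import math
import random
import re
import uuid
from collections import Counter

# Added example (not RustPack code): what a string-based encoding such as UUIDs
# does to the entropy of an encrypted payload, and what an entropy threshold
# alone still misses. The "ciphertext" is constructed pseudo-random data.


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def uuid_encode(blob: bytes) -> str:
    """Represent raw bytes as comma-separated UUID strings, 16 bytes per UUID, zero-padded at the end."""
    padded = blob + b"\x00" * (-len(blob) % 16)
    return ",".join(str(uuid.UUID(bytes=padded[i:i + 16])) for i in range(0, len(padded), 16))


def uuid_decode(text: str, length: int) -> bytes:
    """Inverse of uuid_encode; `length` strips the padding again."""
    return b"".join(uuid.UUID(s).bytes for s in text.split(","))[:length]


# Detection-side counterpart: the encoding trades high entropy for a very regular string shape.
UUID_RE = re.compile(rb"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def count_uuid_strings(data: bytes) -> int:
    """How many UUID-shaped strings sit in a blob (a pattern rule, not an entropy rule)."""
    return len(UUID_RE.findall(data))


def make_ciphertext(size: int = 4096, seed: int = 2024) -> bytes:
    """Constructed stand-in for an encrypted payload: seeded pseudo-random bytes that look like ciphertext."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def entropy_report(threshold: float = 7.0) -> dict:
    """Compare the raw blob and its UUID-encoded form against an assumed 'high entropy' threshold."""
    raw = make_ciphertext()
    encoded = uuid_encode(raw).encode("ascii")
    raw_h, enc_h = shannon_entropy(raw), shannon_entropy(encoded)
    return {
        "raw_entropy": round(raw_h, 2),
        "encoded_entropy": round(enc_h, 2),
        "raw_flagged": raw_h > threshold,
        "encoded_flagged": enc_h > threshold,
        "encoded_uuid_strings": count_uuid_strings(encoded),
        "size_factor": round(len(encoded) / len(raw), 2),
        "roundtrip_ok": uuid_decode(encoded.decode("ascii"), len(raw)) == raw,
    }


if __name__ == "__main__":
    for key, value in entropy_report().items():
        print(f"{key:>22}: {value}")
```

Random bytes sit near 8 bits/byte; the same bytes written as UUID text use only the 16 hex digits plus separators, so they land near 4 bits/byte at roughly 2.3x the size, and a threshold of 7 no longer fires. The regular string shape is what a detection should key on instead: a large run of UUID-formatted strings is unusual in benign binaries, and a loader that turns them back into bytes at runtime has to call an API such as `UuidFromStringA` or carry its own parser.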
@MSecOps
MSec Operations
1 year
RT @RedTeamTactics: Definitely recommend this! I used the NimSyscallPacker by @ShitSecure and it was a game-changer. Imagine what the R…