C2 Agent for Mythic with advanced evasion capabilities, supporting dotnet/powershell/PE/shellcode/BOF memory execution, lateral movement, pivoting, SOCKS, and more. Kharon is a fully Position-Independent Code (PIC) shellcode and llvm support.

The communication is all encrypted with AES256

• Named pipe-based C2 channel
• Blends with legitimate Windows file sharing traffic

• Web-based encrypted communication
• Supports TLS-secured connections

• Uses hardware breakpoints to bypass AMSI/ETW.
• Sleep obfuscation via timers.
• Heap obfuscation during sleep (XOR).
• Indirect syscalls (e.g., Halo's Gate).
• Call stack spoofing based on SilentMoonwalk.

Supports injection of dotnet assemblies, PE files, shellcode, and Beacon Object Files (BOF). All execution is inline with exception of the shellcode for a while.

Allows customization of injection techniques, including:

• Allocation: DripAlloc or standard allocation.
• Writing: WriteMemoryAPC or standard memory writing (for inline is just used custom memcpy).
• Execution: Normal thread creation, thread pool execution, or direct pointer invocation (inline execution).

Can inject .NET assemblies and keep them in memory for later execution without reloading.

Its using the PowerPick dotnet, you can pass the script url and command for execution.

PE files can also be kept in memory and executed later. While idle, they are obfuscated using SystemFunction040/SystemFunction041 (also used for sleep obfuscation).

Standard shellcode execution for post-exploitation, similar to BOF. Includes a specific template for custom shellcode development, allowing users to code their own shellcode and use it as a new command.

Beyond standard BOF execution, the agent provides custom APIs such as BeaconVirtualAlloc and BeaconLoadLibrary. Future updates may include more APIs. The advantage of using these APIs is that they execute in the preferred context with stack spoofing and/or indirect syscalls.

Advanced movement techniques:

• WMI (Windows Management Instrumentation) execution
• SCM (Service-based execution with custom implementation)
• Seamless network traversal capabilities

Core file management commands:

Here's an enhanced version of the Process Management section with more technical depth and better organization:

Advanced process manipulation engine with defensive evasion capabilities:

Advanced Capabilities:

• PPID Spoofing: Masquerade as child of legitimate processes (explorer.exe, svchost.exe, etc.)
• Argument Spoofing: Forge command-line arguments to evade detection
• BlockDLL Enforcement: Restrict non-Microsoft DLL injection
• Suspended Process Creation: For memory manipulation prior to execution
• Output Redirection: Anon pipe streaming (STDOUT/STDERR)

Detailed enumeration of running processes with the following information:

• Image Name: The executable name (e.g., explorer.exe, svchost.exe)
• Full Path: Complete on-disk location of the process binary
• Command Line: Full execution command with arguments (if available)
• Process ID (PID): Unique numerical identifier
• Parent PID (PPID): Process that spawned the current instance
• Session ID: Terminal session association
• User Context: Security context under which the process runs
• Handle Count: Number of open handles (files, registry keys, etc.)
• Thread Count: Active execution threads

Kill the existence process.