MacroSec Ltd
- Nairobi, Kenya
- https://macrosec.tech
- All languages
- ASP.NET
- Assembly
- AutoHotkey
- AutoIt
- Batchfile
- Bicep
- Boo
- C
- C#
- C++
- CMake
- CSS
- D
- Dockerfile
- Go
- Groovy
- HCL
- HTML
- Inno Setup
- Java
- JavaScript
- Jinja
- Jupyter Notebook
- Kotlin
- Lua
- Makefile
- Nim
- PHP
- Pascal
- Perl
- PowerShell
- Python
- Roff
- Ruby
- Rust
- SCSS
- Shell
- Smarty
- TypeScript
- VBA
- VBScript
- Visual Basic
- Vue
- XSLT
- YAML
- YARA
- Zig
Starred repositories
Vulnerable applications lab — 11 CVEs, Docker-based
The Phantom Whisper is a sophisticated, production-grade Python orchestration framework designed to deploy zero-click exploits with surgical precision.
Dynamic Device Phishing tool that creates a new code only when a user clicks on a link or an email is sent.
A golang-written credential harvesting framework leveraging eBPF for kernel-level monitoring with anti-detection capabilities.
Phantom-Evasion-Loader is a standalone, pure x64 Assembly injection engine engineered to minimize the detection surface of modern EDR/XDR solutions and Kernel-level monitors like Falco (eBPF). It l…
Monitor the Windows Event Log with grep-like features or filtering for specific Event IDs
A Cobalt Strike BOF implementation of the SilentHarvest registry dumping technique
This is a simple modbus server that can be used for attack simulations.
Elastic Security detection content for Endpoint
Live ETW-TI event viewer for Windows kernel threat-intelligence telemetry. Research tool for exploring the same signals commercial EDRs rely on.
Tailscale-based Windows VNC persistence tool with Session 0 isolation bypass, embedding a full WireGuard peer and RFB server into a single drop-in binary.
Proof-of-concept implementation of AI-enabled postex DLLs
Cobalt Strike BOF used to perform privilege escalation by exploiting the SeImpersonate privilege. Based on the original GodPotato PoC by BeichenDream.
A stealthy loader for shellcode staged with http/https like Sliver
Run PowerShell command without invoking powershell.exe
This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots.
Repository hosting the bluehammer vulnerability
Nim implementation for sud0Ru's Credential Dumping from SAM/SECURITY Hives Method (a.k.a. SilentHarvest)
NTLM HTTP relay tool with SOCKS proxy for browser session hijacking
Havoc C2 BOF port of the KslD.sys BYOVD technique. Credential extraction from lsass via physical memory — no OpenProcess, no auditable API calls.
Chocapikk / pwncat-vl
Forked from calebstewart/pwncat
Fancy reverse and bind shell handler
The samples referenced in my book, Evasive Malware (No Starch Press)