Welcome
Welcome! As of July 31, 2025, I’ve completely restyled this blog to make it more accessible, more readable, and hopefully more useful to anyone diving into the weird and wonderful corners of cyber...
Welcome! This blog is a collection of experiments, PoCs, writeups, and tools focused on Windows internals, red teaming, evasion techniques, and low-level exploration. Whether you're into user-mode or kernel-mode malware techniques, offensive tradecraft, or some light reverse engineering, you're in the right place.
SilentMoonwalk: Implementing a dynamic Call Stack Spoofer
TL;DR With the evolution of cyber defence products, we’ve seen in the Red Teaming and Malware Development community a rise in advanced memory evasion techniques, which aim to bypass the detection...
TL;DR Process injection is a widespread defense evasion technique often used in malware development, and consists of writing (injecting) code into the address space of a remote process. Altho...
Recently, @zyn3rgy released LdapRelayScan, a tool to check for LDAP protections regarding the relay of NTLM authentication. The tool can tell you whether an LDAP server enforces certain kinds of pr...
TL;DR As already explained in my previous post “The path to code execution in the era of EDR, Next-Gen AVs, and AMSI”, various security products, such as AVs and EDRs, place hooks in user-mode API...
Recently, I developed a PoC AV/EDR Framework, called Inceptor. More information about the tool can be found in the repository itself, and in the accompanying blog post. What is important to know, ...
As most offensive tool developers know well, .NET provides a mechanism called Platform Invoke (aka P/Invoke) that allows calling unmanaged APIs directly from .NET applications. This technique ha...
TL;DR During red teaming engagements or regular penetration testing, I always need to bypass certain AV, EDR or other defensive mechanisms. My usual approach was to just get rid of the signatures ...
TL;DR This post is a brief description of the work recently conducted on a known PowerShell obfuscator named Chimera by tokioneon_, which resulted in the creation of the illegitimate son of Chime...