Technical security research and writeups

Red Teaming

  • Centurion: Bring Your Own Execution Environment

    How we built a custom virtualized loader with its own ISA, PE loader, TLS stack, and software crypto coprocessor in about a week using LLM-assisted development — and what the BYOEE model means for offensive tooling.

    read more →
  • Et Tu, RDP? Detecting Sticky Keys Backdoors with Brutus and WebAssembly

    How we built automated RDP sticky keys backdoor detection into Brutus using WebAssembly to embed IronRDP, a Rust RDP library, into a single statically-linked Go binary.

    read more →
  • Domain Fronting is Dead. Long Live Domain Fronting!

    We discovered that domain fronting still works against Google's infrastructure, enabling covert C2 traffic through services like Google Meet, YouTube, and GCP. This research demonstrates how attackers can tunnel traffic through domains too critical for organizations to block.

    read more →
  • Beyond the Last Mile: How Internet Routing Shapes Red Team Ops

    Understanding how internet routing infrastructure impacts red team operations, particularly for traffic tunneling and data exfiltration. Exploring why routing paths, international transit, and peering relationships often matter more than raw connection speeds.

    read more →
  • Ghost Calls: Abusing Web Conferencing for Covert Command & Control (Part 2 of 2)

    Part two of the Ghost Calls series details how we tunnel real-time C2 traffic through Zoom and Microsoft Teams TURN infrastructure using WebRTC — covering the approaches we evaluated, the WebRTC protocol suite, our SCTP-based implementation, and a walkthrough of the TURNt utility.

    read more →
  • Ghost Calls: Abusing Web Conferencing for Covert Command & Control (Part 1 of 2)

    Web conferencing covert C2 turns the most trusted traffic on an enterprise network — the daily Zoom and Teams calls defenders are told to exempt from inspection — into an interactive command-and-control channel. Part one dissects the internals of Zoom's architecture, transport protocol, and clients.

    read more →
  • PortBender: TCP Port Redirection for Red Team Operations

    How to redirect traffic from an incoming TCP port using the PortBender utility to perform SMB relay attacks and simulate Duqu 2.0-style persistence through a C2 framework like Cobalt Strike.

    read more →
  • Extending LLVM for Code Obfuscation (2 of 2)

    Part two of the LLVM code obfuscation series. This installment covers developing a more complex pass that automatically encrypts string literals during the compilation process by manipulating the LLVM IR.

    read more →
  • Extending LLVM for Code Obfuscation (1 of 2)

    An introduction to binary obfuscation techniques through LLVM compiler customization. Part one covers LLVM fundamentals, development environment setup, and developing an LLVM pass for junk code insertion.

    read more →