@huskyhacks@infosec.exchange | Matt | HuskyHacks
infosec's little brother | the blue teamer's red teamer | Principal Sec Researcher & Red Teamer | 🎯 OffensiveNotion co-dev | PMAT creator | Cosmo + Kiki's dad
Oct 10, 2022 11 tweets 5 min read
[🤔] So MSF/Meterpreter shouldn't be used as a C2. Got it. What features make something secure enough to use as a proper C2 then?

Let's compare and contrast MSF/Meterpreter and @merlin_c2 to highlight some features that I think make a C2 safe enough for ops
@merlin_c2 The biggest one, to me, is payload authentication. Not just that a payload can connect to a server, but that *your* payload *only* connects to *your* server.

MSF can do this but not by default. Merlin uses OPAQUE to do so.

posts.specterops.io/merlin-goes-op…
Feb 12, 2022 10 tweets 3 min read
🧵D/Invoke for D/ummies 🪡
Why just invoke the P when you can invoke the D?

Wanted to slap together a quick How-To on setting up a simple PoC using D/Invoke.

Read on and soon, you too will be invoking the D with vigor!

1/n
D/Invoke allows you to call unmanaged Win APIs without defining them statically in your program. It's much more OPSEC friendly than calling those APIs directly.

2/n
Jan 18, 2022 5 tweets 2 min read
🧵Notion for malware delivery🦠

WhisperGate's Discord CDN hosted malware had me thinking, what other common desktop apps have similar file embed/retrieval capabilities?

How about my favorite notetaking app, Notion?

1- Embed your payload. I'm using a Covenant Grunt HTA.
2- Running a web proxy of your choice, click to download the HTA you just embedded. Intercept this request and find the GET request to the AWS S3 resource for this file.
Jan 17, 2022 30 tweets 9 min read
☢️WhisperGate Wiper Malware Analysis Live Thread

here we go 🧵 Four files total, retrieved from VX-Underground on Jan 16th, 2022

Stage 1: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Stage 2: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78