
Posts by _RastaMouse

Very cool

3 days ago 2 0 0 0

The name of this post is golden

3 days ago 1 0 0 0
Small PIC Energy I have a challenge for you: How much beaconing agent functionality can you fit into 4KB PIC? How do you do it? This isn’t a shellcode golf challenge. It’s about elegant ways to build common agent s…

Small PIC Energy

aff-wg.org/2026/04/13/s...

11th release. JSON-over-HTTP API.

3 days ago 7 4 0 2

This is good on one hand because it demonstrates how offence informs defence, but god damn means I have to update the course now 😅

4 days ago 1 0 0 0

Elastic have pushed some new rules to detect DLL loads and API calls, where the call stack contains a module known to be used for ROP gadgets. This includes dfshim.dll, which I use in RTO II.

4 days ago 3 0 1 0

I've added the sleepmask COFF to my Crystal-Loaders repo. github.com/rasta-mouse/...

6 days ago 3 2 0 0

[BLOG]
This post demonstrates how to weave evasion tradecraft (using Crystal Palace) into a merged COFF suitable for use as Beacon's sleepmask. It's actually more of an exploration as to whether evasion knowledge in a capability is good or bad (or both).
rastamouse.me/crystal-mask/

1 week ago 7 2 0 2

Cobalt Strike Research Labs brings cutting-edge tradecraft straight into your workflow through the Outflank platform.
Think: Custom loaders, Sleep masks. UDC2. Experimental tradecraft - delivered faster.


Learn more in our live demo on April 14: https://ow.ly/fQLl50YFTwq

1 week ago 2 1 0 0

I've put up the slides from my Zer0Con 2026 presentation on Administrator Protection. github.com/tyranid/info...

1 week ago 6 3 0 0

TinyC2 uses CPL to build PIC C2 channels for use with a demo payload

"I got inspired by recent features in Havoc Pro (Runtime Channel Switching) and Cobalt Strike (UDC2). So I tried reimplementing them, and as a result I made TinyC2."

Source: x.com/cr4ckeddd/st...
Repo: github.com/0xPrimo/TinyC2

1 week ago 4 1 0 0
New Mouse in the House: Zero-Point Security Training Joins the Fortra Family Fortra has acquired Zero-Point Security, and Daniel Duggan (RastaMouse) is joining the team to build out the next generation of offensive security training.

Exciting news: Zero-Point Security has joined Fortra and will work alongside the @cobaltstrike.bsky.social, @outflank.bsky.social, and @coreimpact.bsky.social teams to develop the next generation of offensive security training! Get more details on the blog www.cobaltstrike.com/blog/new-mou...

2 weeks ago 21 3 3 1

Now available in the 0.4.0 release. github.com/crystal-c2/c...

2 weeks ago 1 0 0 0

Adding the Crystal Palace YARA generator to CrystalC2. The feedback loop between modifying the .spec, clicking 'build' in the client, and seeing the new rules is super-fast.

2 weeks ago 4 0 0 1

I've removed SOCKS as a built-in option and replaced it with a generic 'payload extension' system.
rasta-mouse.gitbook.io/crystalc2/do...

2 weeks ago 4 0 0 0

Not anymore 😂

2 weeks ago 1 0 0 0

I feel this. It's why I often disable PRs on my repos.

2 weeks ago 0 0 1 0

Done

2 weeks ago 0 0 0 0
Loader/Agent Memory Allocation | Documentation | CrystalC2

I wrote a little piece on how to modify CrystalC2's default memory allocation and freeing strategies.
rasta-mouse.gitbook.io/crystalc2/do...

2 weeks ago 2 0 1 0

Added initial SOCKS support to CrystalC2. Keeping modularity in mind, the 'extension' needs to be enabled when building a payload. Note that it's the CrystalC2 client that acts as the SOCKS server (rather than the C2 server). Just point tools at your localhost and away you go.

3 weeks ago 6 1 0 1

Introducing Cobalt Strike Research Labs! This new offering provides cutting edge tradecraft to get new capabilities into your workflows faster.

Exclusively available in our Adversary Emulation Suites. Read the announcement:
www.cobaltstrike.com/blog/introducing-cobalt-...

3 weeks ago 2 1 0 0

Part of why I started this project was to explore different approaches to things like this 🙂 They're fun to think about.

3 weeks ago 2 0 0 0

Got some SOCKS magic working with CrystalC2 but the bigger challenge is how best to implement it. Make it a postex PICO? Expose an option to merge it into the agent at build time? Something else?

3 weeks ago 4 1 1 0

Another option could be for your main agent to resolve all the APIs and store them in a struct somewhere, then just pass a pointer to that struct to the PICO, probably via an exported function. Kinda like how CS's Beacon agent passes syscall info to BOFs.

3 weeks ago 1 0 0 0

You can see an example of how I'm using that here: github.com/crystal-c2/c...

3 weeks ago 0 0 0 0

I've not read this whole thread, so my reply may not make any sense, but here goes: you can use the import command in a spec file to patch function pointers (of functions that exist inside your agent), into the PICO as it's loaded with PicoLoad.

3 weeks ago 1 0 2 0

There's now a little bit of documentation:
rasta-mouse.gitbook.io/crystalc2

3 weeks ago 4 2 0 0

There's some elegance in the simplicity (imo), as it makes them very easy to modify or replace. Here's a view of the agent spec.

3 weeks ago 2 0 0 0

No, I'm currently just packaging a resources directory with the client release.

3 weeks ago 0 0 1 0

Published the source if anyone fancies a look.
github.com/crystal-c2
No docs or pre-built releases yet, so expect to be confused :)

3 weeks ago 6 2 1 1

Built a C2 optimised for hyprland-style dynamic window tiling (instead of the classic tab-approach)

3 weeks ago 5 0 1 1