Posts by Raphael Mudge
I've added the sleepmask COFF to my Crystal-Loaders repo. github.com/rasta-mouse/...
Also, something that stood out to me:
The sleep masking BeaconGate is *really* simple. Like, easy to read, follow, work with. Stands on its own
BUT, the magic... was how Daniel used Crystal Palace to link-time ADD draugr stack spoofing without modifying the base BeaconGate module. Really cool.
Great blog post by @rastamouse.me on how to use Crystal Palace with Cobalt Strike's BeaconGate.
The post compares+contrasts this approach with Crystal Kit lessons learned applying 'no knowledge' evasion via a DLL loader.
@badsectorlabs.com Just saw your taking a break post:
blog.badsectorlabs.com/taking-a-bre...
Thank you for what you did. I agree no 1:1 replacement. Your curation and capture of under-the-radar stuff was excellent. Enjoy the break and thank you again!
TinyC2 uses CPL to build PIC C2 channels for use with a demo payload
"I got inspired by recent features in Havoc Pro (Runtime Channel Switching) and Cobalt Strike (UDC2). So I tried reimplementing them, and as a result I made TinyC2."
Source: x.com/cr4ckeddd/st...
Repo: github.com/0xPrimo/TinyC2
Congratulations Daniel. You've created something very special in the red teaming space.
"Feedback from training can even flow back into the product design."
This. 100%. Build training for a process and what a product needs to support that process becomes obvious. It's a super-power insight.
Part of TCG's vision is stand-alone evasion POCs published and demoed w/o weaponization--but containerized and useful in C2s, B&AS, etc.
@almondoffsec.bsky.social did this with their call gadget evasion research following @rastamouse.me's LibTP API:
offsec.almond.consulting/evading-elas...
Neat!
The above is happening. We're in a best-case for something this young:
@calz0n3.bsky.social's Celebi (Mythic PIC agent)
github.com/ofasgard/cel...
Celebi and Crystal C2 re-using @pard0p.bsky.social's WinHTTP:
github.com/pard0p/LibWi...
Several others too:
tradecraftgarden.org/references.h...
Efforts that apply/re-use these containers (e.g., PIC agents, stand-alone tradecraft POCs, UDRLs, re-usable libs/picos) or demo application architectures enabled by dynamic composition, AOP (flexibility via clean instrumentation), etc. are moving this train forward:
www.youtube.com/watch?v=SsYO...
I'm watching b/c I know the pain of monolithic C2 arch. It's a time cumulative agility killer.
I'm [trying to] seize new interest in PIC+archs+compiler-enabled tradecraft to pre-empt siloed knowledge w/ open containers/conventions that cross use cases (B&AS, Dtct Eng) & OSS, commercial, internal C2
If you're a C2 engineer, I encourage you to watch @rastamouse.me's expanding Crystal C2 docs. It's a World-of-tomorrow exhibit for what C2 architecture could be.
Use-time capability composition, radical instrumentation opportunity, & reducing agent's burden
rasta-mouse.gitbook.io/crystalc2/do...
Or, would a crystalpalace-latest.tgz URL redirect be better?
Haha <3 I could put a .git somewhere to pull updates? Would that help?
GitHub comes with a default social contract and workflow that presumes open source == open dev model. Not for me--I'm someone that loves to just throw code over a wall periodically.
Added initial SOCKS support to CrystalC2. Keeping modularity in mind, the 'extension' needs to be enabled when building a payload. Note that it's the CrystalC2 client that acts as the SOCKS server (rather than the C2 server). Just point tools at your localhost and away you go.
post-ex PICO... keep it memory resident, track via an extensions linked list, and call it (e.g., go or exportfunc) every check-in. Let it keep its own state and such.
merge-in is attractive too. Pick your features at build time. Avoids new mem allocs for the feature
Decisions, decisions, decisions.
There's now a little bit of documentation:
rasta-mouse.gitbook.io/crystalc2
I'm just eyeballing the code now. Is resources/agent.spec dynamically generated? Trying to take a peek at that piece of the system.
Published the source if anyone fancies a look.
github.com/crystal-c2
No docs or pre-built releases yet, so expect to be confused :)
@pyr0.bsky.social started a History of Hacking conference called NaClCon (May 31-Jun 2 in NC). Happy to see speaker list tilts to the 1990s. Keynote by en.wikipedia.org/wiki/Lee_Fel... (designer of Osborne 1 computer). I smile as I type that: capital "H" hackers. Nice lineup.
naclcon.com/speakers
If anyone wanted to play with (or look at) the source to the latest Crystal Palace, the cpsrc20260303.tgz archive I shipped had contents from an out of date branch. Oops :)
Source for the 20260303 release is on TCG now. Validated it builds what shipped.
Thanks @shogunlab.bsky.social for the heads up
Source is up at:
tradecraftgarden.org/crystalpalac...
% md5 cpsrc20260303a.tgz
MD5 (cpsrc20260303a.tgz) = 50e106c1f71a705720b9ecfd82c9bb1d
Thank you for letting me know about this.
I see what happened. I did the ised work on an ised branch and built the dist release out of that. But, I didn't merge ised to main. My release scripts export source out of main. :) I'm going to remedy that now and will post a message here as soon as the right source archive is live on the site.
Bypassing EDR in a Crystal Clear Way
by x.com/LorenzoMeacci
Blog: lorenzomeacci.com/bypassing-ed...
Project: github.com/kapla0011/Ka...
Still very much an early WIP, but the Crystal Palace-based Mythic agent I'm working on can be found here:
github.com/ofasgard/cel...
Definitely a balancing act on this one. And, I agree fully. Good project ownership/management requires strong opinions and strong sense of what "the integrity" of the project is. :)
I've added some YARA rules to the Crystal-Kit repo, covering both the loader and the tradecraft PICO. I was pleasantly surprised to see the generator target aspects like heap obfuscation, call stack spoofing, CFG bypass, and memory cleanup.
github.com/rasta-mouse/...
The above doesn't just apply to C2s or offensive security. Platform owners of any ilk, who see a problem that their community and partners are collectively trying to solve, would do well to look for that expended energy, see the barriers, and ask what they can do to make that energy more effective
This isn't new for me. I ran CS this way too. My theory remains: if 1-3 people did something the hard way, maybe 5-100 people will engage with, bring new ideas, and build on something if I solve the ass pains well enough.
This is some of the most important project management advice I have to offer
And, the above is one of the ways I think about leverage. It's never an isolated thought exercise. It really is seeing what you want to do, filtering w/ and re-assessing my scope, making good guesses about what's making your work harder, and trying to go from painful slog to fast effort/reward loop.