Malwares Projects
Some projects are available on my GitHub : https://github.com/raphaelthief
Tor-based reverse shell implant
This project demonstrates a simple proof of concept for establishing a
fully undetectable (at least for Windows Defender) reverse shell using
the Tor network. The idea is to leverage Tor as a covert communication
channel between a target machine and an attacker-controlled server.
Unlike
traditional reverse shells that may be flagged or blocked by security
solutions, this PoC uses a legitimate browser-based Tor client to
initiate a connection to a hidden service (Onion service), effectively
bypassing outbound network filters and obfuscating the origin and
destination of traffic.
The payload includes a continuous loop
designed to maintain a persistent connection attempt to the Onion
server. If the server goes offline, execution does not terminate,
allowing the connection to be automatically re-established once the
Onion service is back online.
More Details
C2 Google Calendar
The custom Command and Control (C2) system I developed leverages
Google Calendar as its communication channel, utilizing a stealthy and
highly evasive approach to avoid detection by traditional antivirus
software such as Windows Defender. The client is custom-built and
designed to blend into normal system activity by using legitimate
Google API requests to read and write events within a designated
calendar. These events are used to transmit encoded commands and
receive execution results, effectively creating a covert
back-and-forth communication layer between the compromised machine and
the attacker. Because the traffic is routed through Google’s
infrastructure and mimics normal user behavior, it remains undetected
by standard endpoint security solutions. No suspicious binaries, C2
domains, or unencrypted payloads are present, which significantly
reduces the detection surface. This makes the calendar-based C2 an
ideal vector for stealthy command execution and data exfiltration in
highly monitored environments.
My C2 supports the management of
multiple clients, making it a fully operational Remote Access Trojan
(RAT). Each client is capable of embedding custom functionalities
depending on the commands it receives. For example, a melt function
that allows the client to remove itself after execution. A key feature
of the client is its ability to integrate Living Off The Land Binaries
and Scripts (LOLBAS) for command execution, leveraging trusted Windows
components to perform tasks while minimizing detection. This not only
enhances stealth but also provides flexible and modular control over
compromised machines.
Trojan RAT
This is both my longest and most advanced project and paradoxically,
also the least finished. Since high school, I've been coding
"classic" malware like keyloggers, info stealers, and
PHP-based RATs. This project is essentially a compilation of all
those, but with far more features. I love working on it because it’s
incredibly engaging and technically challenging, especially when it
comes to bypassing modern defenses.
I'm a big fan of the
DarkComet RAT (made in France!), but of course, my project is strictly
personal and will never be released publicly, which is why I even
reached out to ANSSI. The current version is outdated and heavily
packed, which increases detection. I’m planning a more lightweight
version that would act mainly as a downloader, with functionalities
delivered as modular plugins to reduce both size and detection.
Basic Operation of an Infostealer
This project is a minimalist proof of concept designed to illustrate
the internal logic behind infostealer malware in an educational
context. It walks through how sensitive user data stored in Google
Chrome, such as passwords, cookies, autofill entries, credit card
information, and browsing history, can be manually extracted and
decrypted using Python and native Windows APIs. Its goal is to make
such techniques understandable and reproducible for educational or
research purposes, not to support malicious use.
The script
operates locally by accessing Chrome’s internal SQLite databases and
decrypting protected data using the operating system's own
cryptographic functions (CryptUnprotectData). It supports multiple
Chrome profiles (e.g., Default, Profile 1, etc.), and creates a
temporary output file that logs all retrieved information in a
human-readable format. After collection, it can optionally send the
results via a Discord webhook (purely for demonstration purposes), and
finally deletes the file to simulate typical stealer behavior.
From
a technical perspective, the script uses pycryptodome to handle
AES-GCM decryption for newer Chrome versions, and uses structured
queries to interact with Chrome's data files. Passwords, cookies,
credit cards, and IBANs are decrypted using the master key extracted
from Chrome’s “Local State” file, while other data is read in
plaintext from their respective tables.
The project deliberately
avoids any obfuscation or anti-detection logic. It is not designed to
bypass antivirus solutions or execute silently. On the contrary, it
aims to keep every step transparent to highlight how simple and
accessible these techniques can be when understood. This reinforces
the idea that modern malware is often just a form of automation
layered over operations that can be manually replicated.
Overall,
the project serves as a learning resource for students, analysts, and
researchers looking to deepen their understanding of browser-based
data theft techniques and the operational flow of basic infostealers.
It demystifies how such malware works by reducing it to a simple,
readable Python script.
More Details
UAC Bypass Dropper
This proof-of-concept (PoC) demonstrates a method for bypassing User
Account Control (UAC) on Windows using the well-known fodhelper.exe
auto-elevation exploit. The code leverages a registry hijack under the
current user’s hive to trick fodhelper.exe into executing an arbitrary
binary with elevated privileges, effectively bypassing the standard
UAC prompt without requiring the user to confirm the elevation.
The
mechanism works by first checking whether the specific registry key
used in the exploit already exists. If it does, the application
assumes it has already been relaunched with administrative rights and
proceeds to spawn a privileged command prompt. Otherwise, it creates
the necessary registry structure, pointing to the current executable.
It uses PowerShell commands to write the registry entries that will
trigger the elevation path through fodhelper.exe.
Once the
malicious registry keys are in place, the program launches
fodhelper.exe, which, due to its auto-elevated execution context and
lack of UAC prompt, triggers the relaunch of the current program with
admin rights. A delay is introduced before and after launching
fodhelper.exe to evade detection by Windows Defender and to ensure the
exploit chain has enough time to complete. After elevation, the script
cleans up by removing the registry keys to reduce traces of the
operation.
This PoC can be adapted into a dropper, serving as the
initial stage in a broader attack chain. With administrative
privileges obtained via this UAC bypass, a dropper could disable or
reconfigure Windows Defender, such as by adding exclusion paths. It
could then download a secondary payload potentially malicious and
store it in the excluded directory. This allows the payload to execute
without interference from Windows security mechanisms.
Although
this implementation is designed for research and educational purposes,
the technique itself mirrors real-world adversarial behavior and is
often abused by malware to gain persistence and stealth. For
defenders, understanding and detecting such misuse of trusted Windows
binaries and registry manipulation is critical in maintaining system
security.
More Details