Red & Lonesome | RWXStoned

Using Slack links-preview to smuggle C2 in locked-down environments.

(even when Slack traffic is restricted to your corporate workspace)

Posted on June 18, 2026

Detecting and blocking anomalous web requests has become trivial for Blue Teams, and if you are on a red team engagement, an implant pinging constantly to mybrandnewdomain-about-cooking.lol will not fly nowadays. Using External C2 has become one of the more... [Read More]

My Beacon 2025 Talk on User-Defined Reflective Loader

A friendly intro to Cobalt Strike's UDRL

Posted on November 19, 2025

I had the pleasure of giving this talk a London Beacon 2025 conference earlier this year and here are the slides: [Read More]

My x33fcon 2025 Talk on Code Injection

Taming the Windows Loader for Stealthy Injection

Posted on September 9, 2025

This is the link to my x33fcon 2025 Talk this year: Taming the Windows Loader for Stealthy Injection [Read More]

Making the Debugging of UDRLs (a bit) Easier

a simple addition to the UDRL-VS framework to enable the logging of debug strings in your loader at runtime

Posted on July 6, 2025

The introduction of this Visual Studio project as a template for building Cobalt Strike UDRL has come with a lot of little gimmicks aimed at making your life a bit easier as a malware developer. Developing Position Independant Code (PIC)... [Read More]

How is my Browser blocking RWX execution ?

reviewing an EDR-like mechanism implemented by a popular browser

Posted on January 4, 2025

EDIT January 10, 2025 [Read More]