OP-001 · Adversary Emulation Program
APT29 Complete · 7/7 EDRs
APT Emulation Program
A research program reconstructing nation-state TTPs into functional offensive tooling — built from primary-source threat intelligence by Mandiant, MSTIC, CrowdStrike, LAB52, and FireEye. Each emulation takes a named campaign, reverse-engineers the actual behavioral patterns documented in the report, then re-implements them as working tools engineered to evade current enterprise defenses.
APT29 / Cozy Bear is the first completed emulation. A fully custom C2 framework and implant written from scratch in C, Python, and x86-64 assembly — no Cobalt Strike, no Brute Ratel, no Sliver. The implant architecture is inspired by LAB52's analysis of EasterBunny, APT29's Stage 3 implant from a 2019 SVR operation: matryoshka-style encrypted payload nesting, PEB-walk API resolution via gs:[0x60], machine-bound decryption keys, and a reflective PIC loader. Tested and validated against 7 enterprise EDR products with stable beacons and command execution confirmed on each.
APT Roster
APT29
Cozy Bear / NOBELIUM
● Complete — 7/7 EDRs
APT28
Fancy Bear / SOFACY
● Next
Turla
Venomous Bear
○ Queued
Sandworm
Voodoo Bear
○ Queued
Berserk Bear
Dragonfly / Energetic Bear
○ Queued
EDR Bypass Results — APT29 Implant
CrowdStrike Falcon
● Bypassed
SentinelOne
● Bypassed
Cortex XDR
● Bypassed
Microsoft Defender
● Bypassed
Bitdefender
● Bypassed
Sophos
● Bypassed
Elastic Security
● Bypassed
01Init Access
02C2 Setup
03Discovery
04UAC Bypass
05Priv Esc
06Cred Access
07Def Evasion
08Persistence
09Lat Move
10Dom Priv Esc
11Dom Persist
12Cleanup
C2 Framework →
HTTPS Domain-Fronted
HAMMERTOSS
POSHSPY WMI
Custom teamserver · 3 independent C2 channels · Burn one, two survive
C / Win32x86-64 ASMIndirect SyscallsEkko Sleep Mask
Stack SpoofingModule StompingSection MappingRDLL
Domain FrontingHAMMERTOSSWMI Backdoor
PEB WalkPythonThreat Intel
EDRs Bypassed7/7
C2 Channels03
APTs Queued05
OP-002 · Browser-resident defense
Shipping · 75+ installs
ClickArmor
A browser extension built to catch what traditional endpoint tools miss — ClickFix lures, clipboard hijacking chains, credential phishing, and social engineering pretexts at the moment of contact.
- Analyzed 55,000+ phishing samples from PhishTank and ThreatFox to extract indicators and validate detection coverage against live adversary infrastructure.
- Reverse-engineered 5,000+ ClickFix domains to map execution chains, staging infrastructure, and obfuscation patterns.
- Enterprise offering (Armor Console) includes Splunk SIEM integration with structured
ditm:armor:agent events and agent enrollment.
ExtensionClickFixClipboard HijackSplunk SIEMArmor Console
Installs75+
TelemetrySplunk
Samples55k+
OP-003 · Offensive Infra Lab
Operational
Phishing Infrastructure Lab
End-to-end AiTM phishing range built to study adversary delivery infrastructure, MFA bypass techniques, and anti-analysis evasion.
- Deployed Evilginx with custom phishlets for MFA bypass and session hijacking; automated provisioning with Terraform and Caddy reverse proxies.
- Implemented JA4 fingerprinting, headless browser detection, website keying, and dynamic obfuscation to study anti-analysis evasion patterns.
- Tested HTML smuggling via SVG payloads against Google Safe Browsing to understand delivery evasion at scale.
AiTMEvilginxMFA BypassJA4HTML SmugglingTerraform