TOOLS_SUITE
INITIAL_ACCESS
ACTIVE49 modulesPython

PHOBOS

Weaponized delivery artifact factory.

Forty-nine Python modules generating weaponized delivery artifacts across 33 CLI-exposed payloads plus 15 internal exploit chains. Every artifact wraps a shared PowerShell dropper with baked AMSI bypass and TLS staging. Nightmare-Eclipse zero-day PoC wrappers provide Defender termination, SAM extraction, privilege escalation, and BitLocker key recovery.

scroll to access

Kill_Chain_Position

Reconnaissance
Initial_Access
Execution
Persistence
Privilege_Escalation
Lateral_Movement
Collection
Command_& Control
Exfiltration

Capabilities

What it can do.

Office XLM / VBA macro

Excel 4.0 XLM via raw OOXML injection and Word VBA via OLE Compound File Binary, both with AMSI bypass

HTML / MHTML smuggling

JavaScript Blob URL silent download; MHTML web archive with embedded XLM macro trigger

Steganographic PNG dropper

LSB-encoded payload extracted via HTML Canvas + JavaScript, no fetch required

Polyglot PDF / ZIP

Valid PDF with /Launch action and valid ZIP — dual-parse ambiguity bypasses MIME-type filters

ISO / VHD / WIM containers

Disk image formats with embedded LNK, each bypassing Mark-of-the-Web via different mechanisms

Theme / URL / Search coercion

Zero-click NTLM hash capture via .theme INI UNC paths, .url IconFile, and .search-ms connectors

Defender termination

UnDefend passive TOCTOU — locks MpSigStub .vdm files via exclusive file handle, no admin required

Privilege escalation arsenal

GreenPlasma CTFMON COM hijack, MiniPlasma CldFlt pool spray, RedSun Cloud Files race, RoguePlanet SMB coercion

Architecture

How it's built.

Forty-eight modules in phobos/ share a common PowerShell dropper (_ps.py) with baked AMSI bypass, TLS 1.2, and string obfuscation. Each module accepts PhobosConfig (stager URL, engagement ID, output directory) and produces a DeliveryArtifact manifest. The Typer CLI exposes 33 modules as subcommands; 15 internal modules (privilege escalation, SAM dump, Defender kill, registry tunnels, BitLocker extraction) are orchestrated by the engagement_chain.py six-phase kill-chain sequencer. Five Nightmare-Eclipse PoC wrappers in tools/ embed PowerShell payloads as Python string templates and compile reference C/C# source externally.

Engagement_Types

Where it fits.

Phishing simulationRed team initial accessPayload delivery testingAV/EDR evasion assessmentFull kill-chain engagement

Also_In_The_Suite

Secure_Channel

Authorized engagements only.

All work requires a signed scope document. Initial contact is encrypted. Response within 48h.

INITIALIZE_CONTACT