Weaponized delivery artifact factory.
Forty-nine Python modules generating weaponized delivery artifacts across 33 CLI-exposed payloads plus 15 internal exploit chains. Every artifact wraps a shared PowerShell dropper with baked AMSI bypass and TLS staging. Nightmare-Eclipse zero-day PoC wrappers provide Defender termination, SAM extraction, privilege escalation, and BitLocker key recovery.
scroll to access
Kill_Chain_Position
Capabilities
Office XLM / VBA macro
Excel 4.0 XLM via raw OOXML injection and Word VBA via OLE Compound File Binary, both with AMSI bypass
HTML / MHTML smuggling
JavaScript Blob URL silent download; MHTML web archive with embedded XLM macro trigger
Steganographic PNG dropper
LSB-encoded payload extracted via HTML Canvas + JavaScript, no fetch required
Polyglot PDF / ZIP
Valid PDF with /Launch action and valid ZIP — dual-parse ambiguity bypasses MIME-type filters
ISO / VHD / WIM containers
Disk image formats with embedded LNK, each bypassing Mark-of-the-Web via different mechanisms
Theme / URL / Search coercion
Zero-click NTLM hash capture via .theme INI UNC paths, .url IconFile, and .search-ms connectors
Defender termination
UnDefend passive TOCTOU — locks MpSigStub .vdm files via exclusive file handle, no admin required
Privilege escalation arsenal
GreenPlasma CTFMON COM hijack, MiniPlasma CldFlt pool spray, RedSun Cloud Files race, RoguePlanet SMB coercion
Architecture
Forty-eight modules in phobos/ share a common PowerShell dropper (_ps.py) with baked AMSI bypass, TLS 1.2, and string obfuscation. Each module accepts PhobosConfig (stager URL, engagement ID, output directory) and produces a DeliveryArtifact manifest. The Typer CLI exposes 33 modules as subcommands; 15 internal modules (privilege escalation, SAM dump, Defender kill, registry tunnels, BitLocker extraction) are orchestrated by the engagement_chain.py six-phase kill-chain sequencer. Five Nightmare-Eclipse PoC wrappers in tools/ embed PowerShell payloads as Python string templates and compile reference C/C# source externally.
Engagement_Types
Also_In_The_Suite
Secure_Channel
All work requires a signed scope document. Initial contact is encrypted. Response within 48h.
INITIALIZE_CONTACT