Raphael Mudge
@raphaelmudge.bsky.social
📤 344
📥 20
📝 330
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran.
https://aff-wg.org
reposted by
Raphael Mudge
_RastaMouse
3 days ago
I've been pondering the pros and cons of a pure PIC agent vs a COFF agent with a PIC loader. Pure PIC sounds better on paper but I'm not convinced. Here's why I like the loader approach 🧵
reposted by
Raphael Mudge
Calzone
6 days ago
Taking a break from other projects, so just a small one for now: I made a little proof-of-concept HTML smuggling implementation using Rust's web assembly support:
github.com/ofasgard/smu...
GitHub - ofasgard/smuggle-rs: PoC for WASM HTML smuggling, written in Rust.
https://github.com/ofasgard/smuggle-rs
VIA:
x.com/NationalCCDC...
Congratulations to Dakota State University--the 2026 National Collegiate Cyber Defense Competition champions. A huge congrats to University of Virginia on 2nd and Western Washington University on 3rd.
8 days ago
reposted by
Raphael Mudge
20 days ago
Released Reflectra - modular UDRL on Crystal Palace. Built to replace default C2 DLL loaders and work well with AdaptixC2. • Stack spoofing • Indirect syscalls • Sleep Mask • ETW patch • DLL masking + Free & Run Feedback welcome 👇
github.com/k1ng0fn0th1n...
GitHub - k1ng0fn0th1ng/reflectra: Modular User-Defined Reflective Loader (UDRL) built on Crystal Palace for controlled DLL execution and evasion research.
https://github.com/k1ng0fn0th1ng/reflectra
reposted by
Raphael Mudge
_RastaMouse
10 days ago
Atomic BOFs
rastamouse.me/atomic-bofs/
I added Astral Projection by KuwaitiSt to the Community Pavilion too. It's a UDRL implementation of Advanced Module Stomping.
kuwaitist.github.io/posts/Astral...
github.com/KuwaitiSt/As...
GitHub - KuwaitiSt/Astral_Projection
https://github.com/KuwaitiSt/Astral_Projection
13 days ago
I did some garden tending: Updated the TCG community pavilion. Added some projects and posts. Re-organized the projects section. I also added a note about ground truth curation vs. provenance for red team use. Something I wrestled with/put some thought into.
tradecraftgarden.org/references.h...
14 days ago
Small PIC Energy
aff-wg.org/2026/04/13/s...
11th release. JSON-over-HTTP API.
I have a challenge for you: How much beaconing agent functionality can you fit into 4KB PIC? How do you do it? This isn’t a shellcode golf challenge. It’s about elegant ways to build common agent s…
https://aff-wg.org/2026/04/13/small-pic-energy/
22 days ago
reposted by
Raphael Mudge
_RastaMouse
24 days ago
I've added the sleepmask COFF to my Crystal-Loaders repo.
github.com/rasta-mouse/...
Great blog post by @rastamouse.me on how to use Crystal Palace with Cobalt Strike's BeaconGate. The post compares+contrasts this approach with Crystal Kit lessons learned applying 'no knowledge' evasion via a DLL loader.
26 days ago
@badsectorlabs.com Just saw your "taking a break" post:
blog.badsectorlabs.com/taking-a-bre...
Thank you for what you did. I agree no 1:1 replacement. Your curation and capture of under-the-radar stuff was excellent. Enjoy the break and thank you again!
28 days ago
TinyC2 uses CPL to build PIC C2 channels for use with a demo payload. "I got inspired by recent features in Havoc Pro (Runtime Channel Switching) and Cobalt Strike (UDC2), so I tried reimplementing them, and as a result I made TinyC2." Source:
x.com/cr4ckeddd/st...
Repo:
github.com/0xPrimo/TinyC2
about 1 month ago
Congratulations Daniel. You've created something very special in the red teaming space. "Feedback from training can even flow back into the product design." This. 100%. Build training for a process and what a product needs to support that process becomes obvious. It's a super-power insight.
about 1 month ago
If you're a C2 engineer, I encourage you to watch @rastamouse.me's expanding Crystal C2 docs. It's a World-of-tomorrow exhibit for what C2 architecture could be. Use-time capability composition, radical instrumentation opportunity, & reducing agent's burden.
rasta-mouse.gitbook.io/crystalc2/do...
Welcome | Documentation | CrystalC2
https://rasta-mouse.gitbook.io/crystalc2/documentation
about 1 month ago
reposted by
Raphael Mudge
_RastaMouse
about 1 month ago
Added initial SOCKS support to CrystalC2. Keeping modularity in mind, the 'extension' needs to be enabled when building a payload. Note that it's the CrystalC2 client that acts as the SOCKS server (rather than the C2 server). Just point tools at your localhost and away you go.
reposted by
Raphael Mudge
_RastaMouse
about 1 month ago
There's now a little bit of documentation:
rasta-mouse.gitbook.io/crystalc2
reposted by
Raphael Mudge
_RastaMouse
about 1 month ago
Published the source if anyone fancies a look.
github.com/crystal-c2
No docs or pre-built releases yet, so expect to be confused :)
@pyr0.bsky.social started a History of Hacking conference called NaClCon (May 31-Jun 2 in NC). Happy to see speaker list tilts to the 1990s. Keynote by en.wikipedia.org/wiki/Lee_Fel... (designer of Osborne 1 computer). I smile as I type that: capital "H" hackers. Nice lineup.
naclcon.com/speakers
NaClCON - The History of Hacking/Cybersecurity Conference - Speakers | NaClCON
https://naclcon.com/speakers
about 2 months ago
If anyone wanted to play with (or look at) the source to the latest Crystal Palace, the cpsrc20260303.tgz archive I shipped had contents from an out-of-date branch. Oops :) Source for the 20260303 release is on TCG now. Validated it builds what shipped. Thanks @shogunlab.bsky.social for the heads up.
about 2 months ago
Bypassing EDR in a Crystal Clear Way by x.com/LorenzoMeacci
Blog:
lorenzomeacci.com/bypassing-ed...
Project:
github.com/kapla0011/Ka...
Bypassing EDR in a Crystal Clear Way | Lorenzo Meacci
Most operators spend days engineering the perfect shellcode loader and ship the payload naked. This blog takes you from how C2 payloads actually work under the hood all the way to building a fully eva...
https://lorenzomeacci.com/bypassing-edr-in-a-crystal-clear-way
about 2 months ago
reposted by
Raphael Mudge
Calzone
about 2 months ago
Still very much an early WIP, but the Crystal Palace-based Mythic agent I'm working on can be found here:
github.com/ofasgard/cel...
GitHub - ofasgard/celebi: A WIP Mythic agent that uses Crystal Palace to build its payloads.
https://github.com/ofasgard/celebi
reposted by
Raphael Mudge
_RastaMouse
2 months ago
I've added some YARA rules to the Crystal-Kit repo, covering both the loader and the tradecraft PICO. I was pleasantly surprised to see the generator target aspects like heap obfuscation, call stack spoofing, CFG bypass, and memory cleanup.
github.com/rasta-mouse/...
Crystal-Kit/crystalkit.yar at main · rasta-mouse/Crystal-Kit
https://github.com/rasta-mouse/Crystal-Kit/blob/main/crystalkit.yar
So, when I was writing my latest blog post, a few typos got in there. It's how you know I wrote it. :) I really wanted to ship that day. The engineering was solid though. I put serious tortured (over-)thinking into the design & impl. decisions. I'm thrilled with the result.
vimeo.com/1170068618
Breaking content signatures with 'ised'
https://vimeo.com/1170068618
2 months ago
reposted by
Raphael Mudge
_RastaMouse
2 months ago
[BLOG] Islands of Invariance
rastamouse.me/islands-of-i...
A Scalpel, A Hammer, and a Foot Gun
aff-wg.org/2026/03/03/a...
Last month, I released a Yara signature generator for Crystal Palace. AKA, an invariant content observation tool. I then used the feature to document the physics of various content-signature parame…
https://aff-wg.org/2026/03/03/a-scalpel-a-hammer-and-a-foot-gun/
2 months ago
reposted by
Raphael Mudge
Calzone
2 months ago
Started working on a Mythic agent that uses Crystal Palace to generate its shellcode. So far I've just got it to emit some generic shellcode - it doesn't talk to Mythic yet. I'm hoping to make a fully modular agent that you can patch your tradecraft into when you generate a payload :)
Punching Sideways
aff-wg.org/2026/02/23/p...
While I no longer work in the C2 space and I don’t consider myself up on the operations side of red teaming, I watch the space closely to see where it’s going. In this post, I want to write about a…
https://aff-wg.org/2026/02/23/punching-sideways/
2 months ago
reposted by
Raphael Mudge
_RastaMouse
2 months ago
This is now committed along with a few other changes like using the newer CPL Java API.
reposted by
Raphael Mudge
_RastaMouse
3 months ago
I've been playing with a C2 built around PIC modularity for the last few weeks. C2 comms are merged into the agent at link time and output as shellcode. COFFs are transformed into PICOs for postex. Evasion tradecraft can be woven in via spec files. Very scriptable using Sleep.
The Islands of Invariance More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.
aff-wg.org/2026/02/02/t...
Crystal Palace now has a Yara rule generator. In this blog post, I’ll walk you through the design and evaluation of this feature. rule PageStream_rDLL_03495de1 { meta: description = “PageStre…
https://aff-wg.org/2026/02/02/the-islands-of-invariance/
3 months ago
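The post above, together with the Crystal-Kit YARA rule post and the "scalpel, hammer, foot gun" post earlier in this feed, is about generating content signatures from what stays constant across builds. The following Go program is an added illustration of that idea and is not Crystal Palace's generator or any code from the posts: it takes several builds of one artifact, greedily finds byte runs of the reference build that every other build also contains, optionally drops runs that also appear in a benign sample, and renders the survivors as a YARA rule. The four "builds" and the "benign" file are constructed byte strings (a fixed prologue and epilogue around a per-build region of varying length and content), not real loader output, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Island is a byte run taken from the reference build that also occurs,
// somewhere, in every other build of the same artifact.
type Island struct {
	Offset int // offset within the reference build
	Bytes  []byte
}

// presentInAll reports whether needle occurs in every sample.
func presentInAll(needle []byte, samples [][]byte) bool {
	for _, s := range samples {
		if !bytes.Contains(s, needle) {
			return false
		}
	}
	return true
}

// FindIslands walks the reference build (samples[0]) left to right and
// greedily extends every window of minLen bytes that all other builds
// contain. Runs shorter than minLen are ignored: short matches are mostly
// coincidence and are the first thing to hit unrelated files.
func FindIslands(samples [][]byte, minLen int) []Island {
	if len(samples) < 2 {
		return nil // with one build nothing has been observed to vary
	}
	ref, others := samples[0], samples[1:]
	var islands []Island
	for i := 0; i+minLen <= len(ref); {
		if !presentInAll(ref[i:i+minLen], others) {
			i++
			continue
		}
		n := minLen
		for i+n < len(ref) && presentInAll(ref[i:i+n+1], others) {
			n++
		}
		run := append([]byte(nil), ref[i:i+n]...)
		islands = append(islands, Island{Offset: i, Bytes: run})
		i += n
	}
	return islands
}

// DropBenign removes islands that also occur in any benign sample, e.g. a
// compiler prologue that every MinGW binary shares; a rule built on those
// matches far more than the artifact it was meant to find.
func DropBenign(islands []Island, benign [][]byte) []Island {
	var kept []Island
	for _, isl := range islands {
		hit := false
		for _, b := range benign {
			if bytes.Contains(b, isl.Bytes) {
				hit = true
				break
			}
		}
		if !hit {
			kept = append(kept, isl)
		}
	}
	return kept
}

// YaraRule renders the islands as hex strings. Requiring all of them is the
// conservative choice, since each run came from the same reference build.
func YaraRule(name string, islands []Island) string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "rule %s {\n  strings:\n", name)
	for i, isl := range islands {
		fmt.Fprintf(&sb, "    $s%d = { % X } // ref offset 0x%x, %d bytes\n",
			i, isl.Bytes, isl.Offset, len(isl.Bytes))
	}
	sb.WriteString("  condition:\n    all of them\n}\n")
	return sb.String()
}

// ConstructedBuilds fakes four builds of one artifact: a fixed prologue and
// epilogue around a per-build region (think embedded key or nonce) whose
// length and content change. Constructed input, not real loader output.
func ConstructedBuilds() [][]byte {
	prologue := []byte{0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48, 0x83, 0xec, 0x20}
	epilogue := []byte{0x48, 0x8b, 0x5c, 0x24, 0x30, 0x48, 0x8b, 0x74, 0x24, 0x38, 0x48, 0x83, 0xc4, 0x20, 0x5f, 0xc3}
	var builds [][]byte
	for i := 0; i < 4; i++ {
		var b bytes.Buffer
		b.Write(prologue)
		for j := 0; j < 8+i; j++ {
			b.WriteByte(byte(0x11*(i+1) + j))
		}
		b.Write(epilogue)
		builds = append(builds, b.Bytes())
	}
	return builds
}

func main() {
	builds := ConstructedBuilds()
	islands := FindIslands(builds, 4)
	// Constructed "benign" file that happens to share the prologue.
	benign := [][]byte{append([]byte{0x90, 0x90}, builds[0][:15]...)}
	fmt.Print(YaraRule("constructed_all_islands", islands))
	fmt.Print(YaraRule("constructed_minus_benign", DropBenign(islands, benign)))
}
```

With the constructed builds the scan yields exactly two islands, the 15-byte prologue and the 16-byte epilogue, because the middle region differs in every build; the benign check then discards the prologue, leaving a rule on the epilogue alone. The number of builds you feed in is the whole game: with a single build everything looks invariant, which is why the function refuses to emit anything for fewer than two samples.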
Cobalt Strike blog post by x.com/joehowwolf on using Crystal Palace to mash-up Page Streaming and Draugr Call Stack Spoofing into a Cobalt Strike UDRL. (Again, I really love the comics. They are perfect).
3 months ago
Georgia Weidman has posted some December 2010 NovaHackers talks, including my first talk on Armitage.
x.com/georgiaweidm...
Video link:
www.youtube.com/watch?v=ZtnK...
A few of you asked if I had the old @novahackers videos. Yes, I do, and I'm rereleasing them! Here are the talks from December 2010, including what is possibly the very first demo of Armitage (before Cobalt Strike, there was Armitage) from @armitagehacker, a talk on hacking
https://x.com/georgiaweidman/status/2014769592837586998
3 months ago
reposted by
Raphael Mudge
_RastaMouse
3 months ago
A nice workaround against my YARA rule.
kuwaitist.github.io/posts/Patchi...
"By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1."
4 months ago
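The quoted line above concerns rainbow tables for Net-NTLMv1. As an added example (this is the editor's code, not Mandiant's tables or tooling, and nothing from the linked post), the Go program below shows the structural weakness those tables exploit: the NTLMv1 response is the 8-byte server challenge DES-encrypted under three 7-byte keys cut from the 16-byte NT hash zero-padded to 21 bytes, so the third key carries only two bytes of hash material and its block is brute-forced in at most 65536 trials. The NT hash used is that of the password "password" and the challenge 1122334455667788 is used as a static challenge; both are constructed inputs for the demo, not captured traffic, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// desKeyFrom7 spreads 56 key bits over 8 bytes the way LM/NTLM do (one
// parity position per byte). The parity bit is left clear; DES's PC-1
// permutation discards it anyway.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0] & 0xfe,
		(k[0]<<7 | k[1]>>1) & 0xfe,
		(k[1]<<6 | k[2]>>2) & 0xfe,
		(k[2]<<5 | k[3]>>3) & 0xfe,
		(k[3]<<4 | k[4]>>4) & 0xfe,
		(k[4]<<3 | k[5]>>5) & 0xfe,
		(k[5]<<2 | k[6]>>6) & 0xfe,
		(k[6] << 1) & 0xfe,
	}
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte key.
func desEncryptBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// NTLMv1Response builds the 24-byte response: the 16-byte NT hash is
// zero-padded to 21 bytes, split into three 7-byte DES keys, and each key
// encrypts the same 8-byte server challenge.
func NTLMv1Response(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(padded[i*7:i*7+7], challenge)...)
	}
	return resp
}

// RecoverHashTail brute-forces the third DES key. Only its first two bytes
// are hash material (the remaining five are the zero padding), so at most
// 65536 trials recover NT hash bytes 14 and 15 from any challenge/response
// pair, with no password guessing involved.
func RecoverHashTail(challenge, response []byte) ([]byte, bool) {
	key := make([]byte, 7) // bytes 2..6 stay zero, matching the padding
	for v := 0; v < 1<<16; v++ {
		key[0], key[1] = byte(v>>8), byte(v)
		if bytes.Equal(desEncryptBlock(key, challenge), response[16:24]) {
			return []byte{key[0], key[1]}, true
		}
	}
	return nil, false
}

func main() {
	// Constructed demo values: NT hash of "password" and a static challenge.
	ntHash, _ := hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
	challenge, _ := hex.DecodeString("1122334455667788")
	resp := NTLMv1Response(ntHash, challenge)
	fmt.Printf("NTLMv1 response: %x\n", resp)
	tail, ok := RecoverHashTail(challenge, resp)
	fmt.Printf("recovered NT hash bytes 14..15: %x (found=%v)\n", tail, ok)
}
```

The first two response blocks are full 56-bit DES encryptions of the challenge, which is where precomputed tables come in: if the challenge is fixed, a table mapping each 8-byte ciphertext back to its 7-byte key turns those two blocks into the remaining 14 bytes of the NT hash. The attacker ends up with the NT hash itself, which is directly usable for pass-the-hash, without ever recovering the password. This is the insecurity the quote refers to, and the fix is to disable NTLMv1 rather than to lengthen passwords.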
I pushed a 1-change update to Crystal Palace. linkfunc now works with make coff. link (in a make coff context) merges the linked data into the .rdata section. Both are to support the BOF cocktails idea.
rastamouse.me/bof-cocktails/
BOF Cocktails
Crystal Palace is a PIC framework that can be used to write, among other things, prepended DLL loaders. The philosophy of the project is to apply evasion tradecraft (also written as PIC), to a capabil...
https://rastamouse.me/bof-cocktails/
4 months ago
Keeping bin2bin out of the bin
aff-wg.org/2026/01/13/k...
Another TCG update. +shatter, +regdance, and -O1 MinGW support. Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)
Happy New Year. I’ve got another Crystal Palace and Tradecraft Garden update for you. My focus this development cycle was making Crystal Palace’s binary transformation framework more robust. …
https://aff-wg.org/2026/01/13/keeping-bin2bin-out-of-the-bin/
4 months ago
TCG's vision is to separate tradecraft from capability and encourage an ecosystem of ground truth research. I started w/ UDRLs because the need & interfaces are there. This post applies the same ideas to BOFs. Each working tradecraft/capability pairing is a win. Some caveats (see post), exciting.
4 months ago
reposted by
Raphael Mudge
_RastaMouse
4 months ago
I managed it:
marketplace.visualstudio.com/items?itemNa...
This is fork&run to execute BOFs in a remote process, same API, and get output back over a pipe--demonstrated with Havoc. Same arch could support explicit injection. Add-in an injector artifact + psexec, could remotely run a BOF without an agent and get output back too. bofexec? :)
4 months ago
reposted by
Raphael Mudge
4 months ago
To wrap up the year, I've published this Havoc extension that enables remote execution of Beacon Object Files (BOFs) using a PIC loader built with Crystal Palace.
github.com/pard0p/Remot...
GitHub - pard0p/Remote-BOF-Runner: Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace.
https://github.com/pard0p/Remote-BOF-Runner
reposted by
Raphael Mudge
Henri Nurmi
5 months ago
WinAPI DFR remaps for Crystal Palace to automatically convert Func() to Module$Func(). Goodbye preprocessor macros 👋.
github.com/Henkru/cp-df...
GitHub - Henkru/cp-dfr-defs: Dynamic Function Resolution (DFR) definitions for Crystal Palace
https://github.com/Henkru/cp-dfr-defs
My open source projects server is down. I got a ticket in with the provider as I believe it's something on their end. Hopefully a short outage. I'm engaged with it and will post a reply here when it's back up or if there's a pressing and exciting update.
5 months ago
Discovering Tradecraft Garden by x.com/jjavierolmedo
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
5 months ago
"emerald-template is a CMake-based project template designed for developing and debugging Reflective DLL Loaders using the Crystal Palace linker." "This allows for source-code level debugging of your loader logic from Windows (and theoretically Linux) systems"
github.com/0xTriboulet/...
5 months ago
Interesting project. Reimplements TCG example loaders in Rust and demonstrates Rust patterns for TCG and Crystal Palace. One note: my scope, dev, tests, and unit tests are limited to MinGW. Binary transforms act on patterns gcc generates and moving away from that, you're gonna hit gaps faster.
5 months ago
reposted by
Raphael Mudge
Calzone
5 months ago
My PICOs and unit testing library have been updated for the newest version of Crystal Palace and LibTCG :)
reposted by
Raphael Mudge
_RastaMouse
5 months ago
Pushed a big update to Crystal Kit.
github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Kit: Evasion kit for Cobalt Strike
https://github.com/rasta-mouse/Crystal-Kit
Re: the new TCG release. I updated the Simple Hooking example into an empty base architecture and made XOR hooks and Stack Cutting into .spec modules for it:
tradecraftgarden.org/simplehook.h...
Thanks to redirect and foreach, I was able to layer these modules together to compose a tradecraft too.
5 months ago
reposted by
Raphael Mudge
5 months ago
LibPicoManager is a unified PICO management framework that provides centralized control over PICOs in memory, enabling dynamic code loading, runtime PICO substitution, and advanced evasion techniques like sleep masking through a single RWX code block.
github.com/pard0p/LibPi...
https://github.com/pard0p/LibPicoManager
reposted by
Raphael Mudge
_RastaMouse
5 months ago
[BLOG] This update solved a big issue I had with merging raw assembly into PIC. I cover the new linkfunc command and the updated addhook command.
rastamouse.me/pic-symphony/