Hey everyone! I’m Mariusz Banach (mgeeky) and I’m excited to introduce myself as the newest member of the Outflank team.
For those who don’t know me, I’ve spent years in the trenches as a red teamer and have trained others to do the same, delivering public and private IT security trainings on malware analysis, initial access, evasion tactics, and more.
However, I have spent the last few years building and managing Red Macros Factory (RMF), an Initial Access Framework designed to take the pain out of the weaponization phase that kicks off every red team engagement. RMF represents three years of research-driven development, battle-tested across numerous engagements. The philosophy behind it is simple: red team tools, by a red teamer, for red teamers.
Sound familiar? That’s exactly why I’m here.
As part of joining Outflank, RMF’s functionality will be integrated into Outflank Security later this year.
Alongside the press release, I wanted to take a moment to introduce myself, explain what RMF brings to the table, and share why I’m so excited about this next chapter.
The Problem RMF Solves
Initial Access is one of the most time-consuming and tedious parts of the engagement. Devising payloads demands attention to detail, and stitching multiple file formats together to form an infection chain, when done manually, leaves an extremely large margin for operator error.
I built Red Macros Factory to solve that problem. At first, it was just for my own engagements. But eventually I realized that there were surely other red teamers who would rather spend their time on the latter stages of an engagement instead of reinventing the weaponization wheel. This is exactly how OST approaches the broader red team arsenal.
RMF is tooling for teams that don’t have time for extensive internal R&D, or who want high-quality, alternative weaponization options they can plug directly into their offensive CI/CD pipelines and scripts.
What RMF Brings to OST
RMF is built around reducing initial access payload generation from days to minutes. One command gets you a fully weaponized, obfuscated payload ready for deployment. Let me break down what’s under the hood:
Payload Generation
RMF generates 105+ weaponized file format vectors across Windows and macOS, covering a wide range of initial access scenarios:
- Malicious Office documents (Excel, Word, PowerPoint, Publisher, Visio, Project, Access)
- Malicious LNKs and MSIs with multiple built-in attack options
- Anti-headless, evasive HTML Smuggling and SVG Smuggling
- ClickOnce deployments (.application, .manifest, .appref-ms)
- Nested containers (ZIP, ISO, IMG, WIM, VHD, CAB, PDF, CPIO, CPGZ, Office OLE objects)
- WSH scripts (VBS, VBE, JS, JSE, HTA, WSF, SCT, WSC, XSL)
- CHMs and URL files
- Exotic vectors (MSG, DIAGCAB, INF)
- macOS macro-enabled Office docs and JXA scripts
- And more!
Advanced Techniques
RMF offers extensive options for macro-based payloads, giving operators flexibility in how they achieve execution:
- VBA infection strategies (DotNetToJScript, DLL Sideloading/Hijacking, COM Hijacks, and more)
- Multiple command execution tactics
- Exotic ActiveX-based autoruns
- Shellcode support (x86/x64)
- .NET assembly execution
- Staged payloads via URL
Evasion and OPSEC
RMF bakes in obfuscation, detection bypassing, and operational security throughout the framework:
- VBA Stomping, purging, anonymization, and vbaProject.bin metadata manipulation
- Macro obfuscation with lowered entropy to reduce ML-based detection rates
- OPSEC scanner with bypass suggestions
- ASR rule bypasses baked in
- Support for tested LOLBASes
- Code signing with leaked and self-signed certificates
Ready-made Attack Chains
Advanced infection scenarios are available out of the box. These are complex, realistic attack paths that would take hours to build manually.
This is what I’m bringing to OST. I can’t wait to see where it goes from here!
Why Outflank?
When I thought about where RMF could have the biggest impact, Outflank was the clear choice.
The philosophy here matches exactly what I’ve been building toward: practical, high-quality offensive tooling made by people who have experience doing this work. We also share a commitment to cutting-edge research and rapid development. Defenses evolve constantly, and so do the threat actors we’re mimicking. Effective tooling has to keep pace with both.
Beyond the technical alignment, Outflank offers the support to take things further. That’s exactly what I was looking for: more time developing, experts to brainstorm with, and less time on admin.
I’m confident this is the right home for RMF (and me!).
Why Merge RMF into OST
RMF’s initial access capabilities are a natural fit for OST. OST already offers 30+ tools spanning the full red team engagement lifecycle. Adding RMF’s initial access capabilities provides comprehensive coverage from first contact through post-exploitation, all from a single platform. No more stitching together separate tools and workflows.
Additionally, merging the two means the tooling can work together natively. RMF’s weaponization output can feed directly into OST’s downstream capabilities without friction. The result is smoother operator workflows and fewer manual handoffs between stages of an engagement.
Though it will no longer be a standalone product, this isn’t RMF going into maintenance mode. It’s RMF getting the backing of a dedicated team that’s committed to keeping offensive tooling sharp. The functionality will keep evolving, now with more resources.
Looking Ahead

I’m thrilled to be part of the Outflank team. The red hoodie fits, our missions align, and I can’t wait to keep building tools that make your engagements easier and more effective.
More details on the integration timeline will be coming soon. In the meantime, feel free to reach out with questions at [email protected], connect with me on Twitter (@mariuszbit), or, if you are an OST customer, connect with me on the OST Slack.