Outflank Security Tooling (OST) Releases

Outflank Security Tooling (OST) is dedicated to staying up to date on the latest trends, threats, and techniques. With its cloud delivery platform, OST maintains a steady development pace, averaging one to two new tools per quarter as well as regular updates to existing tools. This timeline is an up-to-date record of our ongoing work and includes not only new releases and updates, but also other activities of the research team, such as knowledge sharing sessions on tradecraft, evasion, and other relevant topics.

OST RELEASES

2025

Builder: Two New Execution Techniques & OC2: Better BOF-PE Exception Handling

In-Phase Builder

  • Inno Setup format addition

  • VLC Plugins

Outflank C2:

  • BOF-PE (DLL): Improvements on exception handling

Payload Generator:

  • Improved allowed names for DLL exports

Schedule a demo to learn more >

OC2: Hardcoded Proxy Credentials & Imphash

Outflank C2

  • Added capability to include Hardcoded proxy credentials

PE Payload Generator, ShovelNG, PasswordSpy++

  • EDR evasion improvements

  • Mitigations against Import Hash (imphash) fingerprinting

PE Payload Generator

  • EDR evasion improvement to mitigate entropy-based detection

EDR Presets

  • Two new community contributed EDR presets have been added.

OC2: BOF-PE Support and Async Portscan BOF

Outflank C2

  • BOF-PE (DLL) support

Outflank C2 Async Pack

  • Portscan: Map available network servers and services by scanning hosts and IP ranges for open TCP ports

Documentation

  • EDR testing guidelines have been added to the Knowledge Base section under EDR Evasion

Builder BGInfo Support + New Shortcut BOF

In-Phase Builder

  • BGInfo support: Builder now supports BGInfo file generation

Outflank C2 Tool Collection

  • Shortcut BOF: New BOF that allows operators to use Windows shortcut (.lnk) files in their operations

KernelTool

  • Operators can now specify custom driver drop paths, which can be used with WDAC policies that restrict drivers from being loaded from specific locations

Chromeo

  • Improvements in Chrome attack tooling (Chromeo)

PE Payload Generator

  • Various QoL improvements

OC2 Implant

  • Evasion improvements

Chromeo Attack Tooling

Chromeo

  • Introducing attack tooling for Chromium-based processes (Chrome/Edge/Brave/Opera)

Misc Updates

  • EDR presets: New community contributed EDR preset

  • OC2 Implant builder: Quality of life improvement

Blocking EDR Telemetry

Outflank C2 Tool Collection

  • Added new BOF that manipulates Windows network stack. Features:

    • EDR telemetry blocking

    • Traffic interception

    • Generic DNS hijacking / traffic interception

    • Remote system support: Target remote systems before making lateral movements

In-Phase Builder

  • EarlyBird improvement: improved evasion

PE Payload Generator

  • QoL: additional warnings prior to expiration.

KernelTool Update with Multi-Driver Support

KernelTool

  • Various QoL improvements related to multiple-driver support and specific driver detections

PE Payload Generator

  • Various QoL improvements related to evasion and KillDate management

EDR Presets

  • Two new community contributed EDR presets have been added

Python Linux Payload & Two New Monitor BOFs

In-Phase Builder

  • Added a new Linux Python payload building option

Outflank C2 Async Pack

  • Interface monitor command detects network interfaces additions/deletions

  • File monitor command detects file modifications.

  • Usermon command monitors login activity.

Outflank C2 Tool Collection

  • SprayAD will now run as an asynchronous BOF for supported teamservers

Outflank C2

  • Various QoL improvements on the BOF Loader

OST Portal

  • Improved several input validation error messages

CredentialPack: New HiveDump BOF

CredentialPack:

  • HiveDump: New registry hive dumping tool that manually reads and parses the registry.

KernelKatz:

  • Added MSV support for Windows 24H2 and updated static offsets.

  • Bugfix for out-of-bounds reads on specific Windows versions.

Cobalt Strike 4.11.1 Support

BeaconBooster

  • Support added for Cobalt Strike 4.11.1

Outflank C2

  • Small bug fixes for Blind ETW on start and in Clipmon from OC2 Async Pack

Outflank C2: Asynchronous Task Support

Outflank C2

Asynchronous task support

  • Though BOFs were previously designed for synchronous operations, operators can now roll out a network of sensors and stream these events to the C2 server for further processing – all while the implant is sleepmasked

Outflank C2 Async BOF Pack

  • This can monitor for various events, with an initial release consisting of four monitoring BOFs:

    • Usermon: Monitor and record user login events. Every login is recorded and printed

    • Procmon: Monitor for a specific application start

    • Clipmon: Monitor the clipboard, recording every new text copy

    • Keylogger: Record all entered keystrokes, including key modifiers and special keys

Bugfixes

  • Numerous bugfixes and minor improvements for Payload Generator, BeaconBooster, languagePanda

Revamped Portal for OST Docs

OST Portal

  • Users can now add new content and make edits to existing content that will be shared with the OST community

New Documentation Portal

  • Revised structure of documentation

  • Search function and dark mode added

ShovelNG: Bring Your Own Execution Context (BYOEC)

ShovelNG

  • With Bring Your Own Execution Context (BYOEC), ShovelNG can now be configured to upload your own .exe to be used as the execution context instead of one of the currently available LOLBins

  • Added 5 pre-configured Execution Contexts

  • Additional execution configurations soon to come

Configurable Proxy Support for Outflank C2 and Misc Updates

Outflank C2

  • Configurable proxy support has been added for Windows as well as Linux/macOS implants. The implant tries this configured proxy after direct connection and system/user proxy attempts fail

  • Small bugfixes for BOFs and process creation

PE Payload Generator

  • RC4 encryption has been added and guidance for payload configuration has been updated

  • Small bugfix for EarlyBird/Cascade injection

RoadTune

  • App Store installable apps are now supported.

  • Install commands are not shown for apps by the IME client

  • Improvements for retrieval of user-scoped policies and assignments

KernelTool

  • Improved offset resolving

Portal Quality of Life Update

Portal

  • This Portal update will bring many small changes to make usage and build flows more convenient, including the introduction of Evil-O-4000, who will now help and guide you, providing:

    • Input validation errors in PE Payload Generator

    • Inconsistencies/warnings between Outflank C2 and PE Payload Generator settings

    • Confirmation of input validation

Miscellaneous Bugfixes

  • Fixes for Outflank C2, PE Payload Generator, and EarlyCascade

Red Team Management Tech DeepDive recording

Red Team Management Tech DeepDive recording

  • This DeepDive covers the non-technical side of red teaming: test plans, reporting, meetings with stakeholders, trust building, planning, and more.

BeaconBooster

  • Added compatibility for Cobalt Strike 4.11 release

OC2: Secure Enclave Sleep Mask, New BOF loader, Guardrail Updates, New AMSI bypass

Outflank C2

  • New Enclave Sleep Mask added

  • New AMSI bypass: Novel data-only bypass

  • New BOF loader: Overhauled for increased flexibility and performance

  • Guardrails: Anti-sandbox guardrails now aligned with Payload Generator to provide same options and protection

PE Payload Generator

  • Cross product configuration checks added

EDR Presets

  • New community contributed EDR preset added

New Sleep Mask & Updates for Outflank C2, Payload Generator, Portal

BeaconBooster

  • New Enclave Sleep Mask added, based on research by Cedric Van Bockhaven and Matteo Malvica

  • x86 exception handling support added (also added to Outflank C2)

Outflank C2

  • APC dispatcher trickery added

  • Maximum attempt counter added to forwarded messages

PE Payload Generator

  • Input validation box updated to show direct feedback

OST Portal

  • Help icon deeplinks added to navigate directly to the corresponding item in documentation

New Tech Deep Dive & Preset

Tech Deep Dive

  • Recording of the Secure Enclaves knowledge sharing session added to portal:

    – Deep dive into architecture of VBS enclaves

    – Full walkthrough demo with practical techniques for existing vulnerable enclave DLLs

EDR Presets

  • New community contributed EDR preset added

Outflank C2, New Tech Deep Dive, HiddenDesktop

Outflank C2

  • New Sleep Mask options added, also allowing you to configure the sleep thread state

  • Dynamic configuration of macOS implant proxy settings

  • Smaller tuning and bug fixes

Tech Deep Dive

  • Recording of the ROADtune knowledge sharing session added to portal:

    – Deep dive into Intune and ROADtune

    – Full walkthrough demo of PhisherPrice plus ROADtune

HiddenDesktop

  • Bugfix for uncommon screen resolutions

2024

Cloudpack, Outflank C2, and EDR Updates

Cloudpack

  • ROADTune bugfix and additions

  • PhisherPrice now supports token resource tokens

  • Extra documentation

Outflank C2 Updates

  • BOF loader is now able to deal with BOFs BeaconPrintf-ing binary buffers from BOFs that aren’t programmed nicely

  • System proxy support for Linux and macOS

  • Several small bug fixes on additional HTTP headers

EDR Updates and Documentation

  • Added 2 new EDR presets

  • Improved OPSEC documentation

Major OPSEC Update, New Loaders, and Outflank C2 Implant

New Loaders

BIG OPSEC Update

  • Full thread stack spoofing implemented on all system calls in the stagers, implant, and reflective loader

  • EarlyCascade update

  • Windows CET compatibility update

  • EDR finetuning for new EDRs

Outflank C2 Implant Update

  • Improved linked implants for DeepSleep

  • Added automatic user agent detection

  • Implemented extra guardrails

Evasion Improvements and Bugfix Release

Updates

  • Evasion improvement for PasswordSpy

  • Bugfix for ROADtune Android support

  • Bugfix for lateral movement via Shovel

Linux and macOS Improvements

New Knowledge Session

  • Released a tech deepdive on macOS and Linux operations with OST

Updates

Guardrails and Anti-sandboxing

Updates

  • Improvement on the guardrail requirements to avoid sandbox analysis

New Tool Release: RoadTune

RoadTune

  • New tool for offensive Intune operations

  • Can emulate multiple device types, fake compliance and retrieve Intune packages for offline analysis

Updates

  • Enhancements to KernelKatz, FakeRansom and evasion presets

New Knowledge Session

Tradecraft

  • Knowledge session on MS Defender static detections now available on portal

Updates

  • Overall quality of life improvements & smaller bug fixes

EarlyCascade Extension and More

EarlyCascade – Extension

  • EarlyCascade injection is now also available in Outflank C2 (formerly Stage1) and ShovelNG

Outflank C2 & PE Payload Generator

  • New options and GUI improvements to allow more operator flexibility

Evasion

  • Added 5 new community contributed EDR presets

EarlyCascade Injection in Payload Generator

EarlyCascade Injection in Payload Generator

  • Added a novel injection technique called ‘EarlyCascade’

  • Added ‘freeze’ as a new process creation method

  • New ‘Embed in section’ option

  • Relative local paths are now supported

Updates

BeaconBooster CS 4.10 Compatibility

BeaconBooster CS 4.10 Compatibility

  • Updated Beacon Booster’s Sleep Masks for compatibility with the new version of Cobalt Strike

  • Added address spoofing for Beacon Gate

Outflank C2: New macOS & Linux implants

Outflank C2: New Name & New Features

  • Native Implants: Tailored for each OS, both implants are written in C/C++/ASM

  • Full Implant Capabilities: Dynamic Execution (BOF/JXA), network tunneling, http & tcp beacons

  • Guardrails & High OPSEC: Our research into macOS & Linux EDR was incorporated in developing the implant

  • In-Phase Builder: Capabilities to generate/transform raw shellcode in various macOS or Linux formats

  • Stage1 has been renamed Outflank C2

PhisherPrice: OST Attacks the Cloud!

New Tool Release: PhisherPrice

  • This new tool adds to OST capabilities for attacking the Entra ID device code flow.

Updates

  • Bugfixes

  • Various infrastructure changes

New EDR Presets, (OPSEC) Improvements & Bugfixes

PE Payload Generator:

In-Phase Builder

  • Updated .NET shellcode loader as follow-up after the Elastic blog

Stage1 C2

  • Update for KernelCallbackTables injection and Module Stomping

  • Bugfixes

BeaconBooster

  • Implemented evasion for Windows Defender Emulator

Updates to C2 Tool Collection and Bugfixes

CreateService BOF

  • New BOF for creating/stopping/deleting services

Updates

  • Small updates for various tools, including WdToggle and In-Phase Builder

In-Phase Builder – Initial Access to the Max!

New tool in beta: In-Phase Builder

  • This is an incredibly powerful framework for generating and working with file formats, and it is easily extensible.

  • Each file format transformation has been implemented in the infection chain and optimized for OPSEC.

  • Chains include new tradecraft to decrease the number of warnings/popups a victim will see or change some popups to less scary ones.

  • The tool incorporates our research and full weaponisation of an initial infection file format that has less stringent browser controls and Mark-of-the-Web blocks than most known formats.

New SpawnAs and UAC Bypass Features in Stage1

Stage 1

  • Low level SpawnAs implementation based on novel research, which also serves as a UAC bypass

PE Payload Generator, Stage 1, and ShovelNG

New Misc Tools, Relaying Research and Quality of Life Updates

EDR Evasion

  • Evasive features ported towards ShovelNG for lateral movement

  • Additions of new EDR presets

Stage1

  • Major performance enhancement of SOCKS

Misc Features and Updates

  • New Keylogger and capability for remote command execution over WSMan

  • Inclusion of new relaying research

  • Updates to several tools to support new Windows versions, features, bugfixes, etc

Mega EDR Fine Tuning and Bypass Release

  • This release is the result of several man-months of research on stealthiness and evasion.

  • OST tools PE Payload Generator, Stage 1 C2, and Lateral Pack’s Shovel NG are now even better equipped to bypass major EDRs as a result of tweaked remote process injection techniques, smarter unhooking, and a new sleep mask.

EDR Evasion, Tech Deep Dive, and Bugfix Release

  • EDR info has been extended and presets are now available for a total of six major EDRs.

  • A cheat sheet is now available for the “OPSEC tricks for attacking Azure AD with ROADtools” recording.

  • Numerous small bugfixes have been implemented.

PowerShell Tradecraft and New OPSEC Features

Tool category: PowerShell Tradecraft

  • PSPipeJack: This new tool uses a novel lateral movement technique for abusing tricks in PowerShell, bringing back PowerShell for red teamers. It can be used as a dedicated tool, both in Stage 1 C2 or in Cobalt Strike.

  • PowerShell support has been added to Stage 1 C2 with obvious security bypasses.

Tech Deep Dive and new EDR presets

Tech DeepDive Recording

  • Microsoft Office Offensive Tradecraft: A recording of a public office tradecraft training.

EDR Evasion / Payload generator & documentation

  • Two new PE Payload Generator EDR presets.

Major Updates for EDR Evasion

Updates:

Tool category: EDR Evasion/Payload Generator/Documentation

  • Payload Generator: Payload Generator now provides guidance on configuration options for specific EDRs.

  • Documentation enhanced with technical details on evasion, strategies and how to best use OST.

  • Minor bugfixes for Stage 1 and EvilClicky

2023

Updates to Hidden Desktop and Stage 1

Updates:

Tool category: Out-phase/Exfiltration

  • Hidden Desktop: Complete rewrite, BOF format and various new features

  • New feature in Stage 1: Reverse Port Forwarding (enabling HiddenDesktop via Stage 1)

New Exploit Release: Ivanti Secure Access VPN Client

Tool category: Privilege Escalation/Misc

  • Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc

Updates to ShovelNG and Cloud OPSEC Session

Updates:

Tool Category: Lateral Movement

  • Enhanced ShovelNG (lateral movement) for increased evasion/OPSEC

Knowledge Sharing:

Category: Cloud OPSEC

  • Tech DeepDive Recording: OPSEC tricks for attacking Azure AD with ROADtools from Dirk-Jan Mollema

Sleep Mask Additions & New C2 Tools

Tool category: Command & Control

  • Stage 1: new configurable Sleep Masks

  • Cobalt Strike Integrations update: New evasive Sleep Mask added

Updates:

  • Outflank C2 Tool Collection updates including 3 new tools

  • Extended support for arbitrary .NET projects

New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask

Tool category: Command & Control

New Tool Release: regcertipy & Updates to Kerneltool

Tool category: Internal Recon

  • New tool release: regcertipy – identifying certificate templates via registry updates

Updates:

  • Updated Kerneltool with additional supported kernel/OS versions

Tech Deep Dive Videos for Stage 1 & Windows Kernel Drivers

Release type: Knowledge Sharing

  • Added Tech Deep Dive video on Stage 1 automation

  • Added Tech Deep Dive video on Windows Kernel Drivers

Updates to PE Payload Generator & Cobalt Strike Integration UDRL

Release type: Updates

  • PE Payload Generator now has a new loader with favorable OPSEC properties

  • Cobalt Strike Integration UDRL: new loader added, plus YARA bypass information