Brief Project Overview

Malware development has been something that has interested me; however, most of my success in customer engagements has come from using publicly available tooling, not my own work. This blog post will hopefully document my process of creating a custom HavocC2 loader that bypasses several EDRs.

Many topics on malware development exist, but I find that writing/teaching about a topic forces me to understand it more deeply.

Current State of EDR

Endpoint Detection and Response in 2026 is pretty solid. One wrong move and you’ll wind up with your process getting flagged as malicious and terminated. Understanding where and when EDR decides to look at a process is the most important thing to know when attempting to remain undetected. Below is a pretty oversimplified explanation of what EDRs look at and log.

Static Analysis

The original method of checking malware: scanning for malicious signatures and bad bytes.

Memory Analysis

Scanning of memory inside a process/thread. This is an intensive process, so it needs to be done selectively.

Heuristics

Reviewing what your binary is doing, i.e. behavioral analysis. Is it reaching out to a C2 server every 5 minutes? sus. Is it trying to dump LSASS? mega sus.

Triggers

Things that will make the EDR go “Hmm, let’s take a closer look at what’s happening…” - For example, when you run a thread on newly allocated memory, the EDR probably wants to figure out what’s so exciting. Memory analysis is mostly triggered by heuristics and triggers.

My Process

I chose HavocC2 because it is open source/free, while also granting the operator granular control over the implant behavior. I want all research performed to be applicable without requiring the purchase of something like Cobalt Strike.

I will be testing against BitDefender, Sophos, and CrowdStrike, as those are the EDR systems I currently have access to. There will be three primary stages of development, each harder to achieve than the last.

  1. Passing static analysis of a shellcode loader with malicious shellcode - requires obfuscation of the shellcode on disk
  2. Passing dynamic/runtime analysis of a shellcode loader with benign shellcode - requires bypassing the indicators of compromise in how shellcode is injected into a process or thread
  3. Passing dynamic/runtime analysis of a shellcode loader with malicious shellcode - requires bypassing memory scanning of the payload once it is loaded into a process or thread

Useful Tools

  • LitterBox - Analyze your malware using lots of common tools like YARA, PE-Sieve, Moneta, Patriot, RedEdr, Hunt-Sleeping-Beacons, Hollows-Hunter, etc.
  • VS Code - You already know what it is
  • System Informer (previously Process Hacker) - for manual analysis of running processes
  • x64dbg - for debugging and manual analysis