Cobalt Strike Beacon with Shellter

Hi Guys,

I am continuing my previous post that related to embedding the cobalt strike beacon with evasion tools to enable the safe payload delivery.

Today, I am embedding cobalt strike payload with Shellter Project. Shellter is an AV/EDR evasion tools that implement certain technique to bypass or reduce detection. Shellter is able to embed the cobalt strike raw payload into existing application

Generate Cobalt Raw Payload

First, we need to generate cobalt raw payload. but please remember that Shellter only support upto 250 kilobytes payload. We can only use payload with stager. Generating cobalt strike raw payload steps follow below

Select the listener that you want to use, Select output is Raw.

Save your raw payload into a file.

Shellter Operation

The steps below are to embed the cobalt payload into the existing executable. I am going to show you straightforward steps with auto mode to embed the payload. Please remember that these steps will make your payload easier to be detected. You can do some manual steps for better evasion

Follow the steps below to embed the cobalt strike beacon into an executable. I am using 32 bit putty.exe as the payload host.

Select A for Auto

Select N for No

Type putty.exe

Select Y for stealth mode

Select C for Custom payload that will point to your cobalt strike raw payload

input your cobalt strike myPayload.bin

Select N for No.

That is all.

When putty.exe is executed, the payload will directly run the payload. We can see here below the beacon is successfully contacting the server.


    1. Hi Joules,

      Basically Shellter is great tools, Most AV is able to detect the default configuration. You should be abit creative to customize it. Shellter comes with paid one, It promises coming with better evasion techniques.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s