Control Pack

Injects an independent thread into a legitimate service binary and spawns a companion watchdog process responsible for monitoring the agent’s execution state. If the agent process terminates unexpectedly for any reason, the watchdog automatically relaunches it, while the agent continuously monitors the watchdog and restarts it if needed, enforcing mutual supervision and resilient persistence.

Built with stealth as a core design principle, its agents rely on native system components, staged execution, in-memory techniques, and controlled communication patterns to blend into normal system and network activity. By minimizing artifacts, avoiding unnecessary processes, and leveraging trusted runtimes, it enables effective operations while reducing exposure to detection and forensic analysis.

Control Pack agents operate in a two-stage model to maintain a structured and low-noise workflow. Stage 1 provides limited interaction focused on validating the environment and establishing a stable connection to the Control Pack server, while Stage 2 unlocks full capabilities such as file transfer, screenshots, memory dumping, encryption of documents and process migration once the agent is upgraded.

This agent can run standalone or be injected into a running Java application, allowing it to operate inside a live JVM without restarting or modifying the target. It can discover other Java processes on the system and pivot into them at runtime while providing standard C2 functionalities.
It supports JVM enumeration and runtime attach, enabling in-memory migration between Java processes.

Runs as a DLL inside a Windows Protected Process Light (PPL), using KNOWNDLL loading to execute from a trusted context instead of launching a separate executable. It includes an Unhooker to remove user-mode API hooks, reducing monitoring and interference, and supports process migration to move execution into other processes while maintaining low visibility.

This agent is implemented as a CLR profiler DLL that is loaded through the .NET profiling mechanism at application startup. Once loaded into a target process, it reads its configuration, connects back to Control Pack, and enables in-process command execution and communication without launching a separate executable, allowing the agent to operate entirely within the context of an existing, trusted application.

A lightweight script that runs using Windows’ built-in PowerShell and connects back to Control Pack for instructions. It periodically checks in to receive commands, execute them locally, collect information, and send the results back. Because it relies on existing system tools and can be staged, it starts small and can be expanded when needed.
It includes basic environment detection and cleanup functionality, allowing it to remove itself after execution.

An in-browser implant that runs within the user’s web session and communicates with the C2 server through normal-looking web traffic. It enables tracking and interaction with the browser by collecting contextual data (cookies, page content, plugins, and screen details), capturing user input, executing arbitrary JavaScript, and triggering browser-based actions like alerts or redirects, while blending into legitimate browsing or phishing activity.

Unix-based agent implemented as a shell script runs on Linux and macOS systems. It executes using the native bash environment, establishes communication with Control Pack’s server, and supports remote command execution, system reconnaissance, and file operations by leveraging standard system utilities. Its minimal footprint and reliance on built-in tools allow it to operate without additional dependencies and blend into typical command-line activity.

This agent is an interpreter-based payload for Unix-like systems that executes within the Perl runtime.

It establishes a connection to Control Pack’s server to perform remote command execution, system reconnaissance, and file operations by leveraging native OS utilities, requiring no compilation and minimal dependencies.

A native Windows payload built in C#, which runs as a standalone executable within the .NET runtime and connects back to Control Pack. It provides C2 capabilities such as command execution, system information collection, and file transfer, operating quietly in the background as a regular Windows process.

A cross-platform payload for Windows and Linux that establishes a direct TCP control channel to Control Pack’s server. After a simple handshake, it enables remote command execution and returns output, using platform-specific mechanisms such as an interactive shell on Linux and command execution with screen capture on Windows, while maintaining a minimal footprint.