Go-based C2 teamserver inspired by Cobalt Strike; seamless agent control, web UI, and Malleable Profile support. Fast, extensible, and secure for red-team ops.

https://github.com/armin-hg/NewCobaltstrikeTeamServer

Implementation of the concept of asynchronous Beacon Object Files. It provides a framework for running asynchronous monitoring tasks that can detect events and report back to the Cobalt Strike team server.

https://github.com/9Insomnie/async_bof

Robust Cobalt Strike shellcode loader with multiple advanced evasion features

https://github.com/Meowmycks/koneko

Evasion-Kit for Cobalt Strike

https://github.com/rasta-mouse/Crystal-Kit

Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover

After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still abuse dMSAs to take over any object where we have a write primitive. This mention did not gather significant attention from the community, leaving an operational gap for dMSA related tooling and attention. This blog dives into why dMSA abuse is still a problem, the release of a new Beacon object file (BOF) labeled BadTakeover, plus additions to SharpSuccessor, all to show that BadSuccessor’s impact as a technique (not a vulnerability) will still hold a lasting effect.

https://github.com/logangoins/BadTakeover-BOF

https://specterops.io/blog/2025/10/20/the-near-return-of-the-king-account-takeover-using-the-badsuccessor-technique/

Execute PE files in-memory using Cobalt Strike's Beacon, eliminating child processes and consoles for stealthy operations and efficient output handling.


https://github.com/evelyn67a/BOF_RunPe

ColdWer

Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass.

https://github.com/0xsh3llf1r3/ColdWer

Rustbof

https://github.com/joaoviictorti/rustbof


This project enables the development of BOFs using Rust with full no_stdsupport. It leverages Rust's safety features and modern tooling while producing small, efficient COFF objects.

The framework provides everything needed for BOF development. The build process compiles your code to a static library, which boflink then links into a COFF object with proper relocations and imports for Beacon's dynamic function resolution.

CS-EXTC2-NTP


https://github.com/ryanq47/CS-EXTC2-NTP

Next-Generation BOF Template | BOF Linter | Obj Rewriter

for Win/Linux/MacOS BOFs

https://github.com/wwh1004/bof-template-ng

Explore BOFs for Cobalt Strike and Havoc C2, focusing on Active Directory attacks and post-exploitation techniques to enhance your security research.

https://github.com/Wanssss1/BOFs

Bypassing EDR in a Crystal Clear Way

This blog takes you from how C2 payloads actually work under the hood all the way to building a fully evasive reflective loader that bypasses one of the best EDR's, covering module overloading with .pdata registration, NtContinue entry transfer, API call stack spoofing with Draugr, sleep masking, and Crystal Palace YARA signature removal. Every technique explained from why it exists, not just how it works.



A Cobalt Strike Reflective Loader built with Crystal Palace — module overloading, NtContinue entry transfer, call stack spoofing, sleep masking, and static signature removal.

https://github.com/kapla0011/KaplaStrike