10-year-old code used to compromise modern networks.
I was recently told that a conference focused on malware analysis and botnet disruption discussed recent trends in malware. One particular talk covered several groups, including SmokedHam, and my name came up in the conversation.
Why does all of this matter from a red team perspective? Here is a short story. Almost 10 years ago, I published a tool named ThunderShell on my GitHub: https://github.com/Mr-Un1k0d3r/ThunderShell. I came up with the name while watching a movie that mentioned Thunderpants as I was writing the code. I have been trying to remember which movie it was for years. If you know the name, please tell me.
The code was designed for red team exercises at the time I was working at Mandiant doing red teaming. The reason I originally wrote this C2 was simple. I needed something that would go undetected. PowerShell was trendy at the time and poorly detected, so I decided to use PowerShell to load an obfuscated C# payload that was the actual malware. It could be executed either via PowerShell or compiled directly as an executable.
Most C2 frameworks relied on shellcode to load payloads in memory. I chose not to use that approach, to avoid the detection associated with memory-related techniques and to remain stealthy at the time. Not using shellcode removed the detection opportunities tied to process injection and to memory allocated with read, write, and execute permissions through VirtualProtect calls, and it avoided several Windows APIs that are heavily monitored by EDRs, since there was no shellcode to manage. It worked well, and I was able to conduct multiple red team engagements without being detected. This was nearly 10 years ago.
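To make the detection gap concrete, here is an added example (not code from the original post or from ThunderShell) of a toy triage script run over constructed telemetry: rules keyed on shellcode-style behaviour (RWX memory, cross-process threads) never fire on a PowerShell-hosted .NET payload, so a defender needs Script Block Logging (Event ID 4104) coverage of in-script assembly loading instead. The event format, the sample lines, and the assumption that the loader uses Reflection.Assembly.Load or Add-Type are mine; the post only says PowerShell loads an obfuscated C# payload.

```python
import re

# Constructed sample telemetry (not real vendor output): memory-API events as an
# EDR might record them, plus PowerShell Script Block Logging (Event ID 4104) lines.
# The .NET loading mechanism shown (Reflection.Assembly.Load / Add-Type) is an
# assumption; the post does not say how the C# payload was loaded.
SAMPLE_EVENTS = [
    "api=VirtualAlloc proc=loader.exe protect=PAGE_EXECUTE_READWRITE",
    "api=VirtualProtect proc=loader.exe protect=PAGE_EXECUTE_READWRITE",
    "api=CreateRemoteThread proc=loader.exe target=explorer.exe",
    "ps4104 proc=powershell.exe script=[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null,$null)",
    "ps4104 proc=powershell.exe script=Add-Type -TypeDefinition $src; [Stager]::Run()",
    "ps4104 proc=powershell.exe script=Get-ChildItem C:\\Users | Measure-Object",
]

# Rules keyed on shellcode-style behaviour: RWX memory and cross-process execution.
RWX = re.compile(r"api=(VirtualAlloc|VirtualProtect)\b.*protect=PAGE_EXECUTE_READWRITE")
INJECT = re.compile(r"api=(CreateRemoteThread|QueueUserAPC|NtMapViewOfSection)\b")
# Rule keyed on what a shellcode-free .NET loader does instead: load an assembly from script.
ASM_LOAD = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\w*\(|\bAdd-Type\b", re.I)

MEMORY_TAGS = {"rwx_memory", "remote_thread"}


def classify(event: str) -> set:
    """Return the detection tags that fire for one telemetry line."""
    tags = set()
    if RWX.search(event):
        tags.add("rwx_memory")
    if INJECT.search(event):
        tags.add("remote_thread")
    if event.startswith("ps4104 ") and ASM_LOAD.search(event):
        tags.add("ps_inmem_assembly")
    return tags


def coverage(events) -> dict:
    """Group event indices by which rule family catches them.

    Events caught only by the script-block rule are exactly the ones that
    memory-centric telemetry would have missed.
    """
    result = {"memory_rules": [], "script_rules": []}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags & MEMORY_TAGS:
            result["memory_rules"].append(i)
        elif "ps_inmem_assembly" in tags:
            result["script_rules"].append(i)
    return result


if __name__ == "__main__":
    print(coverage(SAMPLE_EVENTS))  # {'memory_rules': [0, 1, 2], 'script_rules': [3, 4]}
```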
Fast forward to today. During that conference, they discussed active groups such as SmokedHam, Parcel RAT, and WorkersDevBackdoor, all modern C2 frameworks used by attackers. What they all have in common is that they are forks of my original ThunderShell project. Even AI is capable of correlating all of these elements.

What is interesting is the shift within the industry. Attackers are opportunistic; red teamers are not. We do not choose our targets because they are easy, but because it is our mandate. As a result, we tend to test more mature organisations with detection in place, which has pushed us to develop evasion and bypass capabilities far beyond those of traditional attackers.
I strongly believe that today attackers are learning from us, not the other way around, because of the level of detection in place. As red teamers, we release many tools publicly that can be misused by attackers, but the primary goal is to raise awareness. If vendors and organisations are aware of a specific technique, they can improve their detection, and that is what matters.
A simple example is SCShell, another tool I released more than 7 years ago on my GitHub (https://github.com/Mr-Un1k0d3r/SCShell), which enables fileless lateral movement and is still relevant today. Once it was released, several vendors studied it and improved their RPC visibility to detect such activity. It worked, and detection improved. NetWitness wrote an interesting article about their approach.
This is what sharing is about: improvement. I could not be happier to see a company investing effort to increase its detection capabilities, as mentioned in their post.

Back to ThunderShell. It was written 10 years ago and archived more than 3 years ago because I considered the approach obsolete in its original form. It is no longer useful to me nor effective against modern detection. However, attackers rediscovered it because the underlying technique was different from what was done more than 10 years ago and, in many cases, still is today: no shellcode and in-memory execution. I was ahead of my time when I wrote it. The code is outdated, but the concept persists and remains valid.
Many people argue that red teaming is unrealistic because of its level of sophistication. The reality is that if you are ready to undergo a red team engagement and have solid detection in place, you are better prepared to face the threats of the next few years. This is a perfect example. Ten years ago, such techniques were considered too sophisticated. In 2026, this is what active malicious actors are using.
Red teaming is about readiness and capability. It is about being prepared to face future challenges and remain secure against upcoming threats that will not be coming from red teamers next time.